[pLog-svn] xss in 1.2.7

Mark Wu markplace at gmail.com
Mon May 5 22:25:10 EDT 2008


Matt:
 
ATM, you mean ATM machine? Why is it related to CSRF?
 
Mark


  _____  

From: plog-svn-bounces at devel.lifetype.net
[mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Matt Wood
Sent: Tuesday, May 06, 2008 10:11 AM
To: LifeType Developer List
Subject: Re: [pLog-svn] xss in 1.2.7


a nonce/token isn't a defense against XSS... it isn't even a very good
defense against CSRF, but the best we really know about ATM.


On Mon, May 5, 2008 at 5:41 PM, Jon Daley <plogworld at jon.limedaley.com>
wrote:


On Mon, 5 May 2008, Reto Hugi wrote:


But in most cases CSRF countermeasures become useless if you have XSS
vulnerabilities (remember: XSS means code injection in your html, means
possibility to grab nonces etc...)


Right, but if you don't even accept the POST in the first place, then
it doesn't matter what the content is, no matter where it came from, right?

_______________________________________________
pLog-svn mailing list
pLog-svn at devel.lifetype.net
http://limedaley.com/mailman/listinfo/plog-svn
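The distinction the thread is drawing (a nonce rejects a cross-site POST before its content is ever looked at, but does nothing against script already running in the page) is easier to see in code. The following is an added example, not code from LifeType/pLog; it assumes an in-memory dict as the session store and a hypothetical "/post" form action, both constructed for the illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"csrf_token": ...}.
# A real application would keep this in its server-side session storage.
SESSIONS = {}


def start_session():
    """Create a session and bind a fresh random nonce to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Embed the session's nonce as a hidden field.

    Note that the nonce is part of the HTML the browser receives, so any
    script that runs in this page (for example one injected through an XSS
    hole) can read it. That is the caveat raised in the thread: the nonce
    addresses CSRF, not XSS.
    """
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="/post">'  # hypothetical action
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '</form>'
    )


def accept_post(sid, form):
    """Return True only if the POST carries the nonce bound to this session.

    The decision is made before any other field of the form is processed:
    a request without the right nonce is refused regardless of its content
    or where it came from.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return False
    submitted = form.get("csrf_token")
    if not isinstance(submitted, str):
        return False
    # Constant-time comparison so the check does not leak the nonce
    # byte by byte through timing differences.
    return hmac.compare_digest(
        submitted.encode("utf-8"), session["csrf_token"].encode("utf-8")
    )


def demo():
    """Exercise the check with three constructed POSTs.

    Returns (legitimate, forged_without_token, wrong_session_token).
    """
    victim = start_session()
    other = start_session()

    # 1. A form rendered for the victim's session, submitted back as-is.
    legitimate = accept_post(
        victim, {"csrf_token": SESSIONS[victim]["csrf_token"], "body": "hi"}
    )
    # 2. A cross-site POST: the browser attaches the victim's session
    #    cookie, but the third-party page cannot read the hidden field,
    #    so no (or an empty) token is sent.
    forged = accept_post(victim, {"body": "spam"})
    # 3. A token that is valid for some other session is not accepted
    #    for the victim's session.
    wrong_session = accept_post(
        victim, {"csrf_token": SESSIONS[other]["csrf_token"], "body": "x"}
    )
    return legitimate, forged, wrong_session


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The check runs before the rest of the form is read, which is Jon's point: a request without the session-bound nonce never reaches the code that handles the content. Reto's point is visible in render_form: the nonce is delivered inside the page, so it is only as secret as the page's own DOM, and a separate fix is needed for any XSS that lets foreign script read it.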




