It depends on how you implemented the nonce.<br><br>I really haven't look into this specific vuln, I've just happened on the emails you guys were sending around... but assuming you have implemented a site-wide nonce implementation that is page specific, form specific, user specific, uses timed expiration, and requires authentication... it would be hard to utilize the reflection attack in any meaningful way other than attack yourself.<br>
<br>I would never assume that it would be impossible, most of the time it is the conglomeration of vulnerabilities that allow an attack to do meaningful things.<br><br>-Matt<br><br><div class="gmail_quote">On Tue, May 6, 2008 at 3:17 AM, Reto Hugi <<a href="mailto:plog@hugi.to" target="_blank">plog@hugi.to</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div>Jon Daley wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
I must really not be getting XSS then. If every post has to have a token on it, how would someone guess the token in order to have the javascript be accepted and displayed on the screen at all? I'd expect the token to be checked first, and simply die() if it doesn't match.<br>
I can't figure out a scenario where an attacker would be able to get javascript displayed on the screen to be executed within the context of that domain to steal a cookie, or do anything.<br>
<br>
</blockquote>
<br></div>
Jon, you're right on that very example. But I suppose we won't implement<br>
the CSRF Check (i.e. the nonce check) on every request, but only on the<br>
ones writing to the database (that's where CSRF is the most dangerous).<br>
And therefore we still need to make sure we are not vulnerable to xss.<br>
<br>
it was probably good to have this discussed once again. it's the only<br>
way we all get the same understanding of those attacks :)<br>
<br>
@matt: or do you see a possibility of exploiting our xss vuln. *if* we<br>
had implemented the nonce on every request (that's the scenario jon is<br>
thinking about...)<div><div></div><div><br>
<br>
_______________________________________________<br>
pLog-svn mailing list<br>
<a href="mailto:pLog-svn@devel.lifetype.net" target="_blank">pLog-svn@devel.lifetype.net</a><br>
<a href="http://limedaley.com/mailman/listinfo/plog-svn" target="_blank">http://limedaley.com/mailman/listinfo/plog-svn</a><br>
</div></div></blockquote></div><br>