On 2015-11-02 15:00:19 +0000, Brian wrote:
> On Mon 02 Nov 2015 at 14:58:24 +0100, Vincent Lefevre wrote:
>
> > On 2015-11-02 13:47:41 +0000, Brian wrote:
> > > On Mon 02 Nov 2015 at 14:17:39 +0100, Vincent Lefevre wrote:
> > > > The user's browser cannot compromise the site itself. But a security
> > > > bug may permit an attacker to get the user's login and password, and
> > > > neither the bank nor the user would like this.
> > >
> > > Would this obtaining of the password be before or after encryption
> > > takes place?
> >
> > With an XSS[*] vulnerability, before.
> >
> > [*] https://en.wikipedia.org/wiki/Cross-site_scripting
>
> Quoting from that page:
>
>   XSS enables attackers to inject client-side script into web pages
>   viewed by other users.
>
> The bank's site would be compromised. It wouldn't matter what user-agent
> string was sent by the user.
No, the injection happens locally (after the web page is fetched), in the
user's browser, not remotely.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
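As an added illustration of the XSS point discussed in this exchange (example code, not from the thread or from any bank's site): a login page that reflects a query parameter into its HTML unescaped, beside the same page with the parameter HTML-escaped, plus a small oracle that tells the two apart. The function names and the sample parameter value are constructed for this example.

```python
import html
import re

# Constructed sample value for a reflected "message" query parameter.
# It is a harmless textbook marker used only to show the difference
# between the two renderers; it is not taken from the thread.
SAMPLE_PARAM = "<script>1</script>"

LOGIN_FORM = (
    '<form method="post" action="/login">'
    '<input name="user"><input name="pass" type="password">'
    "</form>"
)


def render_login_vulnerable(message: str) -> str:
    """Reflects the parameter verbatim into the page markup.

    Whatever reached the server in the URL is sent back as HTML, so the
    victim's browser parses it as markup next to the real login form.
    The script runs client side, after the page has been fetched, which
    is why TLS on the connection does not help here.
    """
    return f"<html><body><p>{message}</p>{LOGIN_FORM}</body></html>"


def render_login_hardened(message: str) -> str:
    """Same page, but the parameter is HTML-escaped before insertion.

    '<', '>', '&' and quotes become entities, so the browser shows the
    value as text and never sees a script start tag.
    """
    safe = html.escape(message, quote=True)
    return f"<html><body><p>{safe}</p>{LOGIN_FORM}</body></html>"


# Test oracle for this example: a real <script start tag in the output.
# An escaped value appears as &lt;script&gt; and does not match.
_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(page: str) -> bool:
    """Return True if the rendered page contains an actual <script> tag."""
    return _SCRIPT_TAG.search(page) is not None
```

Feeding SAMPLE_PARAM through both renderers shows that only the unescaped version yields a page in which the browser would execute the injected script.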