On Oct 6, 2006, at 1:04 PM, [EMAIL PROTECTED] wrote:
1) Joe Bloggs logs into my website and has an active session.
2) Clicks on a link (either from an email or from content posted on my
site) to http://www.malicious-site.com/index.html
3) That index page contains an tag
3) Instead of servin
On Fri, Oct 06, 2006 at 05:14:47PM +0200, Clinton Gormley wrote:
> > Users:
[...]
> > OK, now call me names :-)
> >
>
> Neither of these options will work. Consider this scenario.
>
> 1) Joe Bloggs logs into my website and has an active session.
>
On Oct 6, 2006, at 10:35 AM, Clinton Gormley wrote:
I'm testing my current site for XSS vulnerabilities, and I came across
this one on:
http://ha.ckers.org/xss.html
well, not MP related but
if you let users embed flash / etc in profile pages, make sure you
strip object tags -- just use th
> That's part of it, but it's not a complete solution.
>
> That particular attack vector is called CSRF, cross-site request
> forgeries. RSnake's XSS cheatsheet demonstrates using XSS on your own
> site to launch the attack, but it can also be launched from any other
> web site where your users v
> Users:
> * switch off Javascript (and any other active content)
> * avoid pages unusable without active content
>
> Developers:
> * always offer working alternatives to active content (page
> must be usable with no JS, no Java, no Flash (I won't talk
> about other client-side monst
Clinton Gormley wrote:
> How would you avoid this? Only take parameters from the
> POST data?
That's part of it, but it's not a complete solution.
That particular attack vector is called CSRF, cross-site request
forgeries. RSnake's XSS cheatsheet demonstrates using XSS on your own
site to launch
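To make concrete why "only take parameters from the POST data" is part of the answer but not all of it, here is an added Python example; it is not code from this thread or from any of the posters, and the target site name www.example-target.com, the session id, the user name and the server secret are all constructed for the demo. It shows the forged request a malicious page can make the victim's browser send (cookie attached, because the browser attaches cookies by destination, not by who wrote the form), and a handler that rejects it only once it also demands a per-session token that a foreign origin cannot read:

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed demo values. A real site loads the secret from config and
# keeps real sessions; the session id and user name here are hypothetical.
SERVER_SECRET = b"demo-secret-not-for-production"
SESSIONS = {"s3ss10n": "joe.bloggs"}

# What www.malicious-site.com/index.html could serve (constructed): the
# victim's browser submits this form to the target site and attaches the
# victim's session cookie, so a POST-only handler still accepts it.
MALICIOUS_PAGE = """<form id="f" method="POST"
      action="http://www.example-target.com/change_password">
  <input type="hidden" name="new_password" value="owned">
</form>
<script>document.getElementById('f').submit();</script>"""


def csrf_token(session_id: str) -> str:
    """Per-session token derived with HMAC, so nothing extra is stored.

    The site embeds this as a hidden field in its own forms. A page on
    another origin cannot read it (same-origin policy), so a forged form
    cannot carry it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_password(method: str, cookies: dict, body: str) -> tuple:
    """Handle the state-changing request; returns (status, message).

    Checks in order: a live session (the cookie arrives no matter which
    page triggered the request), POST only, then a token matching the
    session. The first two alone still admit MALICIOUS_PAGE's form; only
    the token check stops it.
    """
    session_id = cookies.get("session")
    if session_id not in SESSIONS:
        return 401, "not logged in"
    if method != "POST":
        return 405, "state change must be a POST"
    params = parse_qs(body)
    supplied = params.get("csrf_token", [""])[0]
    expected = csrf_token(session_id)
    # compare_digest on bytes: constant time, and safe if the attacker
    # sends non-ASCII in the field.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or wrong CSRF token"
    new_password = params.get("new_password", [""])[0]
    return 200, f"password changed for {SESSIONS[session_id]} to {new_password!r}"


def forged_get() -> tuple:
    """A link in an email: GET with Joe's cookie, parameters in the URL only."""
    return change_password("GET", {"session": "s3ss10n"}, "")


def forged_post() -> tuple:
    """The auto-submitted form from MALICIOUS_PAGE: POST, Joe's cookie, no token."""
    return change_password("POST", {"session": "s3ss10n"}, "new_password=owned")


def legitimate_post() -> tuple:
    """Joe submits the site's own form, which carries his token as a hidden field."""
    body = f"new_password=hunter2&csrf_token={csrf_token('s3ss10n')}"
    return change_password("POST", {"session": "s3ss10n"}, body)


if __name__ == "__main__":
    for name, fn in [("forged GET", forged_get),
                     ("forged POST", forged_post),
                     ("legitimate POST", legitimate_post)]:
        print(name, "->", fn())
```

The token is derived from the session id rather than stored, which keeps the check stateless, but it also means the token lives exactly as long as the session; if the session id ever leaks, the token goes with it, so the session id itself must stay unreadable to other origins (HttpOnly cookie, never in a URL).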
On Fri, Oct 06, 2006 at 04:35:22PM +0200, Clinton Gormley wrote:
> I'm testing my current site for XSS vulnerabilities, and I came across
> this one on:
>
> http://ha.ckers.org/xss.html
[...]
> Now this is an interesting one... How would you avoid th