
Re: [WEB SECURITY] RE: XSS-Phishing on Financial Sites (Tip of the iceberg)
OTOH, let's say that someone on www.malicious.com wanted to link to
ha.ckers.org.  You probably want to allow links from www.malicious.com
to most of your pages, but probably not to the scripts that actually
make changes to the site, e.g. the comment submission scripts.  Just
for kicks, I poked around ha.ckers.org a bit to see what a CSL policy
might look like.  How about this:

Okay, what about this... I own http://ha.ckers.org/. Someone links an image to http://www.malicioussite.com/ which allows everything. Malicious site redirects to a redirect hole in Google which sends the user back to http://ha.ckers.org/blog/wp-comments-post

I agree, I don't really want Google posting, so perhaps that's a
good example, but it's not a good example for many functions I might
want Google to send traffic to legitimately. It's a tough call with
some functions.  A more realistic problem is I actually _might_ want
people to automatically send traffic to my comments function if someone
eventually builds an application to forward requests to my page to make
it easier for my users.  Again, you could argue that in that case I
should explicitly allow that one referrer in, and I might agree, but
wow... this is seeming like an administration nightmare, even on a small
site like mine.

-RSnake
http://ha.ckers.org/
http://ha.ckers.org/xss.html
http://ha.ckers.org/blog/feed/
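To make the per-path referrer policy the two posters are arguing about concrete, here is an added example (not code from the thread or from ha.ckers.org) of a small policy evaluator. The policy format, the rule table and the `allowed` function are assumptions; the paths and hosts come from the thread. It shows why the redirect-through-Google request is refused, and why every legitimate third-party forwarder would need its own entry.

```python
from urllib.parse import urlsplit

# Constructed per-path referrer policy for ha.ckers.org (assumed format; the
# thread never defines a policy syntax). "*" means any referrer, or none,
# may reach the path. A set of hosts means only those referrers may, and a
# request with no Referer header at all is refused.
POLICY = {
    "/blog/wp-comments-post": {"ha.ckers.org"},  # state-changing script
    "/blog/": "*",                                # ordinary content pages
    "/": "*",
}


def lookup(path):
    """Longest-prefix match, so /blog/wp-comments-post wins over /blog/."""
    best = max((p for p in POLICY if path.startswith(p)), key=len)
    return POLICY[best]


def allowed(path, referer):
    """True if a request for `path` with this Referer value passes the policy."""
    rule = lookup(path)
    if rule == "*":
        return True
    if not referer:
        # No Referer: origin cannot be checked. Note this also refuses users
        # behind privacy proxies, one reason referrer checks are brittle.
        return False
    host = urlsplit(referer).hostname or ""
    return host in rule


def grant(path, host):
    """Whitelist one more referrer for a restricted path (the admin burden)."""
    rule = lookup(path)
    if rule != "*":
        rule.add(host)
    return lookup(path)
```

After a redirect chain the browser's Referer is the last page it was on, so a request bounced through a Google redirect arrives with a google.com referrer and is refused for the comments script.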

----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/


The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]