Re: [WEB SECURITY] Article about HttpOnly
- From: "Amit Klein (AKsecurity)" <aksecurity@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Article about HttpOnly
- Date: Sat, 12 Aug 2006 18:16:48 +0200
On 11 Aug 2006 at 18:45, Brian Eaton wrote:
> Yeah, that's a good point Chris. You need to have a CSRF
> vulnerability to bootstrap into an exploit for the (reflected) XSS
> vulnerability.
>
Well, just keep in mind that there are server-specific XSS vulnerabilities (e.g. Apache's
Expect header XSS), 3rd party/sample code XSS, etc. - so XSS may exist outside your
application, yet have an effect on your anti-CSRF measures.
-Amit
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org