RE: [WEB SECURITY] Article about HttpOnly
- From: "Chris Weber" <chris@xxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Article about HttpOnly
- Date: Tue, 15 Aug 2006 09:00:16 -0700
True. Also, I found an XSS + format string bug in one of the Struts APIs as
well, and they never got back in touch with me after I emailed them about
it.
-----Original Message-----
From: Amit Klein (AKsecurity) [mailto:aksecurity@xxxxxxxxxx]
Sent: Saturday, August 12, 2006 9:17 AM
To: Chris Weber; Brian Eaton
Cc: RSnake; Evert | Collab; websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Article about HttpOnly
On 11 Aug 2006 at 18:45, Brian Eaton wrote:
> Yeah, that's a good point, Chris. You need to have a CSRF
> vulnerability to bootstrap into an exploit for the (reflected) XSS
> vulnerability.
>
Well, just keep in mind that there are server-specific XSS vulnerabilities
(e.g. Apache's Expect header XSS), 3rd party/sample code XSS, etc. - so XSS
may exist outside your application, yet have effect on your anti-CSRF
measures.
-Amit
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org