
Re: [WEB SECURITY] Article about HttpOnly



On 8/31/06, Kanatoko <anvil@xxxxxxxxxxx> wrote:

> Brian Eaton wrote:
> > If somebody knows of CSRF protection techniques that can
> > survive an XSS hole in the application, I'd love to hear about them.
>
> How about requiring password (again)?

That's a start. I see three issues.

1) Javascript malware injected through the XSS hole could watch the keystrokes.
2) Javascript malware could change the message on the confirmation
page, so that the user doesn't realize what he is confirming.
3) It bugs people.  It's just bad from a usability perspective.

Regards,
Brian

----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/


The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]




Brought to you by http://www.webappsec.org