WebApp Sec mailing list archives
Re: Cross Context Scripting with Sage
From: bugtraq () cgisecurity net
Date: Mon, 11 Sep 2006 09:35:48 -0400 (EDT)
You'd be surprised just how many reader applications (remote and local) are affected by this issue. Besides the obvious zone context risks with these types of vulnerabilities you also can execute CSRF attacks against a wide user audience. One of the more interesting things that you can do involving RSS/Atom/Any Feed involves when a website uses a feed in order to display dynamic content, as well as those creating feeds from another feed. For those interested my blackhat slides can be found below, along with the occupying whitepaper. Paper: http://www.spidynamics.com/assets/documents/HackingFeeds.pdf Slides: http://www.cgisecurity.com/papers/RSS-Security.ppt RSS Security Repository: http://www.cgisecurity.com/rss/ - Robert http://www.cgisecurity.com/ Website Security news and more http://www.cgisecurity.com/index.rss [RSS Feed]
Cross Context Scripting in Firefox Sage Extension. http://www.gnucitizen.org/blog/cross-context-scripting-with-sage This proves that Firefox Extensions can be as dangerous as random flash or quicktime media files. Moreover, the POC provides a real example of how RSS feed Hacking really works. -- pdp (architect) http://www.gnucitizen.org
------------------------------------------------------------------------- Sponsored by: Watchfire Securing a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm --------------------------------------------------------------------------
Current thread:
- Re: Cross Context Scripting with Sage bugtraq (Sep 13)