Full Disclosure mailing list archives
Re: [x0n3-h4ck.org] PayPal vulnerable to XSS
From: Jason <jason () strangelogic co uk>
Date: Mon, 06 Nov 2006 23:17:48 +0000
That's not exploitable. Remember that the "XS" in XSS stands for
"cross-site": you have to be able to trigger the scripting using ordinary requests from another site. To generate this cookie, you'd need to already have scripting access to the paypal.com domain - in which case you don't care anymore. Or you can use Flash to generate the raw headers you want to send. Visitor -> attacker site with flash -> PayPal site Visitor = exploited -- -- Jason Duke | Strange Logic Tel: +44 (0)20 8598 2280| jason () strangelogic com http://www.StrangeLogic.com The Search Engines We Find Them Strangely Logical -- -- Jason Duke | Strange Logic Tel: +44 (0)20 8598 2280| jason () strangelogic com http://www.StrangeLogic.com The Search Engines We Find Them Strangely Logical _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [x0n3-h4ck.org] PayPal vulnerable to XSS corrado.liotta (Nov 06)
- Re: [x0n3-h4ck.org] PayPal vulnerable to XSS Andrew Farmer (Nov 06)
- Re: [x0n3-h4ck.org] PayPal vulnerable to XSS Thierry Zoller (Nov 06)
- Re: [x0n3-h4ck.org] PayPal vulnerable to XSS Andrew Farmer (Nov 06)
- Re: [x0n3-h4ck.org] PayPal vulnerable to XSS Jason (Nov 06)
- Re: [x0n3-h4ck.org] PayPal vulnerable to XSS Debasis Mohanty (Nov 06)
- Re: [x0n3-h4ck.org] PayPal vulnerable to XSS Thierry Zoller (Nov 06)
- Re: [x0n3-h4ck.org] PayPal vulnerable to XSS Andrew Farmer (Nov 06)