Full Disclosure mailing list archives

Re: Metrica Service Assurance Multiple Cross Site Scripting


From: kuza55 <kuza55 () gmail com>
Date: Sun, 9 Nov 2008 12:19:11 +1100

2008/11/9 rholgstad <rholgstad () gmail com>:
> post auth xss
>
> *yawn*

I don't quite see your point about it being post auth.
The URLs provided don't seem to have csrf tokens or anything else that
actually requires an attacker to have an account, so all you need to
do is find an authed victim, which is what you would have to do anyway
since attacking unauthed victims is usually pretty pointless (not that
you can't still perform useful attacks, but they're not always
possible or simple).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
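The point made above is that a reflected XSS URL with no session-bound token in it can be built by anyone and simply handed to a logged-in victim, so "post auth" only describes who the victim is, not what the attacker needs. The following is an added example, not code from this thread or from Metrica: a minimal search handler that reflects a query parameter verbatim, the same handler hardened with HTML entity encoding, and a small check a defender can run over a response body. The page template, URL, and probe string are constructed for the example.

```python
"""
Added example (not part of the original thread or the Metrica product):
a reflected-XSS illustration with a vulnerable handler, its hardened
form using output encoding, and a response check for reflected markup.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample page: a search results page that echoes the "q" parameter.
PAGE = "<html><body><h1>Results for: {term}</h1></body></html>"


def _query_term(url: str) -> str:
    """Extract the 'q' parameter from a URL; parse_qs percent-decodes it."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def render_search_vulnerable(url: str) -> str:
    """Reflects the query parameter into the HTML verbatim (the defect).

    Nothing in this URL is tied to a session, so the link can be built
    without an account and delivered to any authenticated user.
    """
    return PAGE.format(term=_query_term(url))


def render_search_hardened(url: str) -> str:
    """Same page, but the reflected value is entity-encoded before insertion.

    html.escape(quote=True) encodes <, >, &, " and ', so the browser treats
    the value as text rather than markup, whoever built the URL.
    """
    return PAGE.format(term=html.escape(_query_term(url), quote=True))


def reflects_markup_unescaped(response_body: str, probe: str) -> bool:
    """True if the raw probe appears in the body as markup rather than as entities.

    A defender can send a harmless marker like PROBE and run this over the
    response to detect unencoded reflection without using any real payload.
    """
    return probe in response_body


# Constructed probe: inert markup, enough to distinguish encoding from reflection.
PROBE = '<b title="x">probe</b>'
SAMPLE_URL = "https://example.invalid/search?q=" + quote(PROBE)


def check_both() -> dict:
    """Run the check against both handlers; returns per-handler reflection results."""
    return {
        "vulnerable": reflects_markup_unescaped(render_search_vulnerable(SAMPLE_URL), PROBE),
        "hardened": reflects_markup_unescaped(render_search_hardened(SAMPLE_URL), PROBE),
    }


if __name__ == "__main__":
    print(check_both())  # vulnerable reflects the markup, hardened does not
```

The check deliberately uses inert markup rather than an executable payload: the question a defender needs answered is only whether input reaches the page unencoded, and the fix is the same regardless of which parameter or page reflects it.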
