Full Disclosure mailing list archives
Re: Metrica Service Assurance Multiple Cross Site Scripting
From: kuza55 <kuza55 () gmail com>
Date: Sun, 9 Nov 2008 12:19:11 +1100
2008/11/9 rholgstad <rholgstad () gmail com>:
> post auth xss *yawn*

I don't quite see your point about it being post auth. The URLs provided don't seem to have csrf tokens or anything else that actually requires an attacker to have an account, so all you need to do is find an authed victim, which is what you would have to do anyway since attacking unauthed victims is usually pretty pointless (not that you can't still perform useful attacks, but they're not always possible or simple).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/