Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility) from Mark S. Miller on 2009-06-08 (public-webapps@w3.org from April to June 2009)

From: Mark S. Miller <erights@google.com>
Date: Sun, 7 Jun 2009 18:24:09 -0700
To: Adam Barth <w3c@adambarth.com>
Cc: public-webapps <public-webapps@w3.org>
Message-ID: <4d2fac900906071824y246e905cidbf651cc08f6668@mail.gmail.com>

On Sun, Jun 7, 2009 at 4:29 PM, Adam Barth <w3c@adambarth.com> wrote:
>
> Right, but once the attacker has XSSed site A, the attacker learns the
> secret token necessary to issue the next request in the chain to site
> A regardless of the method.
>

Recall that this is in response to

On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller <erights@google.com> wrote:

> If servers at A don't freely hand out such tokens in response to guessable
> GET requests,


So, if servers at A don't do this, how does the attacker, having XSSes site
A, learn the secret token necessary to issue the next request?

-- 
   Cheers,
   --MarkM

Received on Monday, 8 June 2009 01:33:50 UTC