
Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 7 Jun 2009 23:18:35 -0700
Message-ID: <7789133a0906072318g74df719bo6cf65e9c318a620d@mail.gmail.com>
To: "Mark S. Miller" <erights@google.com>
Cc: public-webapps <public-webapps@w3.org>

On Sun, Jun 7, 2009 at 6:24 PM, Mark S. Miller <erights@google.com> wrote:
> On Sun, Jun 7, 2009 at 4:29 PM, Adam Barth <w3c@adambarth.com> wrote:
>>
>> Right, but once the attacker has XSSed site A, the attacker learns the
>> secret token necessary to issue the next request in the chain to site
>> A regardless of the method.
>
>
> Recall that this is in response to
>
> On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller <erights@google.com> wrote:
>>
>> If servers at A don't freely hand out such tokens in response to guessable
>> GET requests,
>
> So, if servers at A don't do this, how does the attacker, having XSSed site
> A, learn the secret token necessary to issue the next request?

The same way the user does: by generating a click event on whatever
DOM element leads to the next page.

Adam

Received on Monday, 8 June 2009 06:19:28 GMT
