Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

[- all but Adam and pubic-webapps]

On Sun, Jun 7, 2009 at 3:24 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller <erights@google.com> wrote:
> > If servers at A don't freely hand out such tokens in response to
> guessable GET
> > requests, then the secret token prevents XSS-at-A-attacker's XSRF against
> B
> > from abusing the authority that B associates with A.
>
> I don't see what GET has to do with it.  In any case, the XSS attacker
> can always enter the site at the home page (e.g., http://example.com/)
> and follow whatever obscure links exist until it reaches the page that
> contains the token.[...]


If the starting point "http://example.com/" is guessable, then the XSS
attacker thereby succeeds at obtaining the token only if the server at
example.com hands out the token in response to a guessable sequence of GET
requests.

If the starting point is not guessable, then I don't understand your
example.

-- 
   Cheers,
   --MarkM

Received on Sunday, 7 June 2009 22:47:26 UTC