Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

On Sun, Jun 7, 2009 at 3:46 PM, Mark S. Miller <erights@google.com> wrote:
> [- all but Adam and public-webapps]
>
> On Sun, Jun 7, 2009 at 3:24 PM, Adam Barth <w3c@adambarth.com> wrote:
>>
>> On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller <erights@google.com> wrote:
>> > If servers at A don't freely hand out such tokens in response to
>> > guessable GET
>> > requests, then the secret token prevents XSS-at-A-attacker's XSRF
>> > against B
>> > from abusing the authority that B associates with A.
>>
>> I don't see what GET has to do with it.  In any case, the XSS attacker
>> can always enter the site at the home page (e.g., http://example.com/)
>> and follow whatever obscure links exist until it reaches the page that
>> contains the token.[...]
>
> If the starting point "http://example.com/" is guessable, then the XSS
> attacker thereby succeeds at obtaining the token only if the server at
> example.com hands out the token in response to a guessable sequence of GET
> requests.

GET really doesn't have anything to do with it.  The attacker can
issue POST requests (and really any other method) too.  Note that the
attacker can read the response and follow any links, etc.

> If the starting point is not guessable, then I don't understand your
> example.

Virtually all sites have a well-known starting point, aka the home page.

http://digg.com/
http://trac.webkit.org/
http://slashdot.org/
http://www.cnn.com/

etc.  Not to pick on news sites...  I just grabbed a few from my
most-visited page.  :)

Adam

Received on Sunday, 7 June 2009 22:55:13 UTC
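The disagreement above can be made concrete with a small model. The following is an added example, not code from the thread or from either author: it builds a constructed toy origin as a dictionary of paths to HTML bodies, models a same-origin script that can read any response it fetches (the position Adam is arguing from), and follows links from the well-known home page. The token on a linked page is found however obscure its URL is; the token on a page that nothing links to (Mark's unguessable starting point) is not. The `xsrf_token` field name, the paths and the token values are all assumptions made for the illustration.

```python
import re
from collections import deque

# Constructed toy origin "A": path -> response body (assumption, not a real site).
# Only the deep archive page and the unlinked page carry an anti-XSRF token.
SITE = {
    "/": '<a href="/news">news</a> <a href="/about">about</a>',
    "/news": '<a href="/news/obscure-archive-2009">archive</a>',
    "/about": "<p>nothing here</p>",
    "/news/obscure-archive-2009": (
        '<form method="post" action="/vote">'
        '<input type="hidden" name="xsrf_token" value="tok-ABC123">'
        "</form>"
    ),
    # Reachable only if the URL is already known: no page links to it.
    "/unlinked-9f3a2c": '<input type="hidden" name="xsrf_token" value="tok-SECRET">',
}

LINK_RE = re.compile(r'href="([^"]+)"')
TOKEN_RE = re.compile(r'name="xsrf_token" value="([^"]+)"')


def same_origin_fetch(path):
    """Models a same-origin XMLHttpRequest: a script running in origin A
    gets the full response body back, whatever HTTP method it used."""
    return SITE.get(path, "")


def tokens_reachable_from(start):
    """Breadth-first walk over links starting at `start`, reading each
    response the way a same-origin script can. Returns {path: token} for
    every token encountered. Pages nobody links to are never visited."""
    seen = {start}
    queue = deque([start])
    found = {}
    while queue:
        path = queue.popleft()
        body = same_origin_fetch(path)
        for token in TOKEN_RE.findall(body):
            found[path] = token
        for link in LINK_RE.findall(body):
            if link not in seen:
                seen.add(link)
                queue.append(link)
    return found


if __name__ == "__main__":
    # Starting from the guessable home page, the obscure-but-linked token is found.
    print(tokens_reachable_from("/"))
    # The unlinked page is only found if its URL was already known.
    print(tokens_reachable_from("/unlinked-9f3a2c"))
```

The model shows why the GET-versus-POST distinction does not change the outcome: what matters is that a script in origin A can read responses, so any token linked (directly or through a chain of pages) from a well-known entry point is within its reach. Token secrecy therefore only holds for pages that are unreachable by links, which is rarely how a real site is built; the practical defence against an XSS-originated XSRF is removing the XSS itself.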