W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 7 Jun 2009 16:29:52 -0700
Message-ID: <7789133a0906071629p1541cb19g6b79e9d0ba876ba@mail.gmail.com>
To: "Mark S. Miller" <erights@google.com>
Cc: public-webapps <public-webapps@w3.org>
On Sun, Jun 7, 2009 at 4:18 PM, Mark S. Miller <erights@google.com> wrote:
> On Sun, Jun 7, 2009 at 3:54 PM, Adam Barth <w3c@adambarth.com> wrote:
>> GET really doesn't have anything to do with it.  The attacker can
>> issue POST requests (and really any other method) too.  Note that the
>> attacker can read the response and follow any links, etc.
> Recall that we were examining the GET hypothesis under the assumption that
> POSTs were already protected by secret tokens against XSRFs.

Right, but once the attacker has XSSed site A, the attacker learns the
secret token necessary to issue the next request in the chain to site
A regardless of the method.

Received on Sunday, 7 June 2009 23:30:51 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:54 UTC