Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

On Sun, Jun 7, 2009 at 4:18 PM, Mark S. Miller <erights@google.com> wrote:
> On Sun, Jun 7, 2009 at 3:54 PM, Adam Barth <w3c@adambarth.com> wrote:
>>
>> GET really doesn't have anything to do with it.  The attacker can
>> issue POST requests (and really any other method) too.  Note that the
>> attacker can read the response and follow any links, etc.
>
> Recall that we were examining the GET hypothesis under the assumption that
> POSTs were already protected by secret tokens against XSRFs.

Right, but once the attacker has XSSed site A, the attacker learns the
secret token necessary to issue the next request in the chain to site
A regardless of the method.

Adam

Received on Sunday, 7 June 2009 23:30:51 UTC
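The point Adam is making in this thread can be made concrete with a small model. The following is an added example, not code from the thread or from any W3C work product: it simulates "site A" with a per-session secret token, shows that a request forged from another origin fails the token check, and then shows that script running in site A's own origin (which is exactly what an XSS gives the attacker) can read the token from the page and pass the same check. All names (`Site`, `forged_cross_site_request`, `same_origin_script_request`) are constructed for this illustration; the takeaway for a defender is that the token defends against cross-site requests only, and the mitigation for the escalation described here is preventing the XSS itself.

```python
import hmac
import secrets


class Site:
    """Constructed model of 'site A': each session gets a secret CSRF token
    that must accompany every state-changing request."""

    def __init__(self):
        self.sessions = {}
        self.state_changes = []

    def login(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"csrf_token": secrets.token_hex(16)}
        return sid

    def render_page(self, sid):
        # The token is embedded in the page (hidden form field / meta tag) so
        # that the site's own forms and scripts can send it back.
        return {"body": "<html>...</html>",
                "csrf_token": self.sessions[sid]["csrf_token"]}

    def handle_post(self, sid, token, action):
        sess = self.sessions.get(sid)
        if sess is None:
            return 403, "no session"
        # Constant-time compare: reject anything that is not this session's token.
        if token is None or not hmac.compare_digest(token, sess["csrf_token"]):
            return 403, "bad csrf token"
        self.state_changes.append(action)
        return 200, "ok"


def forged_cross_site_request(site, sid):
    """A page on another origin can make the browser send a request with the
    victim's cookie (sid), but the same-origin policy stops it from reading
    site A's page, so it never learns the token."""
    return site.handle_post(sid, token=None, action="transfer")


def same_origin_script_request(site, sid):
    """Script running inside site A's origin (the situation after an XSS) can
    read the page, extract the token, and issue a request that passes the
    token check, whatever the method."""
    page = site.render_page(sid)
    return site.handle_post(sid, token=page["csrf_token"], action="transfer")


def demo():
    site = Site()
    sid = site.login()
    cross = forged_cross_site_request(site, sid)
    same = same_origin_script_request(site, sid)
    return {"cross_site_status": cross[0],
            "same_origin_status": same[0],
            "state_changes": list(site.state_changes)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields a 403 for the forged cross-site request and a 200 for the request issued from site A's own origin, with one recorded state change. The token check is correct and still does nothing against the second case, because the check only distinguishes "could read site A" from "could not", and an XSS puts the attacker on the "could read" side.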