This attack seems pretty harmless (I'd rather not discuss ethical concerns), but it demonstrates something very powerful - a combination of XSS and CSRF. If your site has XSS vulnerabilities, they can be used to launch much more effective CSRF attacks. Rather than only a small percentage of people being affected, everyone is, because the attacker is guaranteed that all victims have an established relationship with the target site, yours.
(Via Planet PHP.)
Thursday, October 13, 2005
Myspace CSRF and XSS Hack - Chris Shiflett: