[wp-hackers] Any other way to do it? (or, do we really need Nonces?)
    Elliotte Harold 
    elharo at metalab.unc.edu
       
    Sat Mar  3 14:55:05 GMT 2007
    
    
  
Martin Fitzpatrick wrote:
> Automatic POSTing can be done automagically on any webpage using
> Javascript.  If you're currently logged into that remote URL your
> browser (may) submit your cookies for it along with the data. A form
> to do that can be hidden / in a frame. You could even be presented
> with a "Submit" button that looks as though it's part of another form.
> Everyone can be tricked.
> 
I don't believe this. I've found specific claims to the contrary.
I don't disbelieve it either. Often such claims miss things.
However I would like to see a specific proof of concept of a JavaScript 
that submits a POST to a 3rd party site with authentication cookies intact.
-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
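
The nonce check that the subject line asks about, modelled as an added example that is not part of the original message and is not WordPress's own code. The secret, session store, handler and field names are all hypothetical; the point is that a request authenticated by cookie alone is refused unless it also carries a token bound to the user, the action and a time window.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: a per-site secret key
SESSIONS = {"sess-abc": "alice"}      # constructed session store


def make_nonce(user, action, tick):
    """Token bound to one user, one action and one time window."""
    msg = f"{tick}|{action}|{user}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def verify_nonce(nonce, user, action, tick):
    """Accept the current or the previous window; compare in constant time."""
    return any(
        hmac.compare_digest(nonce.encode(), make_nonce(user, action, t).encode())
        for t in (tick, tick - 1)
    )


def handle_post(cookies, form, tick):
    """Hypothetical admin handler: the cookie says who, the nonce says intent."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return "401 not logged in"
    action = form.get("action", "")
    if not verify_nonce(form.get("_nonce", ""), user, action, tick):
        return "403 bad nonce"
    return f"200 {action} done for {user}"


def demo(tick=100):
    cookies = {"session": "sess-abc"}  # scenario from the quoted text: cookie is sent
    action = "delete-post-7"
    own_form = {"action": action, "_nonce": make_nonce("alice", action, tick)}
    cross_site = {"action": action}    # form built elsewhere, no nonce available
    reused = {"action": "delete-user-3", "_nonce": own_form["_nonce"]}
    return [handle_post(cookies, f, tick) for f in (own_form, cross_site, reused)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```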