[wp-hackers] Any other way to do it? (or, do we really need Nonces?)

Elliotte Harold elharo at metalab.unc.edu
Sat Mar 3 14:55:05 GMT 2007


Martin Fitzpatrick wrote:

> Automatic POSTing can be done automagically on any webpage using
> Javascript.  If you're currently logged into that remote URL your
> browser (may) submit your cookies for it along with the data. A form
> to do that can be hidden / in a frame. You could even be presented
> with a "Submit" button that looks as though it's part of another form.
> Everyone can be tricked.
> 

I don't believe this. I've found specific claims to the contrary.

I don't disbelieve it either. Often such claims miss things.

However I would like to see a specific proof of concept of a JavaScript 
that submits a POST to a 3rd party site with authentication cookies intact.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/

