Full Disclosure mailing list archives

Re: Metrica Service Assurance Multiple Cross Site Scripting
From: kuza55 <kuza55 () gmail com>
Date: Sun, 9 Nov 2008 12:19:11 +1100

2008/11/9 rholgstad <rholgstad () gmail com>:
post auth xss

*yawn*

I don't quite see your point about it being post auth.
The URLs provided don't seem to have csrf tokens or anything else that
actually requires an attacker to have an account, so all you need to
do is find an authed victim, which is what you would have to do anyway
since attacking unauthed victims is usually pretty pointless (not that
you can't still perform useful attacks, but they're not always
possible or simple).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

