Cross-Site Tracing (XST) security vulnerability
If I understand how it works correctly, it goes a bit like this:
1. I connect to a malicious web server (or a hacked friendly one)
2. That web server sends me some javascript
3. That javascript sends a TRACE request to some site it knows I use
4. The TRACE request bounces back my cookies/credentials
5. The javascript thus has access to those credentials that it didn't know how to get at before
6. The malicious web server can then re-use these credentials in other attacks
It's an interesting attack vector. I like it. One more reason not to allow remote web servers to run code on your machine (be it ActiveX or Javascript). Not that I'll be turning off Javascript any time soon though - the web is often just too hard to use without it. *sigh*.
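A defender-side check for the behaviour described in the comment above, as an added example that is not part of the original post: it sends a TRACE request carrying a constructed canary value and reports whether the server reflects the Cookie and Authorization headers back in the response body. The canary value, the function names and the two local test handlers are assumptions made for this example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CANARY = "xst-audit-canary-0000"  # constructed marker, never a real credential

def trace_echoes_headers(host, port, timeout=5):
    """Send TRACE with canary credential headers; report which ones are echoed."""
    headers = {"Cookie": f"session={CANARY}", "Authorization": f"Basic {CANARY}"}
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers=headers)
        resp = conn.getresponse()
        lines = resp.read().decode("latin-1").lower().splitlines()
    finally:
        conn.close()
    # A header counts as echoed only if its own line comes back with the canary.
    echoed = [h for h in ("cookie", "authorization") if resp.status == 200
              and any(l.startswith(h + ":") and CANARY in l for l in lines)]
    return {"status": resp.status, "echoed": echoed, "vulnerable": bool(echoed)}

class EchoTrace(BaseHTTPRequestHandler):
    """Constructed test server: reflects the request, as TRACE is defined to do."""
    def do_TRACE(self):
        echo = f"{self.requestline}\r\n{self.headers}".encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)
    def log_message(self, *args):
        pass  # keep the demo output quiet

class NoTrace(EchoTrace):
    """Constructed test server with TRACE refused."""
    def do_TRACE(self):
        self.send_error(405, "Method Not Allowed")

def audit_local(handler):
    """Run the check against a throwaway server bound to 127.0.0.1."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return trace_echoes_headers("127.0.0.1", srv.server_port)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for name, handler in (("TRACE enabled", EchoTrace), ("TRACE refused", NoTrace)):
        print(name, audit_local(handler))
```

Point `trace_echoes_headers` at a host you operate to see whether TRACE is still answered there; a result with `vulnerable` set means the method should be disabled on that server.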