[Owasp-board] SpoC 007 payments

Jeff Williams jeff.williams at owasp.org
Wed Jul 11 01:47:20 UTC 2007

Unfortunately, I don't see how this can stop either CSRF or XSS.  This is an
authentication and integrity solution.


For it to work, the plugin must sign requests generated by IMG and IFRAME
tags - so they would be accepted by the server as properly signed requests
even if they came from malicious tags. Therefore CSRF is unaffected.  As for
XSS, the plugin doesn't restrict any posting, just signs it. So an XSS
attack would work just fine. Note that even XHR generated requests would
have to be signed in order for Ajax-based sites to work, so XSS payloads
should work fine.
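The argument above can be checked with a toy model. The Python below is an added example, not code from this thread or from the EnigForm project: it stands in for the plugin's OpenPGP request signing with an HMAC over method, path and body under a key both the browser plugin and the server hold, and the bank site, paths, amounts and per-session CSRF token are constructed values. It shows that a forged request from an attacker's IMG tag and an XHR issued by injected script both carry a valid signature, that only an origin-bound CSRF token stops the IMG case, that nothing here stops the XSS case, and that the signature does catch what it was designed for, a request altered in transit.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed values for the model. The real plugin would use an OpenPGP
# signature; an HMAC under a shared key plays the same role here.
USER_KEY = b"constructed-user-signing-key"
SESSION_CSRF_TOKEN = "c0nstructed-per-session-token"


def canonical(method: str, path: str, body: str) -> bytes:
    """What gets signed: method, path and body. Nothing about which page
    caused the browser to make the request is part of the signed data."""
    return f"{method} {path}\n{body}".encode()


class SigningPlugin:
    """Models a browser plugin that signs every outbound request with the
    user's key. It cannot tell a form submit from an <img src> fetch or an
    XHR issued by injected script, so it signs all of them alike."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, method: str, path: str, params: dict) -> dict:
        body = urlencode(params)
        sig = hmac.new(self.key, canonical(method, path, body), hashlib.sha256).hexdigest()
        return {"method": method, "path": path, "body": body, "sig": sig}


class BankServer:
    """Accepts a transfer when the request signature verifies; optionally
    also demands the per-session CSRF token (constructed here)."""

    def __init__(self, key: bytes, csrf_token: str):
        self.key = key
        self.csrf_token = csrf_token

    def signature_ok(self, req: dict) -> bool:
        expected = hmac.new(
            self.key, canonical(req["method"], req["path"], req["body"]), hashlib.sha256
        ).hexdigest()
        return hmac.compare_digest(expected, req["sig"])

    def transfer(self, req: dict, require_csrf_token: bool = False) -> str:
        if not self.signature_ok(req):
            return "rejected: bad signature"
        params = dict(parse_qsl(req["body"]))
        if require_csrf_token and not hmac.compare_digest(
            params.get("csrf_token", ""), self.csrf_token
        ):
            return "rejected: missing or wrong CSRF token"
        return f"ok: sent {params['amount']} to {params['to']}"


def legitimate_form_submit(plugin: SigningPlugin) -> dict:
    # The bank's own page embeds the per-session token in its form.
    return plugin.send("POST", "/transfer",
                       {"to": "alice", "amount": "10", "csrf_token": SESSION_CSRF_TOKEN})


def csrf_via_img_tag(plugin: SigningPlugin) -> dict:
    # attacker.example (hypothetical) serves
    #   <img src="https://bank.example/transfer?to=mallory&amount=1000">
    # The victim's browser fetches it and the plugin signs it like any other
    # request. The attacker cannot read the victim's token cross-origin, so
    # the URL carries none.
    return plugin.send("GET", "/transfer", {"to": "mallory", "amount": "1000"})


def xss_via_xhr(plugin: SigningPlugin, stolen_token: str) -> dict:
    # Script injected into bank.example's own page runs same-origin: it reads
    # the token out of the DOM and issues an XHR, which the plugin also signs.
    return plugin.send("POST", "/transfer",
                       {"to": "mallory", "amount": "1000", "csrf_token": stolen_token})


def tampered_in_transit(plugin: SigningPlugin) -> dict:
    # What request signing is actually for: a proxy rewrites the amount after
    # the plugin signed the request, so the signature no longer matches.
    req = legitimate_form_submit(plugin)
    req["body"] = req["body"].replace("amount=10", "amount=9999")
    return req


def run_scenarios() -> dict:
    plugin = SigningPlugin(USER_KEY)
    bank = BankServer(USER_KEY, SESSION_CSRF_TOKEN)
    return {
        "csrf_signed_only": bank.transfer(csrf_via_img_tag(plugin)),
        "csrf_with_token": bank.transfer(csrf_via_img_tag(plugin), require_csrf_token=True),
        "legit_with_token": bank.transfer(legitimate_form_submit(plugin), require_csrf_token=True),
        "xss_with_token": bank.transfer(xss_via_xhr(plugin, SESSION_CSRF_TOKEN), require_csrf_token=True),
        "tampered": bank.transfer(tampered_in_transit(plugin)),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18} {outcome}")
```

The signed-only bank happily executes the IMG-tag transfer, because the signature proves who the browser belongs to and that the bytes were not altered, not that the user meant to send the request. Only the token, which the attacker's origin cannot read, rejects that case, and the XSS case passes even with the token because injected script is same-origin and can read it.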




From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dave Wichers
Sent: Tuesday, July 10, 2007 8:50 PM
To: 'Dinis Cruz'; 'OWASP Board'
Cc: 'Paulo Coimbra'
Subject: Re: [Owasp-board] SpoC 007 payments


Ask Paulo to collect the paypal addresses for each SpoC participant and the
person's e-mail address and country they work in and send that all to me. I
then have to directly collect additional information from anyone who is in
the U.S.




p.s. By the way, would this feature prevent CSRF attacks? What about XSS?



From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dinis Cruz
Sent: Friday, July 06, 2007 6:09 AM
To: OWASP Board
Cc: Paulo Coimbra
Subject: [Owasp-board] SpoC 007 payments



What is your preferred workflow for the SpoC payments?

Paulo Coimbra is now on the case, so let him know what should be done, how
and when.

To test this system, let's try with the 1st 50% payment for the guy working
on the EnigForm:

Dinis Cruz
Chief OWASP Evangelist
