[ OWASP - Montreal ] [ OWASP - Montréal ] XSFR/CSFR testing difficulty level

Philippe Gamache philippe at gamache.com
Mon Dec 1 23:47:17 EST 2008


Benoit Guerette wrote:
> How do you flag this on a pen test report? It is a vulnerability,
> resulting in a denial of service, but with low impact.
>
> Any cross-site scripting vulnerability means PCI-DSS failed on a
> report, so for PCI it failed.
>
> But for other pen tests, do you mark it as low, and the business will
> decide if they fix it or not?
>
There is a way to block any connection using this... Example: display an
image from another site. This site will just have to rewrite the
response with a 401 error, redirecting to your login...