[ OWASP - Montréal ] XSFR/CSFR testing difficulty level

Sean Coates sean at caedmon.net
Fri Nov 28 13:39:53 EST 2008

> I know, but some very important actions (like delete) should always
> ask for a confirmation. Because with JS, you can still get the
> normal form within an iframe, and get the token, then do the attack.
> And now, with clickjacking, you still can bypass the confirmation.

Sorry, I still don't get it.
If the attacker is able to get the token via a browser bug (or cross-site
scripting) that allows remote, trusted data analysis ("get the token"),
then what's keeping them from using the same mechanism to click the
"I confirm" button?

