[ OWASP - Montréal ] XSRF/CSRF testing difficulty level

Sean Coates sean at caedmon.net
Fri Nov 28 13:39:53 EST 2008


> I know, but some very important actions (like delete) should always
> ask for a confirmation. Because with JS, you can still get the
> normal form within an iframe, get the token, and then do the attack.
>
> And now, with clickjacking, you can still bypass the confirmation.

Sorry, I still don't get it.
If the attacker is able to get the token via a browser bug (or cross
site scripting) that allows remote, trusted, data analysis ("get the
token"), then what's keeping them from using the same mechanism to
click the "I confirm" button?

S
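The exchange above turns on what a confirmation step actually buys you once a per-session CSRF token is in place, and on the fact that framing the form (with or without clickjacking) is the route by which the token or the confirm click gets stolen. The following is an added illustration written for this archive page, not code from either poster: a minimal delete handler that binds the token to the session, compares it in constant time, requires the confirmation field, and sends anti-framing headers so the form cannot be loaded in an iframe in the first place. The `request` dict shape, the `SESSIONS` store and the secret values are constructed stand-ins for whatever framework and session layer a real application uses.

```python
import hmac
import secrets

# Constructed in-memory session store (hypothetical; a real app uses its own session layer).
SESSIONS = {}  # session_id -> {"csrf": token}


def new_session():
    """Create a session and mint a CSRF token bound to it (synchronizer-token pattern)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds as a hidden field in the delete form for this session."""
    return SESSIONS[sid]["csrf"]


def session_cookie_header(sid):
    """Set-Cookie value: HttpOnly keeps script away from it, SameSite blocks most
    cross-site submissions outright (SameSite postdates this 2008 thread)."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def anti_framing_headers():
    """Refuse to be framed. This closes both cases raised in the thread: reading the
    token out of a framed copy of the form, and clickjacking the confirm button."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
        "Cache-Control": "no-store",
    }


def handle_delete(request):
    """Process a delete request.

    `request` is a constructed stand-in: {"method": str, "cookies": dict, "form": dict}.
    Returns (status, headers, body) so the decision is easy to inspect and test.
    """
    headers = anti_framing_headers()
    if request["method"] != "POST":
        # State-changing actions are POST-only; a GET triggered by an <img> must not delete.
        return 405, headers, "method not allowed"

    sid = request["cookies"].get("session")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, headers, "no session"

    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(submitted.encode("utf-8"), sess["csrf"].encode("utf-8")):
        return 403, headers, "bad or missing csrf token"

    # The confirmation is a UX safeguard against accidental clicks; it is not what
    # stops cross-site requests, which is the point made in the reply above.
    if request["form"].get("confirm") != "yes":
        return 400, headers, "confirmation required"

    return 200, headers, "deleted"


if __name__ == "__main__":
    sid = new_session()
    tok = csrf_token_for(sid)
    cookies = {"session": sid}
    print(handle_delete({"method": "POST", "cookies": cookies, "form": {"csrf_token": tok, "confirm": "yes"}}))
    # A cross-site form post carries the victim's cookie but cannot know the token:
    print(handle_delete({"method": "POST", "cookies": cookies, "form": {"confirm": "yes"}}))
```

The ordering matters: the token is checked before the confirmation field, so a request that lacks the token is rejected regardless of how many confirmation screens sit in front of the action. Whether the confirmation adds anything against an attacker who can already read the token is exactly the question Sean raises; the headers in `anti_framing_headers()` are what remove the iframe route by which that reading happens.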