[ OWASP - Montréal ] XSFR/CSFR testing difficulty level
sean at caedmon.net
Fri Nov 28 13:39:53 EST 2008
> I know, but some very important actions (like delete) should always
> ask for a confirmation. Because with JS, you can still get the
> normal form within an iframe, and get the token, then do the attack.
> And now, with clickjacking, you can still bypass the confirmation.
Sorry, I still don't get it.
If the attacker is able to get the token via a browser bug (or cross
site scripting) that allows remote, trusted, data analysis ("get the
token"), then what's keeping them from using the same mechanism to
click the "I confirm" button?