[WEB SECURITY] RE: XSS-Phishing on Financial Sites (Tip of the iceberg)

Gervase Markham gerv at gerv.net
Mon Jun 26 13:25:07 EDT 2006


Brian Eaton wrote:
> The other use case is for sites that are just plain broken, where end
> users are not supposed to be able to publish any HTML tags.  Site keys
> and content restrictions are massive overkill for a site like that.

Well, not necessarily. Imagine if site authoring tools and CMSes
acquired content restrictions support. They could label all pages with
an appropriate header without the author needing to do anything.

> So the proposal I wrote up was trying to be a solution for
> administrators of sites, who think there might be XSS or CSRF
> somewhere, but don't have the time/money/skills/access to find and fix
> all of the places where XSS and CSRF exist on their site.  They could
> design a CSL policy to limit their exposure.

I'm not sure you can legislate against laziness... :-)

Gerv
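Added example (editor's code, not from Gerv, Brian or the original thread): what "the CMS labels every page with an appropriate header without the author needing to do anything" looks like as a server-side middleware, plus a small checker that shows what such a policy does to an injected script. The "content restrictions" proposal discussed in 2006 never shipped under that name; the example assumes the Content-Security-Policy header that browsers later standardised as its descendant. All names here (POLICY, add_policy_header, script_allowed, demo_app, bank.example, evil.example) are invented for illustration, and the evaluator is deliberately simplified (no ports, paths, nonces or hashes).

```python
from urllib.parse import urlsplit

# Assumed policy a CMS would stamp on every page: scripts only from the page's
# own origin, no inline <script> blocks, no plugins.  Editor's choice, not the
# thread's.
POLICY = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def add_policy_header(app, policy=POLICY):
    """Wrap a WSGI app so every text/html response carries the policy header.

    Page authors never touch it: the hosting layer adds it, which is the point
    Gerv makes about authoring tools and CMSes doing the labelling.
    """
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            names = [k.lower() for k, _ in headers]
            is_html = any(k.lower() == "content-type" and v.lower().startswith("text/html")
                          for k, v in headers)
            # Do not clobber a policy the application set itself.
            if is_html and "content-security-policy" not in names:
                headers = list(headers) + [("Content-Security-Policy", policy)]
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped


def parse_policy(policy):
    """Parse 'name src src; name src' into {name: [src, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_allowed(policy, page_url, script_src=None):
    """Simplified CSP check: would this page's policy let the script run?

    script_src=None means an inline <script> block, i.e. the classic stored-XSS
    payload.  Handles 'self', 'none', 'unsafe-inline', '*' and scheme://host
    sources (with a leading *. wildcard); ports, paths, nonces and hashes are
    out of scope for this illustration.
    """
    directives = parse_policy(policy)
    if "script-src" in directives:
        sources = directives["script-src"]
    elif "default-src" in directives:
        sources = directives["default-src"]
    else:
        return True  # no applicable directive: the browser imposes no restriction
    if not sources or "'none'" in sources:
        return False
    if script_src is None:
        return "'unsafe-inline'" in sources
    page, script = urlsplit(page_url), urlsplit(script_src)
    for src in sources:
        if src == "'self'":
            if (script.scheme, script.netloc) == (page.scheme, page.netloc):
                return True
        elif src == "*":
            return True
        elif not src.startswith("'"):
            scheme, sep, host = src.partition("://")
            if not sep:
                scheme, host = page.scheme, src  # host-only source inherits page scheme
            host = host.lower()
            if scheme != script.scheme:
                continue
            if host.startswith("*.") and script.hostname.endswith(host[1:]):
                return True
            if script.hostname == host:
                return True
    return False


def demo_app(environ, start_response):
    """Constructed CMS page: user text plus a script the site never meant to serve."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<p>hello</p><script>alert(document.cookie)</script>"]


def render(app, path="/"):
    """Drive a WSGI app offline and return (status, headers dict, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    status, headers, body = render(add_policy_header(demo_app))
    print(headers["Content-Security-Policy"])
    print("inline script allowed:", script_allowed(POLICY, "https://bank.example/acct"))
    print("own-origin script allowed:",
          script_allowed(POLICY, "https://bank.example/acct", "https://bank.example/app.js"))
```

The injected script is still in the body the middleware sends (this is Brian's "limit exposure" case, not a fix for the injection), but a browser honouring the header refuses to execute it. Note the caveat the checker makes visible: a policy that carries 'unsafe-inline', which many CMSes need for legacy templates, gives the injected block a pass, so the header only buys protection where the site's own pages can live without inline scripts.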

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]