On Oct 6, 2006, at 1:04 PM, suppressed wrote:
> 1) Joe Bloggs logs into my website and has an active session.
> 2) Clicks on a link (either from an email or from content posted on my site) to http://www.malicious-site.com/index.html
> 3) That index page contains an <img src="/logo.gif" /> tag
> 4) Instead of serving the image, the server at www.malicious-site.com issues a 302 HTTP Status code which redirects Joe Bloggs to http://my.website.com/change_password?new_password=abcde
Can't a lot of this be locked down with HTTP referrers? I know they can be spoofed, but that's a manual action. I've yet to hear of a browser that can spoof headers via JavaScript. You'd have to compromise the browser, not insert malicious JS or images into a page.
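The redirect trick quoted above only ever produces a GET, and the reply proposes a referrer check. The following is an added example, not code from either poster, of a server-side gate for a state-changing endpoint such as change_password that layers those two ideas with a per-session token. The function check_state_change, the request dicts, the token value and the helper same_origin are all hypothetical and constructed for this illustration; the origin http://my.website.com and the redirect URL come from the thread.

```python
import hmac
from urllib.parse import urlsplit

# The application's own origin, taken from the scenario in the thread.
SITE_ORIGIN = "http://my.website.com"


def same_origin(url):
    """True if url (an Origin or Referer header value) belongs to SITE_ORIGIN."""
    if not url:
        return False
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def check_state_change(request, session_token):
    """Decide whether a state-changing request (e.g. change_password) may run.

    request: dict with 'method', 'headers' (dict) and 'params' (dict).
    session_token: the CSRF token stored in the user's server-side session.
    Returns (allowed, reason).
    """
    # A 302 redirect or an <img> load can only produce a GET, so refusing GET
    # for state changes defeats the exact sequence described in the thread.
    if request["method"].upper() != "POST":
        return False, "state change must be POST, not " + request["method"]

    headers = {k.lower(): v for k, v in request["headers"].items()}
    # Browsers send Origin on cross-site POSTs; fall back to Referer, which is
    # the header the reply above proposes checking.
    source = headers.get("origin") or headers.get("referer")
    if not same_origin(source):
        return False, "request did not originate from " + SITE_ORIGIN

    # Referer can be stripped by proxies or privacy settings, so a per-session
    # token that an off-site page cannot read is the primary control.
    supplied = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, session_token):
        return False, "missing or wrong CSRF token"

    return True, "ok"


# Constructed sample requests (not captured traffic).
SESSION_TOKEN = "8f3c2e0b-demo-token"

REDIRECT_GET = {  # what the 302 from www.malicious-site.com produces
    "method": "GET",
    "headers": {"Referer": "http://www.malicious-site.com/index.html"},
    "params": {"new_password": "abcde"},
}
CROSS_SITE_POST = {  # a POST whose Origin is the other site
    "method": "POST",
    "headers": {"Origin": "http://www.malicious-site.com"},
    "params": {"new_password": "abcde", "csrf_token": "guess"},
}
SAME_SITE_NO_TOKEN = {  # same-origin referrer but no token supplied
    "method": "POST",
    "headers": {"Referer": "http://my.website.com/account"},
    "params": {"new_password": "abcde"},
}
LEGIT_POST = {  # the site's own change-password form
    "method": "POST",
    "headers": {"Referer": "http://my.website.com/account",
                "Origin": "http://my.website.com"},
    "params": {"new_password": "abcde", "csrf_token": SESSION_TOKEN},
}

if __name__ == "__main__":
    samples = [("redirect GET", REDIRECT_GET), ("cross-site POST", CROSS_SITE_POST),
               ("same-site, no token", SAME_SITE_NO_TOKEN), ("legit POST", LEGIT_POST)]
    for name, req in samples:
        print(f"{name:20s} -> {check_state_change(req, SESSION_TOKEN)}")
```

Only the last sample passes: the first is rejected on method alone, the second on its Origin, and the third shows why the referrer check is not sufficient by itself once the header is absent or same-origin but the token is missing.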