From Glen Mazza <gma...@talend.com>
Subject Re: XSS flaw in Available SOAP services page
Date Thu, 24 Feb 2011 17:46:59 GMT
But giving somebody a fraudulent link is not cross-site scripting, and 
browser certificate checks would catch that anyway.

Only the service provider has control over the contents of the 
https://www.mybank.com/services/BankingService?wsdl page; Bad Guy has no 
opportunities to enter in data that could alter that page, so I don't 
see where the XSS concern is.

Glen

On 2/24/2011 12:20 PM, Rhenius, Karl Stefan wrote:
>> But how could Bad Guy inject that on the Available SOAP
>> services page?
>> AFAIK cross-site scripting is only a problem when you allow
>> user entry
>> of fields that are reproduced as-is on HTML pages.
> He can give you a link that misuses a trustworthy domain to show his
> content
>
> Karl
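The disagreement above is about reflected XSS: the attacker does not change the server's stored content, but a link on a trusted domain can carry a value that the page echoes back verbatim, so the victim's browser renders the attacker's markup under the bank's origin. The following is an added example, not code from this thread or from CXF. It assumes a hypothetical page that reflects a query-string parameter named `name` (a constructed template, not the real services page) and shows the unescaped form beside the escaped fix, plus a simple check a defender can run to see whether a given link's query comes back unescaped.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page template: a server-side generator that reflects the value
# of a query parameter into HTML. The parameter name "name" and the markup
# are assumptions made for this example; they are not taken from CXF.

def render_unsafe(query: str) -> str:
    """Reflects the 'name' parameter as-is: whatever the link carries
    lands in the page unchanged (the reflected-XSS pattern)."""
    params = parse_qs(query)
    name = params.get("name", [""])[0]
    return f"<html><body><h1>Service: {name}</h1></body></html>"


def render_escaped(query: str) -> str:
    """Same page, but the reflected value is HTML-escaped on output,
    so markup in the link is shown as text rather than interpreted."""
    params = parse_qs(query)
    name = html.escape(params.get("name", [""])[0], quote=True)
    return f"<html><body><h1>Service: {name}</h1></body></html>"


def reflects_markup(render, url: str) -> bool:
    """Defender-side check: render the page for the link's query string and
    report whether any query value containing angle brackets appears in the
    output verbatim. True means the page echoes link-borne markup unescaped."""
    query = urlsplit(url).query
    page = render(query)
    for values in parse_qs(query).values():
        for value in values:
            if ("<" in value or ">" in value) and value in page:
                return True
    return False


if __name__ == "__main__":
    # Constructed link: the domain is the one used in the thread; the extra
    # parameter is an assumption for the demonstration.
    link = ("https://www.mybank.com/services/BankingService"
            "?wsdl&name=%3Cb%3Einjected%3C/b%3E")
    print("unsafe page reflects markup:", reflects_markup(render_unsafe, link))
    print("escaped page reflects markup:", reflects_markup(render_escaped, link))
```

`parse_qs` percent-decodes the query, which is exactly what a servlet container does before handing the value to page code; the fix is the `html.escape` call at the point of output, not any filtering of the link itself, since the victim's browser follows the link before the server sees it.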