cxf-users mailing list archives

From Glen Mazza <>
Subject Re: XSS flaw in Available SOAP services page
Date Thu, 24 Feb 2011 17:46:59 GMT
But giving somebody a fraudulent link is not cross-site scripting, and 
browser certificate checks would catch that anyway.

Only the service provider has control over the contents of the page; Bad Guy has no 
opportunities to enter in data that could alter that page, so I don't 
see where the XSS concern is.


On 2/24/2011 12:20 PM, Rhenius, Karl Stefan wrote:
>> But how could Bad Guy inject that on the Available SOAP
>> services page?
>> AFAIK cross-site scripting is only a problem when you allow
>> user entry
>> of fields that are reproduced as-is on HTML pages.
> He can give you a link that misuses a trustworthy domain to show his
> content
> Karl
