When you create an account, the user and password are sent by GET method. Maybe, would be better send credentials via a POST form to avoid shoulder-surfing.
I had my wp blog hacked a while back with a script it was nasty. So this looks pretty interesting. I'm surprised it wasn't Jaiku :) I wonder why Google did work that site like they should of. Well anyway Google does many things I don't understand :) Thanks for the op to learn appreciate it
I think the lab skipped over bookmarklet attacks. You don't even need to create the link. The home page field could be set to javascript:alert("a"). When I first played around with the web app, I wasn't sure what the home page was (before I configured my account), and I clicked on the only two there.
Also, by having the user expect a link, you can easily make up a phishing scheme (you could use a javascript redirect to replace the page in web history with your own site, which the pretends to be a warning that you are about to leave the site. then you send the user to some boring site, prompting the user to hit the back button. then, thanks to a cookie or remembering the ip address, your fake page asks the user to log in again.)
6 則留言 :
"it takes a hacker to catch a hacker,"
GREAT!!
Sure this should be titled "Defense against the Dark Arts" at Bugwarts University?
vint
When you create an account, the user and password are sent by GET method.
Maybe, would be better send credentials via a POST form to avoid shoulder-surfing.
I had my wp blog hacked a while back with a script it was nasty. So this looks pretty interesting. I'm surprised it wasn't Jaiku :) I wonder why Google did work that site like they should of. Well anyway Google does many things I don't understand :) Thanks for the op to learn appreciate it
I think the lab skipped over bookmarklet attacks. You don't even need to create the link. The home page field could be set to javascript:alert("a"). When I first played around with the web app, I wasn't sure what the home page was (before I configured my account), and I clicked on the only two there.
Also, by having the user expect a link, you can easily make up a phishing scheme (you could use a javascript redirect to replace the page in web history with your own site, which the pretends to be a warning that you are about to leave the site. then you send the user to some boring site, prompting the user to hit the back button. then, thanks to a cookie or remembering the ip address, your fake page asks the user to log in again.)
There are many people stealing information and pasword.
please keep them away from doing it.
Thanks
張貼留言