Web Application Security
Re: IE11 is not following CORS specification for local files
Oct 07 2016 08:09PM
Ricardo Iramar dos Santos (riramar gmail com)
Same attack using XSS as vector.
Imagine that https://xss-doc.appspot.com is a site about gift cards.
The XSS payload below will create a giftcard.htm file in the default
If the victim opens the file, a GET to
https://mail.google.com/mail/u/0/#inbox will be submitted.
After the GET th...
Copyright 2010, SecurityFocus