Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Apache Extended Server Side Includes? Haven't seen XSSI before. What's the I?

I agree, this is not the attack I think of when somebody mentions CSRF. Well, the solution at least isn't. I would be very suspicious of anyone who claimed to solve their CSRF holes by not using arrays.



Cross Site Script Inclusion. The article touches on a lot of things (including CSRF), but the HN title refers specifically to JSON (As well as the link's '#' fragment identifier), and therefore the last section, where it shows an attack site including unprotected JSON through the <script> tag, and unless I'm seriously mistaken, this is the definition of XSSI.


Yes, this is XSSI and the exploit comes in because a JSON array is essentially treated as "executable" code in some JS implementations.

Here are a couple of resources that go a litle more into XSSI:

Google tech talk: http://www.youtube.com/watch?v=jC6Q1uCnbMo&feature=playe...

Gruyere codelab: http://google-gruyere.appspot.com/part3#3__cross_site_script...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: