problem with cross site scripting

Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: problem with cross site scripting

Post by Thrawn »

This shouldn't make any difference, but try:

Code:

Site .mortgagequestions.com
Accept from .mortgagequestions.com .mortgagequestions.com .mortgagequestions.com
Anon GET
Deny
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0
planet222
Junior Member
Posts: 22
Joined: Mon Feb 17, 2014 5:36 pm

Re: problem with cross site scripting

Post by planet222 »

Thrawn,
I was possibly editing my last post, now on page 1, when you posted. I saw another URL in the log and tried something else, but it didn't work.

What will entering the URL 3 times do?

planet222
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
barbaz
Senior Member
Posts: 11127
Joined: Sat Aug 03, 2013 5:45 pm

Re: problem with cross site scripting

Post by barbaz »

Oh, the key part of the message got lost in your previous post. You need this rule:

Code:

Site .mortgagequestions.com
Accept from .mortgagequestions.com ^https://(?:[^/:]+\.)?keybankmortgage\.com[^0-9A-Za-z_\.%-]
Anon GET
Deny
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:27.0) Gecko/20100101 Firefox/27.0 SeaMonkey/2.24
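To make the effect of barbaz's four-line ruleset concrete, here is an added Python model of it (written for this thread; it is not NoScript's own ABE engine, only a simulation of its first-match evaluation). It assumes the usual ABE conventions: a dotted site pattern like `.mortgagequestions.com` matches the domain and its subdomains, a `^`-anchored token in a `from` clause is a regex on the full origin URL, and a request that no rule matches passes through. The sample origins (`attacker.example` and friends) are constructed.

```python
"""Toy model of the NoScript ABE ruleset discussed in this thread.

Added example: this is NOT NoScript's ABE engine, only a small simulation of
its first-match rule evaluation, so the effect of each line can be seen on
sample requests aimed at the protected site.
"""
import re
from urllib.parse import urlsplit

# The ruleset barbaz posted, copied verbatim from the thread.
RULESET = r"""
Site .mortgagequestions.com
Accept from .mortgagequestions.com ^https://(?:[^/:]+\.)?keybankmortgage\.com[^0-9A-Za-z_\.%-]
Anon GET
Deny
"""


def host_matches(pattern, url):
    """Site-pattern match on the URL's host.

    Assumed ABE convention: a leading dot ('.example.com') matches the domain
    itself and any subdomain; without the dot only the exact host matches.
    Matching the parsed host (not a suffix of the raw URL string) is what keeps
    'mortgagequestions.com.attacker.example' from qualifying.
    """
    host = (urlsplit(url).hostname or "").lower()
    if pattern.startswith("."):
        base = pattern[1:].lower()
        return host == base or host.endswith("." + base)
    return host == pattern.lower()


def origin_matches(token, origin_url):
    """A 'from' token is a site pattern or a ^-anchored regex on the origin URL."""
    if token.startswith("^"):
        return re.match(token, origin_url) is not None
    return host_matches(token, origin_url)


def parse_rules(text):
    """Parse 'Site' blocks into (site_pattern, action, methods, origins) tuples.

    An empty method set means 'any method'; an empty origin list, 'any origin'.
    """
    rules, site = [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "Site":
            site = words[1]
            continue
        action, rest = words[0].upper(), words[1:]
        if "from" in rest:
            cut = rest.index("from")
            methods, origins = set(rest[:cut]), rest[cut + 1:]
        else:
            methods, origins = set(rest), []
        rules.append((site, action, methods, origins))
    return rules


def evaluate(rules, origin, destination, method):
    """Return ACCEPT, ANON or DENY for one request: the first matching rule wins.

    Rules only apply when the destination matches the 'Site' pattern; requests
    to any other site pass through (the default when nothing matches).
    """
    for site, action, methods, origins in rules:
        if not host_matches(site, destination):
            continue
        if methods and method.upper() not in methods:
            continue
        if origins and not any(origin_matches(t, origin) for t in origins):
            continue
        return action
    return "ACCEPT"


# Constructed sample requests; attacker.example stands in for a "trap" site.
SAMPLES = [
    ("same-site POST (login form)",
     "https://www.mortgagequestions.com/login", "https://www.mortgagequestions.com/session", "POST"),
    ("SSO partner over https",
     "https://www.keybankmortgage.com/portal", "https://www.mortgagequestions.com/sso", "POST"),
    ("trap site, plain link/GET (sent without cookies)",
     "https://attacker.example/trap", "https://www.mortgagequestions.com/account", "GET"),
    ("trap site, forged POST (CSRF)",
     "https://attacker.example/trap", "https://www.mortgagequestions.com/transfer", "POST"),
    ("partner name but over http (regex requires https)",
     "http://www.keybankmortgage.com/portal", "https://www.mortgagequestions.com/sso", "POST"),
    ("lookalike host: partner domain as a prefix of another",
     "https://keybankmortgage.com.attacker.example/", "https://www.mortgagequestions.com/sso", "POST"),
]


def run_samples(ruleset_text=RULESET):
    """Evaluate every sample request; returns {label: verdict}."""
    rules = parse_rules(ruleset_text)
    return {label: evaluate(rules, o, d, m) for label, o, d, m in SAMPLES}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{verdict:6}  {label}")
```

Running the file prints one verdict per sample: the two legitimate origins are accepted, a cross-site GET from the trap is let through only anonymized (no cookies, so it cannot act as the logged-in user), and the forged POST, the plain-http partner URL and the lookalike host all hit the final `Deny`. The trailing `[^0-9A-Za-z_\.%-]` in barbaz's regex is what stops the lookalike: after `keybankmortgage.com` it insists on a separator such as `/` or `:`, not another hostname character.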
planet222
Junior Member
Posts: 22
Joined: Mon Feb 17, 2014 5:36 pm

Re: problem with cross site scripting

Post by planet222 »

barbaz,
That seemed to do the trick. Thank you.
Now what exactly does this code in ABE protect me from?

regards, planet222
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: problem with cross site scripting

Post by Thrawn »

All cross-site requests. So, it won't be possible for someone to set up a trap site that will XSS the mortgage site when you visit the trap. CSRF will be blocked too.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0
planet222
Junior Member
Posts: 22
Joined: Mon Feb 17, 2014 5:36 pm

Re: problem with cross site scripting

Post by planet222 »

Thank you both for your assistance. I feel much more secure now. Just so I understand the sequence of this occurrence: when I visited the site and NoScript flagged the XSS and wouldn't allow me to log in, NoScript was identifying the XSS vulnerability in the site's code (correct?). Then, in order to access the site, I needed to create the exemption on the XSS exemption tab. Finally, in order to secure my browser against attack, I needed the codes in ABE.

Now, if someone set up a trap, would the site still function for my Firefox browser but NoScript sandbox my interaction from harm?
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: problem with cross site scripting

Post by Thrawn »

planet222 wrote: When I visited the site and NoScript flagged the XSS and wouldn't allow me to log in, NoScript was identifying the XSS vulnerability in the site's code (correct?). Then, in order to access the site, I needed to create the exemption on the XSS exemption tab. Finally, in order to secure my browser against attack, I needed the codes in ABE.

Yes.

planet222 wrote: Now, if someone set up a trap, would the site still function for my Firefox browser but NoScript sandbox my interaction from harm?

Pretty much, yes. The mortgagequestions site can keep sending requests to itself, no problems, but other sites are forbidden to do so.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0