by 7sidedmarble
938 days ago
> If you can inject javascript, it's game over anyway.

Yeah, but as you pointed out the one thing you can't do is get the cookie. Having the auth token yourself as the attacker is a way different story than just having XSS vulnerabilities. You can still "do" a lot, but you still have to get another user with the token you want to interact with the page with your XSS to "do" what you want.
|
You need to do this in both cases.