by bigiain
4729 days ago
I don't know if it's what Troy was implying, but JSON as a cookie payload along with the seemingly ubiquitous "parsing JSON using YAML and the YAML parser executing it as arbitrary code" vulnerability seems like it'd at least be worth attempting to attack there. (Probably not what Troy was thinking, since that'd result in server-side SQLi or arbitrary code execution problems, not client-side ones like XSS. Also, I think Troy is more a .Net/asp kind of guy, not a Ruby-ist - which might make that YAML parser issue in Ruby/Rails not something he's concerned about.)