by bsamuels 4292 days ago
idk why you're getting downvoted because it's a good question and people need to ask more security questions.

Any website I can inject malicious javascript into, I can steal your cookies from (assuming the httponly flag isn't set on the cookie).

If you were logged into one of these whois sites and they didn't have the httponly flag set on your auth cookie, an attacker could send you to a page on the site that contains malicious javascript that could phone home with your auth cookie, letting the attacker hijack your session.

You can defend your own websites from these kinds of attacks by setting up a Content Security Policy and using the 'httponly' flag on auth cookies.

http://en.wikipedia.org/wiki/Content_Security_Policy
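
An added example (not part of the original comment): a Python check over one response's headers for the two defenses named above, HttpOnly on the auth cookie and a Content Security Policy that restricts scripts. The cookie name `session` and the sample header values are constructed assumptions.

```python
# Added example. Header values are constructed samples; "session" is an assumed cookie name.

def cookie_attrs(set_cookie):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    return name, {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}

def csp_directives(policy):
    """Parse a Content-Security-Policy value into {directive: [source expressions]}."""
    out = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence is the one enforced.
            out.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return out

def audit(headers, auth_cookies):
    """headers: list of (name, value) pairs from one response. Returns a list of findings."""
    findings, policies = [], []
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, attrs = cookie_attrs(value)
            if name in auth_cookies and "httponly" not in attrs:
                findings.append(f"{name}: no HttpOnly, script can read it via document.cookie")
        elif key.lower() == "content-security-policy":
            policies.append(csp_directives(value))
    if not policies:
        findings.append("no Content-Security-Policy header")
    for directives in policies:
        # script-src falls back to default-src when absent.
        sources = directives.get("script-src", directives.get("default-src"))
        if sources is None:
            findings.append("CSP has no script-src or default-src, scripts unrestricted")
        elif "'unsafe-inline'" in sources and not any(
                s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources):
            # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
            findings.append("CSP script sources include 'unsafe-inline'")
    return findings

WEAK = [("Set-Cookie", "session=abc123; Path=/; Secure"),
        ("Set-Cookie", "theme=dark; Path=/")]
HARDENED = [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
            ("Content-Security-Policy", "default-src 'self'; script-src 'self'")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(hdrs, {"session"}))
```

Only cookies listed in `auth_cookies` are checked for HttpOnly, so a preference cookie such as `theme` does not produce a finding.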

1 comments

Another attack is to rewrite the webpage to show the official login screen for that site, and record their password when they enter it.