[Twisted-web] Preventing XSS when using Nevow's vhost functionality

David Reid dreid at dreid.org
Thu Oct 20 13:39:37 MDT 2005


Attached is a proof of concept which points out the highly specific configuration (erroneous configuration) that would cause such an attack to work.

As you'll see http://localhost:8080/vhost/http/goody.com/vhost/http/evil.net/ actually serves the EvilPage instance.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: vhost-vuln.tac
Type: application/octet-stream
Size: 1529 bytes
Desc: not available
Url : http://twistedmatrix.com/pipermail/twisted-web/attachments/20051020/471ca419/vhost-vuln.obj
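The misconfiguration described in the message, modelled as an added example (constructed here, not the scrubbed vhost-vuln.tac attachment and not Nevow's own vhost resource): a path-prefix virtual-host dispatcher consumes `/vhost/<scheme>/<host>/` from the front of the request path and rewrites the request's host. If the site tree reachable from the rewritten root still exposes the same dispatcher, the remainder may start with a second `/vhost/...` prefix and the inner host wins, which is why the nested URL above ends up at the EvilPage instance. The `Request` class, the `PAGES` map and the resolver functions are all assumptions of this toy model; the hardened resolver honours at most one vhost prefix per request.

```python
"""Toy model of a /vhost/<scheme>/<host>/ prefix dispatcher.

Constructed example: the Request class, PAGES map and resolver functions
are assumptions of this model, not Nevow APIs.
"""
from dataclasses import dataclass
from typing import Callable, Optional

VHOST_PREFIX = "vhost"

# Constructed site map: which page instance each virtual host serves.
PAGES = {"goody.com": "GoodyPage", "evil.net": "EvilPage"}


@dataclass
class Request:
    path: str
    scheme: str = "http"
    host: str = "localhost:8080"
    vhost_depth: int = 0  # number of vhost prefixes consumed so far


def consume_vhost_prefix(req: Request) -> Optional[Request]:
    """Strip one leading /vhost/<scheme>/<host>/ segment group.

    Returns the rewritten request, or None when the path carries no prefix.
    """
    parts = req.path.strip("/").split("/")
    if len(parts) < 3 or parts[0] != VHOST_PREFIX:
        return None
    scheme, host = parts[1], parts[2]
    rest = "/" + "/".join(parts[3:])
    return Request(path=rest, scheme=scheme, host=host,
                   vhost_depth=req.vhost_depth + 1)


def resolve_naive(req: Request) -> Request:
    """Erroneous configuration: the dispatcher is reachable again from the
    rewritten root, so nested prefixes are honoured and the innermost host
    overrides the outer one."""
    while True:
        nxt = consume_vhost_prefix(req)
        if nxt is None:
            return req
        req = nxt


def resolve_hardened(req: Request) -> Request:
    """Honour at most one vhost prefix per request; refuse a nested one
    (a real server would answer 400/404 instead of raising)."""
    nxt = consume_vhost_prefix(req)
    if nxt is None:
        return req
    if consume_vhost_prefix(nxt) is not None:
        raise ValueError("nested vhost prefix refused: %s" % req.path)
    return nxt


def served_page(req: Request, resolver: Callable[[Request], Request]) -> str:
    """Name of the page instance the resolved host maps to."""
    return PAGES.get(resolver(req).host, "NotFound")


if __name__ == "__main__":
    nested = Request("/vhost/http/goody.com/vhost/http/evil.net/")
    print("naive   :", served_page(nested, resolve_naive))   # EvilPage
    try:
        print("hardened:", served_page(nested, resolve_hardened))
    except ValueError as exc:
        print("hardened:", exc)
```

The naive resolver is only a problem when the dispatcher sits inside the tree it rewrites into; the check in `resolve_hardened` is the minimal guard, and keeping the vhost resource out of the rewritten root entirely (the configuration the message calls correct) removes the loop altogether.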

