[Twisted-web] Preventing XSS when using Nevow's vhost functionality
David Reid
dreid at dreid.org
Thu Oct 20 13:39:37 MDT 2005
Attached is a proof of concept which points out the highly specific configuration (erroneous configuration) that would cause such an attack to work.

As you'll see http://localhost:8080/vhost/http/goody.com/vhost/http/evil.net/ actually serves the EvilPage instance.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vhost-vuln.tac
Type: application/octet-stream
Size: 1529 bytes
Desc: not available
Url : http://twistedmatrix.com/pipermail/twisted-web/attachments/20051020/471ca419/vhost-vuln.obj
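A small model of the nested-prefix behaviour the PoC URL exercises, added here as an example that is not part of the original post and not Nevow's or Twisted's code: the insecure dispatcher stands in for the erroneous configuration (the vhost rewriter reachable again under each virtual host's root), while the hardened one honours at most one prefix. The SITES map, page names and dispatch functions are constructed for the example.

```python
# Minimal model of path-based virtual hosting using a /vhost/<scheme>/<host>/
# prefix, as in the PoC URL. Constructed example, not Nevow's implementation.

# Constructed site map: the root page served by each virtual host.
SITES = {
    "goody.com": "GoodyPage",
    "evil.net": "EvilPage",
}


def split_vhost_prefix(path):
    """If path starts with /vhost/<scheme>/<host>/, return (host, rest).
    Otherwise return (None, path) unchanged."""
    parts = path.strip("/").split("/")
    if len(parts) >= 3 and parts[0] == "vhost" and parts[1] in ("http", "https"):
        return parts[2], "/" + "/".join(parts[3:])
    return None, path


def dispatch_insecure(host, path):
    """Erroneous configuration: the rewriter is reachable under every host
    root, so each further /vhost/ prefix re-enters it and overrides the host
    chosen by the previous prefix."""
    while True:
        new_host, path = split_vhost_prefix(path)
        if new_host is None:
            break
        host = new_host
    if path.strip("/") != "":
        return "NotFound"
    return SITES.get(host, "NotFound")


def dispatch_hardened(host, path):
    """Rewriter mounted once at the top level: after a single rewrite the rest
    of the path is served by the selected host's own tree, where a second
    /vhost/ segment is just an unknown path and never switches hosts."""
    new_host, rest = split_vhost_prefix(path)
    if new_host is not None:
        host, path = new_host, rest
    if path.strip("/") != "":
        return "NotFound"
    return SITES.get(host, "NotFound")
```

Run both dispatchers on the path from the post to see the insecure one land on EvilPage while the hardened one returns NotFound for goody.com.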