“If an HTTPS page contains both a secret part (like an anti-XSS token) and an attacker-controlled part, that’s possibly enough for the attack to succeed.”
Worth repeating, though I would have called it a CSRF token. This can probably be tuned up to blow open any webmail client for instance. Send a GET to the composition page with “&subject=abcdef”. Then increment. Once you have their token, spam away…
This attack won’t even require TLS compression. Regular HTTP compression is enough, since the token and the attacker supplied value both live in the body.