#45: Don't use gensym for actions to avoid XSS attacks
-----------------------+----------------------------------------------------
 Reporter:  anonymous  |      Owner:  sakhmechet
     Type:  defect     |     Status:  new
 Priority:  critical   |  Milestone:
Component:  weblocks   |    Version:
 Keywords:  security   |
-----------------------+----------------------------------------------------
gensym-based action URLs can be guessed and thus the following attack is possible:
A user has his weblocks-based bank system open. In Gmail, the user gets a link to a web page that will generate lots of guessed action URLs that transfer funds out of the user's bank account.
Ways to fix:
1. Require session id in URLs
2. Or, generate stronger non-gensym based action ids
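The following is an added illustration, not weblocks code: a language-neutral model in Python of the attack above and of both proposed fixes. The `App` class, its `action` and `sid` URL parameters and the account balance are hypothetical stand-ins for the framework's real action table and session handling. It models the browser attaching the session cookie to every request, including requests fired by the attacker's page, so only the action id (and, with fix 1, the session id in the URL) stands between the attacker and the transfer.

```python
"""Toy model of the attack in this ticket and of both proposed fixes.

Added illustration, not weblocks code: the App class, its URL parameters
("action", "sid") and the account balance are hypothetical stand-ins for
the framework's real action table and session handling.
"""
import itertools
import secrets


def gensym_style_ids(prefix="ACTION"):
    """Sequential ids in the style of a gensym counter: ACTION1, ACTION2, ...
    An attacker who knows the scheme can simply enumerate them."""
    for n in itertools.count(1):
        yield f"{prefix}{n}"


def random_ids():
    """192-bit ids from the OS CSPRNG; not enumerable in practice."""
    while True:
        yield secrets.token_urlsafe(24)


class App:
    """Hypothetical server: sessions are identified by a cookie, actions by a URL parameter."""

    def __init__(self, id_source, require_sid=False):
        self._ids = id_source
        self._require_sid = require_sid     # fix 1: session id must also appear in the URL
        self._actions = {}                  # session id -> {action id: callable}
        self.balances = {}                  # session id -> account balance (constructed state)

    def new_session(self):
        sid = secrets.token_urlsafe(24)
        self.balances[sid] = 1000
        self._actions[sid] = {}
        return sid

    def make_action(self, sid, fn):
        """Register fn for this session and return the id to embed in the page's link."""
        aid = next(self._ids)
        self._actions[sid][aid] = fn
        return aid

    def handle_request(self, cookie_sid, params):
        """The browser attaches the session cookie to every request, including
        ones triggered by an attacker's page, so cookie_sid is the victim's."""
        if cookie_sid not in self.balances:
            return "no session"
        if self._require_sid and params.get("sid") != cookie_sid:
            return "rejected"               # a cross-site page cannot know the session id
        fn = self._actions[cookie_sid].get(params.get("action"))
        if fn is None:
            return "unknown action"
        fn(cookie_sid)
        return "ok"


def simulate_attack(id_source, require_sid, guesses=200):
    """Victim has a page open with a 'transfer' action; the attacker's page fires
    `guesses` requests with enumerated action ids. Returns (hits, final balance)."""
    app = App(id_source, require_sid)
    victim = app.new_session()

    def transfer(sid):
        app.balances[sid] -= 100            # the sensitive action behind the link

    app.make_action(victim, transfer)       # rendered into the victim's page
    hits = 0
    for guess in itertools.islice(gensym_style_ids(), guesses):
        # Attacker's page: e.g. one <img src="https://bank/?action=ACTIONn"> per guess.
        if app.handle_request(victim, {"action": guess}) == "ok":
            hits += 1
    return hits, app.balances[victim]


def legit_request_with_sid():
    """With fix 1 the user's own links carry the session id and still work."""
    app = App(gensym_style_ids(), require_sid=True)
    sid = app.new_session()
    aid = app.make_action(sid, lambda s: None)
    return app.handle_request(sid, {"action": aid, "sid": sid})


if __name__ == "__main__":
    print("gensym ids, no sid in URL:", simulate_attack(gensym_style_ids(), False))  # (1, 900)
    print("random ids, no sid in URL:", simulate_attack(random_ids(), False))        # (0, 1000)
    print("gensym ids, sid required: ", simulate_attack(gensym_style_ids(), True))   # (0, 1000)
```

Fix 1 works because the session id in the URL acts as a per-session secret the attacker's page cannot read, the same role a CSRF token plays; fix 2 works because the action id itself is drawn from a CSPRNG (here `secrets`, since a language's general-purpose `random` is not suitable for this) and cannot be enumerated. Either one stops the attack in this model; doing both means a leaked session id in a URL (referrer, logs) does not by itself reopen the enumeration path.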