About this blog

I'm a developer with over 10 years experience who wants to transition to infosec. This blog is an informal record of my experiments with OWASP's Mutillidae II, a web application exhibiting a multitude of deliberate vulnerabilities. I will also take Offensive Security's PWK training course and get the OSCP certificate

Wednesday, 31 August 2016

Client controls more than just params

The client controls all the headers (including cookies) too.  So if they are displayed anywhere without being escaped, the page is vulnerable to content injection.



The DOM is also controlled by the client too, so anything in that can be manipulated with injections.
Posted by at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)