Guess what, there are no enforceable rules about what a client (i.e. browser) can or cannot do. If a session is hijackable, relying on the inability to run javascript is useless. The key is whether session IDs are random or not as you alluded to. There is indeed a random section in my sessionID, just not the entire thing.
;)
I appreciate your suggestions, but you might want to be careful how high you get on that horse assuming others have no clue what they're doing.
Your statements such as "Under no circumstance should your site allow javascript to run" and "it is just likely to exist considering the possibility of running arbitrary javascript with zero effort" have no basis in facts, they are merely attempts to allude to your incredible hacking skills.
As I mentioned previously, I appreciate feedback, but please do not portray your suspicions about my site as facts.
Interesting site, but not the same idea. Splinky, as well as titletrader, involve mailing things to other people, analogous to netflix. Both neat ideas if that's what you want.
dvdtrader.us is about trading DVDs locally, more like a classifieds or even a video rental store. There is no mailing involved, and therefore no fees or trust issues! dvdtrader sets up the exchange (including who is willing to travel) and the exchange is done in person.
Hardly...
;)
I know that the MPAA and RIAA have blurred the waters so much that people think that everything they do is illegal, but trading your own DVDs for someone else's DVDs is still legal in most countries, even the USA.
This is not fileswapping, but real physical disc exchanges.
Please learn more about cross-site scripting...
... and webserver security
While I appreciate your suggestions, I fail to see how this proves anything except that a user could trick themselves into going to another site. All you did is show that a user could put javascript into their own html document, this hardly constitutes SQL injection. I am always open to learning more though...
You take a big leap from your example to assuming that my webserver is inherently insecure.
I would gladly discuss this more either openly or in private, especially if my site has a true vulnerability. I take such suggestions seriously. You can contact me at [fick at fgm.com], or reply to this post.
I am looking for alpha testers for a new DVD trading site (http://www.dvdtrader.us/) which I hope to establish similar social cooperation. It's meant to help people set up trades for used DVDs with people in their local communities. It's still in development, but I am a stronger believer in the "release early and release often" mantra, so have at it. :)
Now what they really need to do is port yahoo chess to it :) Certainly would beat any portable chess game.