tag:blogger.com,1999:blog-7122745763234660283.post8349355000742867336..comments2011-11-28T23:17:07.245-08:00Minded Securityhttp://www.blogger.com/profile/01503616812076743415noreply@blogger.comBlogger7125tag:blogger.com,1999:blog-7122745763234660283.post-45960029519945108912011-11-23T22:36:25.389-08:002011-11-23T22:36:25.389-08:00Cool. nice post.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-20914749190189861402011-02-03T06:23:53.660-08:002011-02-03T06:23:53.660-08:00good oneAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-3243418989559453012010-04-21T02:00:53.485-07:002010-04-21T02:00:53.485-07:00@Satyajit<br />It&#39;s up to you, I just tested it when I was researching HPP.<br /><br />@all<br />The Yahoo! Classic Mail HPP has been fixed by Yahoo.Minded Securityhttp://www.blogger.com/profile/01503616812076743415noreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-22159721787624054462009-08-12T23:38:40.850-07:002009-08-12T23:38:40.850-07:00Any other site, where we could test itSatyajit Dashttp://www.blogger.com/profile/08712147633806825801noreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-57875426575242854932009-08-04T00:27:27.988-07:002009-08-04T00:27:27.988-07:00As you can read in the blog post:<br />&quot;<br />Please note that every action has anti CSRF measures so it&#39;s not possible to perform those ones from an external evil page.<br />&quot;<br /><br />So, no, Client side HPP isn&#39;t classified as CSRF because it could be used to bypass anti CSRF tokens, the same way I did on Yahoo! Mail.Stefano Di Paolahttp://www.blogger.com/profile/18241677936736054546noreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-84702355372302955612009-08-03T15:25:17.873-07:002009-08-03T15:25:17.873-07:00If the action a result of a GET request why isn&#39;t this classified as CSRF? Since you could embed <br /><br />&lt; img src=&#39;http://yahoo.com?par=val&amp;action=delete&#39; / &gt; and have the request made on behalf of the userAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-45322038293462480552009-05-21T09:10:27.565-07:002009-05-21T09:10:27.565-07:00Great work here! The PoC videos make it very clear that there is an issue, but not how it ties in to HPP. However, the blog post itself covers all those details nicely. Well done!thornmakerhttp://p42.usnoreply@blogger.com