Comments on Minded Security Blog: Client side Http Parameter Pollution - Yahoo! Clas...

@Satyajit It's up to you, I just tested it when I ...

2010-04-21T02:00:53.485-07:00

@Satyajit
It's up to you, I just tested it when I was researching HPP.

@all
The Yahoo! Classic Mail HPP has been fixed by Yahoo.

Any other site, where we could test it

2009-08-12T23:38:40.850-07:00

Any other site, where we could test it

As you can read in the blog post: " Please note th...

2009-08-04T00:27:27.988-07:00

As you can read in the blog post:
"
Please note that every action has anti CSRF measures so it's not possible to perform those ones from an external evil page.
"

So, no, Client side HPP isn't classified as CSRF because it could be used to bypass anti CSRF tokens, the same way I did on Yahoo! Mail.

If the action a result of a GET request why isn't ...

2009-08-03T15:25:17.873-07:00

If the action a result of a GET request why isn't this classified as CSRF? Since you could embed

< img src='http://yahoo.com?par=val&action=delete' / > and have the request made on behalf of the user

Great work here! The PoC videos make it very clea...

2009-05-21T09:10:27.565-07:00

Great work here! The PoC videos make it very clear that there is an issue, but not how it ties in to HPP. However, the blog post itself covers all those details nicely. Well done!