tag:blogger.com,1999:blog-7122745763234660283.post8349355000742867336..comments2024-02-18T02:36:33.709-08:00Comments on IMQ Minded Security Blog: Client side Http Parameter Pollution - Yahoo! Classic Mail Video PocMinded Securityhttp://www.blogger.com/profile/01503616812076743415noreply@blogger.comBlogger7125tag:blogger.com,1999:blog-7122745763234660283.post-45960029519945108912011-11-23T22:36:25.389-08:002011-11-23T22:36:25.389-08:00Cool. nice post.Cool. nice post.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-20914749190189861402011-02-03T06:23:53.660-08:002011-02-03T06:23:53.660-08:00good onegood oneAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-3243418989559453012010-04-21T02:00:53.485-07:002010-04-21T02:00:53.485-07:00@Satyajit
It's up to you, I just tested it whe...@Satyajit<br />It's up to you, I just tested it when I was researching HPP.<br /><br />@all<br />The Yahoo! Classic Mail HPP has been fixed by Yahoo.Minded Securityhttps://www.blogger.com/profile/01503616812076743415noreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-22159721787624054462009-08-12T23:38:40.850-07:002009-08-12T23:38:40.850-07:00Any other site, where we could test itAny other site, where we could test itSatyajit Dashttps://www.blogger.com/profile/08712147633806825801noreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-57875426575242854932009-08-04T00:27:27.988-07:002009-08-04T00:27:27.988-07:00As you can read in the blog post:
"
Please no...As you can read in the blog post:<br />"<br />Please note that every action has anti CSRF measures so it's not possible to perform those ones from an external evil page.<br />"<br /><br />So, no, Client side HPP isn't classified as CSRF because it could be used to bypass anti CSRF tokens, the same way I did on Yahoo! Mail.Stefano Di Paolahttps://www.blogger.com/profile/18241677936736054546noreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-84702355372302955612009-08-03T15:25:17.873-07:002009-08-03T15:25:17.873-07:00If the action a result of a GET request why isn...If the action a result of a GET request why isn't this classified as CSRF? Since you could embed <br /><br />< img src='http://yahoo.com?par=val&action=delete' / > and have the request made on behalf of the userAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-45322038293462480552009-05-21T09:10:27.565-07:002009-05-21T09:10:27.565-07:00Great work here! The PoC videos make it very clea...Great work here! The PoC videos make it very clear that there is an issue, but not how it ties in to HPP. However, the blog post itself covers all those details nicely. Well done!thornmakerhttp://p42.usnoreply@blogger.com