Better HN
0 points
SahAssar
8y ago
0 comments
The vuln is in the fact that the program blindly trusts incoming HTTP based only on a nonce being in both the body and a header.
benchaney
8y ago
No, the "vuln" is assuming that only users on the machine can access localhost. This is a completely reasonable assumption, and it is on the browsers for invalidating it.
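The two comments above describe the same check from two angles: the post says the program accepts a request whenever a nonce in the body matches one in a header, and the reply says the real problem is that a web page loaded in the user's browser can reach localhost. The following is an added illustration, not the code of the program under discussion: a constructed request model with the weak check beside a hardened one. Everything here (the header name `X-Nonce`, the body field `nonce`, the `Origin` allowlist, the sample requests) is an assumption made for the example.

```python
import hmac
import secrets

# Constructed model of what a localhost HTTP handler sees: a dict of request
# headers and a parsed body dict. Not the program discussed in the thread.


def vulnerable_is_trusted(headers: dict, body: dict) -> bool:
    """Weak check: trusts the request if the header nonce equals the body nonce.

    Both values are chosen by the sender, so any client that can reach the
    port, including a script on a web page the user has open, can pick a
    nonce, put it in both places, and pass.
    """
    hdr = headers.get("X-Nonce")
    return hdr is not None and hdr == body.get("nonce")


class HardenedGuard:
    """Hardened check: the server mints a secret that only a legitimate local
    client is handed (e.g. via a file readable only by that user), and the
    request must present it. Requests that carry a browser Origin header from
    a site not explicitly allowed are rejected, because they came from a web
    page rather than from a local client."""

    def __init__(self, allowed_origins=()):
        # 256 bits from the OS CSPRNG; never derived from anything the request carries.
        self.secret = secrets.token_urlsafe(32)
        self.allowed_origins = set(allowed_origins)

    def is_trusted(self, headers: dict, body: dict) -> bool:
        presented = headers.get("X-Nonce", "")
        # Constant-time comparison against the server-side secret, not
        # against another attacker-supplied copy of the same value.
        if not hmac.compare_digest(presented, self.secret):
            return False
        if body.get("nonce") != presented:
            return False
        origin = headers.get("Origin")
        # Browsers attach Origin to cross-origin requests; a native local
        # client normally sends none. Deny unknown web origins outright.
        if origin is not None and origin not in self.allowed_origins:
            return False
        return True


# Constructed sample traffic.
ATTACKER_REQUEST = (
    {"X-Nonce": "attacker-picked", "Origin": "https://evil.example"},
    {"nonce": "attacker-picked"},
)


def legitimate_request(guard: HardenedGuard):
    """What a local client that has been handed the secret would send."""
    return ({"X-Nonce": guard.secret}, {"nonce": guard.secret})


if __name__ == "__main__":
    guard = HardenedGuard()
    print("weak check accepts attacker:", vulnerable_is_trusted(*ATTACKER_REQUEST))
    print("hardened rejects attacker:", not guard.is_trusted(*ATTACKER_REQUEST))
    print("hardened accepts local client:", guard.is_trusted(*legitimate_request(guard)))
```

The matching-copies check passes the attacker's request because nothing in it is bound to state the server controls; the hardened guard fails it twice over, once for not knowing the secret and once for arriving with a foreign Origin. Allowlisting origins rather than rejecting all of them is what keeps a deliberately browser-based local client working.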