
Could you clarify what actually can be done by this? From what I can see, you can't do XSS because it's escaped.

I guess there's the chance that you could do CSRF because you've essentially "set" their CSRF token?



XSS? Unrelated here, I think.

Exactly, cookie forcing/tossing = "set" their CSRF token
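The cookie-forcing point above, as an added example that is not from the thread: a double-submit CSRF check that only compares the cookie with the form field accepts whatever value was planted in the victim's cookie jar, while a token derived from the session with a server-side HMAC does not. SERVER_SECRET, the session id and the cookie names are constructed for this demo.

```python
import hashlib
import hmac

# Constructed server-side secret; in a real deployment this lives outside the code.
SERVER_SECRET = b"constructed-demo-secret"


def naive_double_submit_ok(cookies: dict, form: dict) -> bool:
    """Weak check: the cookie is trusted purely because it arrived with the request.
    Anyone able to force a cookie onto the browser can make it match the form field."""
    cookie_token = cookies.get("csrf")
    if cookie_token is None:
        return False
    return hmac.compare_digest(cookie_token, form.get("csrf", ""))


def bound_token(session_id: str) -> str:
    """Token the server issues into the form: an HMAC over the session id.
    Without SERVER_SECRET nobody else can compute a value that matches."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def bound_check_ok(session_id: str, form: dict) -> bool:
    """Hardened check: recompute the token from the session and compare it to the form."""
    return hmac.compare_digest(bound_token(session_id), form.get("csrf", ""))


def simulate_forced_cookie() -> dict:
    """Constructed scenario: the csrf cookie holds a value the victim's server never issued.
    Returns which of the two checks accept the request."""
    victim_session = "victim-session-123"            # constructed session id
    planted = "value-written-by-someone-else"        # constructed forced cookie value
    cookies = {"session": victim_session, "csrf": planted}
    form = {"csrf": planted}
    return {
        "naive_accepts": naive_double_submit_ok(cookies, form),
        "bound_accepts": bound_check_ok(victim_session, form),
    }


if __name__ == "__main__":
    print(simulate_forced_cookie())  # {'naive_accepts': True, 'bound_accepts': False}
```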



