[Full-disclosure] [x0n3-h4ck.org] PayPal vulnerable to XSS

Tue Nov 7 02:12:34 GMT 2006

On 06 Nov 06, at 14:37, Thierry Zoller wrote:
>> That's not exploitable.
>
> Is it? Look into Flash 8 "raw" http requests, you can trigger them  
> client side.

Triggering the request is one thing, but does it actually render and  
run in the target domain's context? That's the important bit - and,  
if it actually works that way, that's totally broken.