When protected resources have form fill policy enabled and NAM gets a
login form from app server, does NAM fill in the form and submit it to
the app server or does NAM fill in the form and return the form to the

Our internal audit performed an XSS scan and found that by injecting some
script, they were able to get the login user's id/password. This led me
to suspect that NAM might have sent the filled-in login form to the
browser, which made the id/password available for the injected script to
access. We are working on our application to prevent the XSS issue. I'm
just curious about how NAM does the form fill.


