>
> Hi All,
If your website uses cookies they can be stolen. If these cookies are used in user auth
(like webmail, wwwboard, voting polls, etc) this poses an obvious problem.
Rather than *assume* you'll never have any tools like this on your company website and allow
the problem to be forgotten about, it would be better to address it now for the following reasons.
- If someone finds this hole they may publish it to a mailing list or news site. From here
your company will get negative publicity and possibly lose clients. Even if this hole/bug is *useless*
people will see *potential security hole* and question the trust of your company.
- Most people won't know what XSS is, and most won't bother investigating it. They will only see
*security problem* and decide to use your company based on this. Most also won't want to have to
read a lengthy paper, or deal with tech support to figure out what this means.
- Assuming this bug gets known to the public, will the cost of fixing it be more or less than you losing
say 2 percent of your clients due to trust issues?
Just some thoughts
>
> Any ideas ?
Received on Tue Dec 10 13:51:10 2002