
Re: XSS

From: Matthew Miller <mmiller(at)atstake.com>
Date: Wed Dec 11 2002 - 16:29:31 EST


Ed,

Comments inline....

On Wednesday, December 11, 2002, at 03:15 PM, Ed Tracy @ Aspect Security wrote:

>
> John,

If there is no persistent data this is true...keep in mind your application may be safe, but the components on which you host it may be vulnerable.
>
> However, if your site has any content-altering vulnerabilities (would
This is basically what I am trying to describe with persistent XSS.

> Academic detail:

Examples of transaction based cross-site scripting include area tags, a form on another site, redirects from another site (meta tags, script), html based email, malicious applications, etc... All of the above require user action: clicking on a link, submitting a form, visiting a malicious site, opening an email, executing an application.

Examples of persistent data stores would be databases (e.g. 3 tier web app), files in which data is stored (e.g. webmail), other sites the application receives data from (e.g. newsfeeds), in memory (e.g. web-based chat server), client side data stores (e.g. cookies), etc... All of the above do not require user action; all the user has to do is visit the vulnerable site.


Just a note, but XSS does not always have to be script code....HTML injection may be a better term, but XSS seems to have caught on.

mm

>
> -Ed
>
>> Hi All,
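An added illustration of the distinction drawn in the message above (not code from the thread or its authors): a constructed in-memory message store stands in for the "web-based chat server" persistent case, a search echo stands in for the transaction-based case, and both run through the same output encoder so that plain HTML, not only script, is rendered inert. All function and variable names are assumptions.

```python
import html

# Constructed stand-in for a persistent data store (the mail's in-memory
# chat-server case). Messages are kept exactly as received.
_MESSAGES = []


def encode_for_html_body(text):
    """Encode untrusted text for an HTML text or quoted-attribute context.

    quote=True also encodes '"' and "'", which is what makes the same
    function usable inside a quoted attribute in the template.
    """
    return html.escape(text, quote=True)


def post_message(raw):
    """Persistent path, step 1: store raw input; encoding belongs at output."""
    _MESSAGES.append(raw)


def render_chat():
    """Persistent path, step 2: every later visitor receives every stored
    message, so a stored payload needs no further user action to reach them."""
    items = "".join(f"<li>{encode_for_html_body(m)}</li>" for m in _MESSAGES)
    return f"<ul>{items}</ul>"


def render_search(query):
    """Transaction-based path: the parameter is echoed only to the user whose
    own request carried it, which is why that path depends on user action."""
    return f"<p>Results for {encode_for_html_body(query)}</p>"


def is_inert(rendered, untrusted):
    """Check: the untrusted value reached the output only in encoded form."""
    encoded = encode_for_html_body(untrusted)
    if encoded == untrusted:  # nothing needed encoding
        return encoded in rendered
    return encoded in rendered and untrusted not in rendered


if __name__ == "__main__":
    # Constructed sample input: plain text and a non-script HTML fragment,
    # illustrating the "HTML injection" point from the message.
    post_message("hello")
    post_message("<b>not script, still injection</b>")
    print(render_chat())
    print(render_search('"><i>x</i>'))
```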
Received on Wed Dec 11 19:45:04 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT

