Re: XSS
From: <appsec(at)technicalinfo.net>
Date: Sun Dec 15 2002 - 17:31:05 EST
http://www.technicalinfo.net/papers/CSS.html

Hope it's useful to you all.

>>>>>>>>>>>>>>>>

Two things....

First, there are really two types of XSS. Persistent, where the injected code is stored within the web application, such as in distribution lists, databases, etc. Transaction based, requiring a user to perform an action in order to be affected, such as clicking on a link, viewing a page with malicious script in it, etc. Therefore, any site that is accepting any form of user input is potentially vulnerable...though the risk of persistent XSS exceeds the risk of transaction based XSS in most cases.

Second, XSS is not only used to grab a user's session ID. An attacker could inject code into the page to redirect the user or modify presentation of content. Imagine a corporate site where you could add/modify a press release or news items; could you impact the company's stock price or lessen consumer confidence? Imagine a pharmaceutical site where you could modify dosage for medication; could you get someone to overdose?

mm
--
Matthew P. Miller
www.atstake.com

On Tuesday, December 10, 2002, at 11:35 AM, John Madden wrote:

Received on Sun Dec 15 19:09:04 2002
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT
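The two XSS classes in the post above (persistent, where the injected markup lives in the application's store, and transaction based, where it is echoed straight back from a request) share one defence: escape untrusted text at the point where it is written into the HTML. The following is an added example, not code from the original post or from the paper linked above. It models a toy news page (the persistent path) and a search echo (the transaction-based path), shows the defective rendering beside the fixed one, and includes a check that a submitted string containing tag-forming characters does not survive verbatim as markup. All function names and sample inputs are constructed for this illustration.

```python
"""Output encoding for persistent and transaction-based XSS paths.

Added example, not part of the original mailing-list post. The "news item"
store stands in for the databases / distribution lists the post mentions;
the search echo stands in for a link the user has to click. Sample strings
are constructed for the demonstration.
"""
import html
from typing import List

# Persistent store (constructed stand-in for a database table of news items).
_NEWS_ITEMS: List[str] = []


def html_escape(text: str) -> str:
    """Encode &, <, >, " and ' so the text cannot change HTML context."""
    return html.escape(text, quote=True)


def reset_store() -> None:
    """Clear the persistent store (used by the demo and the tests)."""
    _NEWS_ITEMS.clear()


def store_news_item(raw: str) -> None:
    """Persistent path: keep the raw submission; encode at render time so every
    route into the store is covered, not just the form that inserted it."""
    _NEWS_ITEMS.append(raw)


def render_news_page_unsafe() -> str:
    """Defective persistent rendering: stored text is pasted in as markup, so
    an injected item alters the page for every visitor who loads it."""
    items = "".join(f"<li>{item}</li>" for item in _NEWS_ITEMS)
    return f"<ul>{items}</ul>"


def render_news_page() -> str:
    """Fixed persistent rendering: each stored item is escaped on output."""
    items = "".join(f"<li>{html_escape(item)}</li>" for item in _NEWS_ITEMS)
    return f"<ul>{items}</ul>"


def render_search_unsafe(query: str) -> str:
    """Defective transaction-based rendering: the request parameter is echoed raw."""
    return f"<p>Results for {query}</p>"


def render_search(query: str) -> str:
    """Fixed transaction-based rendering: the echoed parameter is escaped."""
    return f"<p>Results for {html_escape(query)}</p>"


def contains_active_markup(rendered: str, submitted: str) -> bool:
    """Check used in review/tests: does a submission containing tag-forming
    characters appear verbatim (i.e. still as markup) in the rendered page?"""
    if "<" not in submitted and ">" not in submitted:
        return False
    return submitted in rendered


if __name__ == "__main__":
    # Constructed submission that would change the presentation of a news page,
    # mirroring the post's press-release scenario (markup only, no script).
    submitted = "<b>Q4 revenue restated downward</b>"
    reset_store()
    store_news_item(submitted)
    print("unsafe news page :", render_news_page_unsafe())
    print("escaped news page:", render_news_page())
    print("unsafe search    :", render_search_unsafe(submitted))
    print("escaped search   :", render_search(submitted))
    print("markup survives (unsafe):", contains_active_markup(render_news_page_unsafe(), submitted))
    print("markup survives (fixed) :", contains_active_markup(render_news_page(), submitted))
```

The check is deliberately narrow: it only tells you whether tag-forming characters came back untouched in the HTML body. Attribute, URL and JavaScript contexts each need their own encoding, so the same escaping routine is not sufficient if user text is placed inside an `href` or an inline script.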