
RE: [Full-Disclosure] Re: New Web Vulnerability - Cross-Site Tracing

From: Steven M. Christey <coley(at)linus.mitre.org>
Date: Thu Jan 23 2003 - 19:46:45 EST

"Richard M. Smith" <rms@computerbytesman.com> asked:

>Do you know of any cases of cross-site scripting being used in the

I have observed unsuccessful cross-site scripting attacks on custom programs of a particular web server, but they are rarely performed.

>I looked around last fall some and couldn't find any examples being

I remember, though many enterprises are quite hush-hush about the details of security incidents. Maybe CERT/CC has incident data that it could summarize?

>XSS errors are real easy to make, so it is not surprising they are the

Agreed. Unlike bugs like buffer overflows, format strings, SQL injection, and directory traversal, nearly every single input is suspect, resulting in more attack vectors. Think of how many inputs are echoed back to a web page, for example, versus how many inputs are used to construct filenames, or format log messages. Also, "XSS cleansing" can be difficult if certain inputs need to be fairly free-form. XSS issues can be easy to find, which is probably also a factor, though it also demonstrates the lack of adequate testing on the part of the developer.

- Steve
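The point above, that every input echoed back into a page is a potential XSS vector while free-form text can still be reflected safely if it is encoded for the context it lands in, as an added Python example that is not part of the original message (the handler names and page templates are hypothetical):

```python
import html
from urllib.parse import parse_qs

# Hypothetical search handler written for this thread (not code from the
# original message).  It reflects the 'q' query parameter into a page, first
# verbatim, then HTML-encoded for the context the value lands in.
TEXT_PAGE = "<html><body><p>You searched for: {q}</p></body></html>"
ATTR_PAGE = '<html><body><input name="q" value="{q}"></body></html>'


def param(query_string: str, name: str = "q") -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def encode(value: str) -> str:
    """Encode for HTML text and double-quoted attribute contexts.

    quote=True also turns '"' and "'" into entities; that is unnecessary in a
    text node but harmless, so one routine covers both templates above.  It is
    NOT enough for values placed inside <script> or a URL: those contexts need
    their own encoders.
    """
    return html.escape(value, quote=True)


def reflect_unsafe(query_string: str) -> str:
    """Echo the parameter verbatim: whatever reaches this is an XSS vector."""
    return TEXT_PAGE.format(q=param(query_string))


def reflect_text(query_string: str) -> str:
    """Reflect into a text node with encoding applied."""
    return TEXT_PAGE.format(q=encode(param(query_string)))


def reflect_attr(query_string: str) -> str:
    """Reflect into a quoted attribute with encoding applied."""
    return ATTR_PAGE.format(q=encode(param(query_string)))


def breaks_out(rendered: str, template: str) -> bool:
    """True if the value added a tag or attribute boundary of its own.

    An encoded value contributes no raw '<' or '"', so the rendered page must
    contain exactly as many of them as the template rendered with an empty value.
    """
    empty = template.format(q="")
    return (rendered.count("<") != empty.count("<")
            or rendered.count('"') != empty.count('"'))


def lossless(value: str) -> bool:
    """Encoding is display-preserving: the browser still shows the free text."""
    return html.unescape(encode(value)) == value
```

The `lossless` check is the answer to the "free-form input" concern: encoding changes the bytes sent, not what the user sees, so nothing has to be stripped or rejected for a text-node context.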
Received on Thu Jan 23 19:59:00 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:47 EDT

