Thread: Cross-site Scripting Vulnerability

  1. #1
    Junior Member
    Join Date
    May 2002
    Posts
    17

    Cross-site Scripting Vulnerability

    What the heck is this vulnerability about?

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    772
    The above sentences are produced by the propaganda and indoctrination of people manipulating my mind since 1987, hence, I cannot be held responsible for this post's content - me

    www.elhalf.com

  3. #3
    Senior Member
    Join Date
    Jul 2003
    Posts
    114
    The article that el-half posted is an excellent introduction to XSS, and you should read it. It's not the whole story, though. First of all, their countermeasures section is a little skimpy. For instance, they fail to mention that most scripting languages have commands to clean up input so that you can't have any HTML junk from users. For instance, in PHP, the function is called htmlspecialchars(). In ASP, it's Server.HTMLEncode().

    The article also fails to even touch on HTML injection, which is related. In many web applications — usually crappy bulletin board systems — you can inject HTML into the database, such that you can rewrite the web page that other users see. Attackers have used this in the past to tweak the noses of corporations by making their web sites say bad things about them. A more sinister possibility is to inject HTML to download a browser exploit, so that, for instance, anyone visiting a particular site using Win IE finds that the attacker now 0wn3z their computer. Fortunately, HTML injection is pretty easy to avoid; it's just a matter of calling the same functions you would use to prevent XSS.

    Finally, I cannot say enough good things about the Open Web Applications Security Project Guide. It contains loads of clear information about writing secure web applications, including info on XSS.
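
The output-encoding countermeasure described in post #3, as an added example that is not part of the original thread: a constructed bulletin-board post rendered without and with htmlspecialchars(). The helper name e(), the render functions and the sample data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample input: what a bulletin board might hold in its database
// after a user submitted markup instead of plain text.
$post = [
    'author' => "O'Brien",   // a lone single quote is enough to break a '...' attribute
    'body'   => '<script>alert(document.cookie)</script><b>hello</b>',
];

// "Before": user data is concatenated straight into the page, so the browser
// parses it as markup (stored XSS / HTML injection).
function render_unsafe(array $post): string
{
    return "<div class='post' title='{$post['author']}'>{$post['body']}</div>";
}

// Hypothetical helper: encode for HTML text and quoted-attribute contexts.
// ENT_QUOTES encodes both " and ' (before PHP 8.1 the default flags left '
// untouched); ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of
// making the function return an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "After": every user-controlled value is encoded at the point of output,
// including values that land inside attributes.
function render_safe(array $post): string
{
    return "<div class='post' title='" . e($post['author']) . "'>"
         . e($post['body']) . "</div>";
}

echo "unsafe: ", render_unsafe($post), PHP_EOL;
echo "safe:   ", render_safe($post), PHP_EOL;
```

Encoding at output time, rather than once when the data is stored, keeps the database contents intact and covers every page that displays them.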

  4. #4
    Senior Member
    Join Date
    Jul 2003
    Posts
    114
    Cross Site Scripting is a vulnerability used to insert code into places it shouldn't be (+/-)...

    As you can imagine this is used in the wrong way by the wrong people.
    A common example is the creation of a false bank website and then XSS the login part to mail the hacker your data. This has happened before. It can also be used to steal cookies and other stuff.

    If you want to learn more I suggest you read this. For info on how to avoid these kinds of attacks, check this out.

    Note: if you use Hotmail/Yahoo and some other popular email providers I suggest you check them for this vulnerability. Those I mentioned were vulnerable last year, but they have probably done something about it by now.

  5. #5
    Senior Member
    Join Date
    Sep 2003
    Posts
    279
    From what I understand a simple JavaScript can be placed in the page that will display the cookie. JAVASCRIPT ALERT - "document.cookie"

    You just make a java alert and place "document.cookie" as the body.