Vulnerability Development: RE: CSS, CSS & let me give you some more CSS

RE: CSS, CSS & let me give you some more CSS

From: Marc Slemko <marcs_at_znep.com>
Date: Fri, 1 Feb 2002 19:00:17 -0800 (PST)

On Fri, 1 Feb 2002, Brian McWilliams wrote:

> At 03:09 PM 1/31/2002, Joe Harrison wrote:
> >I can't help feel the importance of these cross-site-scripting attacks is
> >over-emphasised.
>
> As others have pointed out, CSS bugs can be used to do some pretty
> interesting things.
>
> FYI, the source De Vitry injected into the news site pages is here:
> http://devitry.com/mon
>

More interesting are cases where you can actually inject it into a cookie
that the site uses to make it persist.

Rare perhaps, but it has a good history because Microsoft themselves created
a good demo of this exact technique a couple of years back when they first
brought forward the "new age" of CSS (which resulted in the CERT
advisory)... was an exploit that set a msnbc.com cookie that made the news
story on the msnbc.com home page (either that or some other msn news site,
would have to check my notes) be a bogus attacker-specified story, even if
you went back there by entering "http://www.msnbc.com/" directly or closed
and restarted your browser before returning.

There are a lot of issues. Many of them are fairly low risk. But it is
important that people don't get tricked into thinking they are all low
risk, since this is a massive issue. IMHO, one of the biggest ongoing
issues with the deployment of web-based applications.
Received on Feb 02 2002
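
The cookie-persisted injection described in the message above, as an added example that is not part of the original post: a page that writes a cookie value straight into its markup, beside a version that keeps only a story ID in the cookie, looks the text up server-side and escapes on output. The cookie name `story`, the story table and all function names are hypothetical.

```javascript
// Added example; cookie name, story table and function names are hypothetical.
const STORIES = { "1": "Markets close higher", "2": "Storm & flood warnings issued" };
const DEFAULT_HEADLINE = "Top story";

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (_) { /* keep raw value */ }
    jar[part.slice(0, eq).trim()] = value;
  }
  return jar;
}

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable design: the cookie carries display text and is trusted as-is,
// so whatever was once written into it is rendered on every later visit.
function renderVulnerable(cookieHeader) {
  const headline = parseCookies(cookieHeader).story || DEFAULT_HEADLINE;
  return "<h1>" + headline + "</h1>";
}

// Hardened design: the cookie may only select a server-side story by numeric
// ID; anything else falls back to the default, and output is escaped anyway.
function renderHardened(cookieHeader) {
  const id = parseCookies(cookieHeader).story;
  const known = typeof id === "string" && /^[0-9]{1,6}$/.test(id) && STORIES[id];
  return "<h1>" + escapeHtml(known || DEFAULT_HEADLINE) + "</h1>";
}

// Constructed sample: a cookie value left in the browser by an earlier injection.
const STORED_COOKIE = "session=abc123; story=" + encodeURIComponent("<b>BOGUS STORY</b>");

console.log(renderVulnerable(STORED_COOKIE));            // markup from the cookie reaches the page
console.log(renderHardened(STORED_COOKIE));              // rejected, default headline shown
console.log(renderHardened("session=abc123; story=2"));  // valid ID, escaped server-side text
```

Because the cookie outlives the request that set it, the vulnerable page keeps rendering the injected value on direct visits and after a browser restart, which is the persistence the message describes.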
