|
Vulnerability Development
mailing list archives
Re: CSS implication
From: "b0iler _" <b0iler () hotmail com>
Date: Tue, 19 Mar 2002 14:45:31 -0700
Although very simular to XSS writting SSI, PHP, or any other kind of server
side language is not XSS, but rather a remote file writting vulnerability.
The difference is there and I don't feel we should confuse the two. I am
not sure if you would call client side scriptting that is saved to a file on
the server XSS, but I personally do not count it as such.
Here is a few other things for your paper.
you can redirect the user to a url or submit form data. very dangerous if
the user is allowed to do things like change their password when they are
logged in without having to supply their password. session theft.
read field data or html. can be dangerous if a users password, credit card
number, real name, or other sensitive information is printted to the same
page(s) the XSS has access to.
you can change the html of a page. dangerous for example if the user is
supposed to input their username and password, you can change where the form
is sent, making it instead a logging script set up on your server.
Matt Priestley mentioned session theft. Which was what most of these have
have to deal with, also you can grab the current url. Which can sometimes
hold sensitive info - usernames, passwords, session ids, etc.
_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com
 By Date 
By Thread
Current thread:
- Re: CSS implication, (continued)
RE: CSS implication Matt Priestley (Mar 17)
Re: CSS implication b0iler _ (Mar 20)
|
Intro
