I was always under the impression that the samy worm
style was not XSS at all, but HTML injection. Could be
wrong. But it makes sense to me not to call both of
them XSS, as they are quite different.
--- v9 <v9_at_fakehalo.us> wrote:
> alright. folks, enough with the unrelated XSS stories, for the last time,
> i'm simply saying not all XSS are the same...i am talking about XSS that
> doesn't get saved on the server and has to be included in the url... i
> don't know how much more clear to make this.
>
> "http://something.com/...?[XSS HERE]" style.
>
> i'm quite aware of samy's myspace worm, good idea, however that is
> completely different from what i am and have been talking about.
>
> samy's worm was stored on the server and shown to all who viewed his
> myspace page. these kind of XSS are in a url you'd have to create
> yourself, you wouldn't ever stroll across this, as you have to make it in
> the url to work.
>
> so as i said before, encoded/phishing (emails) is about the only possible
> use for these that i can see, and not even to a good extent (easier
> to just use the usual <A HREF> style misdirection, and has more options).
> if someone can tell me otherwise, post a RELATED reply. (ie. in-url XSS)
>
>
> On Mon, 17 Apr 2006, Juan C Calderon wrote:
>
> > Hello,
> >
> > I want to share with you this information I got from
> > this same list back on April 5th. It is about a virus
> > created with an XSS at a myspace website (check the
> > list archives).
> >
> > Myspace.com - Intricate Script Injection Vulnerability advisory
> > http://www.silent-products.com/advisory4.5.06.txt
> >
> > The myspace hack story
> > http://fast.info/myspace/
> >
> > There are very interesting links at the end of this
> > paper relating to XSS viruses and their differences
> > with traditional viruses.
> > http://www.bindshell.net/papers/xssv.html
> >
> > hope it is interesting to you, this is just a little
> > example of what an XSS can do,
> >
> > Cheers,
> > JC
> >
>
Received on Apr 18 2006