Vulnerability Development
mailing list archives
Re: Sourceforge.net XSS
From: "Daniel" <clearscreen () lycantrope com>
Date: Thu, 13 Apr 2006 01:59:06 +0200
Hehehe think about the possibilities when you have the power to inject any
HTML/JavaScript you like in a webpage. Just take the Google XSS example from
that one site. A simple JavaScript source file was injected and it would
send back all the searched data to the hacker. Think about what you can use
that for, credit card/PayPal phishing? Stealing secure information? Ripping
cookie (document.cookie!!!) contents? I guess you yourself could think of more
examples yourself. You basically set the point, people see XSS holes as pretty
harmless 'bugs' in their code but they should really be seen as high-risk
vulnerabilities.
----- Original Message -----
From: <v9 () fakehalo us>
To: <vuln-dev () securityfocus com>
Sent: Wednesday, April 12, 2006 10:29 PM
Subject: Re: Sourceforge.net XSS
Is it me, or do these XSS vulnerabilities not really count? I don't see a
way this can be abused other than to yourself. In my book an XSS
vulnerability must be stored on the server and displayed for others to
view, otherwise what's the point? If I'm not getting the big picture,
someone inform me...I don't mean to flame on you specifically, but I have
seen a lot of these "XSS in the URL" dealios lately.