|
WebApp Sec
mailing list archives
Re: XSS
From: "HarryM" <harrym () the-group org>
Date: Mon, 16 Dec 2002 06:23:45 -0000
In order for a site to be susceptible to XSS attacks, the site needs to
accept user input and repost that user input. This would allow for the
two ingredients of XSS: 1. Receiving malicious code from an attacker. 2.
Delivering that malicious code to a valid user. Accordingly, the answer
is NO. Your site should be safe from XSS
I haven't been following this thread, so apologies if someone has already
covered this.
Although that's true, strictly speaking, don't let it lull you into a false
sense of security - A site that takes input without reposting it can still
be susceptible to a wide variety of attacks along the lines of SQL or
special character injection. For example, a site that had an SQL database
set up to record web statistics could be fed a malicious HTTP_REFERER field.
I said 'strictly speaking' above, since although this isn't XSS, it
certainly falls under the same bracket (malicious input and/or lack of input
validation)
Harry
 By Date 
By Thread
Current thread:
- Re: XSS, (continued)
- Re: XSS Matthew Miller (Dec 11)
- Re: XSS Jeff Williams @ Aspect (Dec 11)
- Re: XSS Sverre H. Huseby (Dec 19)
- Re: XSS Ed Tracy @ Aspect Security (Dec 11)
- Re: XSS Matthew Miller (Dec 11)
- Re: XSS HarryM (Dec 15)
Re: XSS zeno (Dec 10)
RE: XSS Ernesto Funes (Dec 10)
Re: XSS zeno (Dec 10)
|
Intro
