Full Disclosure mailing list archives
Re: Search Engine XSS
From: Sam Baskinger <sam () reefedge com>
Date: Wed, 23 Jul 2003 15:05:54 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Not speaking to these specific vulnerabilities, XSS attacks in general, let you masquerade info as being legitimate data from the server. For example, you can present the user with an error page which LOOKS like a login page with the method in the HTML form being to a malicious data collector. One of the original example of XSS was one user gave a link on his webpage which to a link under the domain nytimes.com which which clicked presented the user with a bogus story. The content was that of the exploiter's choosing but it was delivered by the nytimes domain. Thus, the exploit moves across web sites. So, the impact varries a great deal depending on context and the waryness of the users. If the web browser tells you that the page returns code is HTML 403, don't go typing your password into any forms presented on that page. :-) Hope this is helpful. Sam On Wednesday 23 July 2003 14:02, Shanphen Dawa wrote:
Yes but what affect does this have on the server? How does it comprimise security? Can you use this to DoS the server? Can you use this to gain access to areas on the server otherwise not available? On Wed, 23 Jul 2003 02:18:05 -0700 "morning_wood" <se_cur_ity () hotmail com> wrote:since were on the subject now... ill clear up my backlog...
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/HtySuabcSIn58XwRAtjsAJ40Za3RgcojJRyy2dsRfHBn67eQcgCgv16A OA+YEV+7S1+3tF5AXSmqGb4= =z4dQ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Search Engine XSS morning_wood (Jul 23)
- Re: Search Engine XSS Liu Die Yu (Jul 23)
- Re: Search Engine XSS Shanphen Dawa (Jul 23)
- Re: Search Engine XSS northern snowfall (Jul 23)
- Re: Search Engine XSS morning_wood (Jul 23)
- Re: Search Engine XSS Shanphen Dawa (Jul 23)
- Re: Search Engine XSS Bill Pennington (Jul 23)
- Re: Search Engine XSS Sam Baskinger (Jul 23)
- Re: Search Engine XSS Sam Baskinger (Jul 23)
- <Possible follow-ups>
- Re: Search Engine XSS bobby manly (Jul 23)