Vulnerability Development mailing list archives
RE: CSS, CSS & let me give you some more CSS
From: Marc Slemko <marcs () znep com>
Date: Fri, 1 Feb 2002 19:00:17 -0800 (PST)
On Fri, 1 Feb 2002, Brian McWilliams wrote:
> At 03:09 PM 1/31/2002, Joe Harrison wrote:
> > I can't help feel the importance of these cross-site-scripting attacks is over-emphasised.
>
> As others have pointed out, CSS bugs can be used to do some pretty interesting things. FYI, the source De Vitry injected into the news site pages is here: http://devitry.com/mon
More interesting are cases where you can actually inject it into a cookie that the site uses to make it persist. Rare perhaps, but it has a good history because Microsoft themselves created a good demo of this exact technique a couple of years back when they first brought forward the "new age" of CSS (which resulted in the CERT advisory)... was an exploit that set a msnbc.com cookie that made the news story on the msnbc.com home page (either that or some other msn news site, would have to check my notes) be a bogus attacker-specified story, even if you went back there by entering "http://www.msnbc.com/" directly or closed and restarted your browser before returning.

There are a lot of issues. Many of them are fairly low risk. But it is important that people don't get tricked into thinking they are all low risk, since this is a massive issue. IMHO, one of the biggest ongoing issues with the deployment of web based applications.
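
The cookie-persistence case described in the message above, shown from the defender's side as an added example that is not part of the original post or of any site it mentions: a page that writes a cookie value into its markup re-renders whatever was stored there on every later visit, unless the value is bounded and encoded on output. The `topStory` cookie, the function names and the sample header are hypothetical and constructed for illustration.

```javascript
// Added example: a cookie value is untrusted input, just like a query string.
// The topStory cookie, renderUnsafe and renderSafe are hypothetical names.

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    jar[name] = value;
  }
  return jar;
}

// Encode the characters that are significant in HTML text and attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

const DEFAULT_HEADLINE = "Top stories";

// Vulnerable: the cookie is trusted and written into the page as markup,
// so whatever was stored in it is rendered again on every later visit.
function renderUnsafe(cookieHeader) {
  const headline = parseCookies(cookieHeader).topStory || DEFAULT_HEADLINE;
  return "<h1>" + headline + "</h1>";
}

// Hardened: bound the length, fall back to a default, and encode on output.
function renderSafe(cookieHeader) {
  const raw = parseCookies(cookieHeader).topStory;
  const ok = typeof raw === "string" && raw.length > 0 && raw.length <= 120;
  return "<h1>" + escapeHtml(ok ? raw : DEFAULT_HEADLINE) + "</h1>";
}

// Constructed sample header carrying markup in the cookie value.
const SAMPLE = "sid=abc123; topStory=" + encodeURIComponent("<b>bogus story</b>");
```

Encoding at output time is what removes the persistence: the stored value can still be arbitrary, but it is only ever rendered as text.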