Vulnerability Development mailing list archives
RE: CSS implication
From: "Matt Priestley" <mpriest () microsoft com>
Date: Sat, 16 Mar 2002 13:47:59 -0800
Here are some of the things my security team has observed with relation to cross-site scripting:

* as you said, persistent cookie theft
* "session theft" where you act in the context of a privileged user
* as you said, running script or objects
* SQL injection attacking the back end logic
* likewise, XML injection
* changing page banners or other decorations in deceptive ways
* DoS attacks on the underlying system error logs
* causing a trusted page to display a link to an untrusted page

-----Original Message-----
From: zero [mailto:zeroboy () arrakis es]
Sent: Saturday, March 16, 2002 5:39 AM
To: vuln-dev () securityfocus com
Subject: CSS implication

Hi all,

I'm working on a CSS paper, and I was wondering, what are the real implications of a CSS attack? When some site is vuln to a CSS problem, you're able to execute code on the web. I've thought about the implications of this. First of all:

- You can steal cookies from users
- You can send bogus links faking the original site: i.e. http://site/vuln.php?query=<script>...(faking vuln.php)...</script>
- You can download & launch ActiveX (possible to download and execute trojans?)

Any more dangerous implications?

mailto:zeroboy () arrakis es
http://www.podergeek.com
http://www.citfi.org
**************************************************
"The further backward you look, the further forward you can see"
Winston Churchill
"To win, there are people who must lose"