RE: Re: New Web Vulnerability - Cross-Site Tracing

["Steven M. Christey" <coley () linus mitre org>]

"Richard M. Smith" <rms () computerbytesman com> asked:

> Do you know of any cases of cross-site scripting being used in the
> real world?

I have observed unsuccessful cross-site scripting attacks on custom
programs of a particular web server, but they are rarely performed.

> I looked around last fall some and couldn't find any examples being
> reported.

I remember, though many enterprises are quite hush-hush about the
details of security incidents.  Maybe CERT/CC has incident data that
it could summarize?

> XSS errors are real easy to make, so it is not surprising they are the
> 2nd most frequently reported vulnerability.

Agreed.  Unlike bugs like buffer overflows, format strings, SQL
injection, and directory traversal, nearly every single input is
suspect, resulting in more attack vectors.  Think of how many inputs
are echoed back to a web page, for example, versus how many inputs are
used to construct filenames, or format log messages.  Also, "XSS
cleansing" can be difficult if certain inputs need to be fairly
free-form.  XSS issues can be easy to find, which is probably also a
factor, though it also demonstrates the lack of adequate testing on
the part of the developer.

- Steve
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html