Full Disclosure mailing list archives
Re: Search Engine XSS
From: Sam Baskinger <sam () reefedge com>
Date: Wed, 23 Jul 2003 16:32:13 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Some quick corrections: - ---- this paragraph is now readable---- One of the original example of XSS was where an exploiter gave a link on his webpage to a location under the nytime domain, which, when clicked presented the user with a bogus story. The content was that of the exploiter's choosing but it was delivered by the nytimes domain. - ---- this is readable and the URL results in an HTTP error (not html) ---- - ---- SORRY about that!!! ---- So, the impact varries a great deal depending on context and the waryness of the users. If the web browser tells you that the URL results in the HTTP code 403, don't go typing your password into any forms presented on that page. :-) Sam - -- original email -- Not speaking to these specific vulnerabilities, XSS attacks in general, let you masquerade info as being legitimate data from the server. For example, you can present the user with an error page which LOOKS like a login page with the method in the HTML form being to a malicious data collector. One of the original example of XSS was one user gave a link on his webpage which to a link under the domain nytimes.com which which clicked presented the user with a bogus story. The content was that of the exploiter's choosing but it was delivered by the nytimes domain. Thus, the exploit moves across web sites. So, the impact varries a great deal depending on context and the waryness of the users. If the web browser tells you that the page returns code is HTML 403, don't go typing your password into any forms presented on that page. :-) Hope this is helpful. Sam -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/HvDNuabcSIn58XwRApubAJ4iiZRNktaSbo1m6x6fyo2rJ/F6PwCfZP8h XpJmpHu5s9YN0T52dusVaNE= =v7wx -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Search Engine XSS morning_wood (Jul 23)
- Re: Search Engine XSS Liu Die Yu (Jul 23)
- Re: Search Engine XSS Shanphen Dawa (Jul 23)
- Re: Search Engine XSS northern snowfall (Jul 23)
- Re: Search Engine XSS morning_wood (Jul 23)
- Re: Search Engine XSS Shanphen Dawa (Jul 23)
- Re: Search Engine XSS Bill Pennington (Jul 23)
- Re: Search Engine XSS Sam Baskinger (Jul 23)
- Re: Search Engine XSS Sam Baskinger (Jul 23)
- <Possible follow-ups>
- Re: Search Engine XSS bobby manly (Jul 23)