Re: cross site scripting ?

[Slow2Show <sl2sho () yahoo com>]

In-Reply-To: <20020429183257.8001.qmail () mail securityfocus com>

<quote src=http://httpd.apache.org/info/css-security>
Q: Why the name "Cross Site Scripting"?
A: This issue isn't just about scripting, and there isn't 
necessarily anything cross site about it. So why the name? 
It was coined earlier on when the problem was less 
understood, and it stuck. Believe me, we have had more 
important things to do than think of a better name.
</quote>

IMHO the "cross site" nature of XSS comes from the fact 
that you are forwarding the trust level of one site to 
another (from vuln site to attacker’s site). This is the 
case in well known and common "transient XSS". The case you 
discuss..."When one puts a javascript in a message"...or 
injecting any attacker defined content in general, is 
a "permanent XSS". All XSS attacks are derived from these 
two basic types. As marc from apache.org points out, the 
term isn’t well named…for a various number of reasons, but 
it just stuck.

So basicly don’t worry about the messed up 
nomenclature....just keep putting out good Advisories frog 
frog!!

Lata,

-Slow2Show-
University of Florida