Vulnerability Development mailing list archives
Re: cross site scripting ?
From: Slow2Show <sl2sho () yahoo com>
Date: 29 Apr 2002 23:56:21 -0000
In-Reply-To: <20020429183257.8001.qmail () mail securityfocus com>

<quote src=http://httpd.apache.org/info/css-security>
Q: Why the name "Cross Site Scripting"?
A: This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name.
</quote>

IMHO the "cross site" nature of XSS comes from the fact that you are forwarding the trust level of one site to another (from vuln site to attacker's site). This is the case in well known and common "transient XSS". The case you discuss..."When one puts a javascript in a message"...or injecting any attacker defined content in general, is a "permanent XSS". All XSS attacks are derived from these two basic types.

As marc from apache.org points out, the term isn't well named for a various number of reasons, but it just stuck. So basically don't worry about the messed up nomenclature....just keep putting out good Advisories frog frog!!

Lata,
-Slow2Show-
University of Florida