Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: cross site scripting ?

From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 30 Apr 2002 12:55:04 +0200
[Slow2Show]

|   Q: Why the name "Cross Site Scripting"?
|   A: This issue isn't just about scripting, and there isn't 
|   necessarily anything cross site about it. So why the name? 
|   It was coined earlier on when the problem was less 
|   understood, and it stuck.

I think the misuse of the term relates to the CERT advisory
CA-2002-02, "Malicious HTML Tags Embedded in Client Web Requests" at
http://www.cert.org/advisories/CA-2000-02.html

The advisory talks about several ways to include script code in web
pages.  One way exploits browser vulnerabilities, in which browsers
fail to make sure documents of different origins are not allowed to
interfer with one another.  The CERT advisory calls this particular
problem "Cross-site Scripting".  For some reason, the term is now used
for every problem outlined by the CERT advisory (and then some).

I may, of course, be totally wrong. :)


Sverre.

-- 
shh () thathost com                     Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/                http://nerdquiz.thathost.com/
Previous By Date Next
Previous By Thread Next

Current thread: