Vulnerability Development mailing list archives
RE: CSS, CSS & let me give you some more CSS
From: "Joe Harrison" <list-general () ntlworld com>
Date: Thu, 31 Jan 2002 20:09:48 -0000
I can't help feel the importance of these cross-site-scripting attacks is over-emphasised.

1. You can grab a session cookie which can give you a hijacked login. Obviously not good but also not that easy to implement as it needs quite precise timing. Also the rightful session owner (even if unsophisticated user) is immediately going to notice something funny is happening when his or her genuine session blows away.

2. Gives increased scope to effect script attacks against known holes, by-passing "security zone" protections in IE. Hmm well OK, there may be a few people who fit into profile of "savvy enough to manage sites and zones, but who don't install MS browser patches."

Is there anything else? I don't think so. I'm not saying the problem doesn't exist and can't be exploited, only that maybe it doesn't rate so much heat and light compared to many more obvious risks.