Vulnerability Development mailing list archives
Re: CSS implication
From: "Sverre H. Huseby" <shh () thathost com>
Date: Thu, 21 Mar 2002 15:19:26 +0100
[b0iler]

|   you can change the html of a page. dangerous for example if the
|   user is supposed to input their username and password, you can
|   change where the form is sent, making it instead a logging script
|   set up on your server.

Imagine an application in which customers would register a request to
transfer money from one place to another. The transfer request was
stored in a database. Before the transaction took place, it would be
confirmed by a trusted employee using a web interface to the database.
The employee would e.g. check that the source account was in fact owned
by the person doing the request.

The problem was that it was possible to insert scripts in descriptive
fields. One could thus register the request with an invalid (someone
else's) account, and include a script that would modify the web page to
display a valid account. The trusted employee would read the account
number given by the script, while the database still contained the
forged account. 1-0 to the bad guy.

Sverre.

--
shh () thathost com        Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/   http://nerdquiz.thathost.com/
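
The scenario in the message above, as an added example that is not part of the original post: a review page that writes the stored description into the HTML unencoded, beside a version that encodes every database value on output. The function names, field names, element id and account numbers are assumptions constructed for illustration.

```javascript
// Added example: renderReview*, the field names and the "acct" id are hypothetical.
// Constructed sample record: the database holds the account the requester
// entered; the description field carries markup aimed at the review page.
const request = {
  id: 1001,
  sourceAccount: "1111.11.11111", // constructed value, as stored in the database
  amount: "500.00",
  description:
    "Rent<script>document.getElementById('acct').textContent=" +
    "'2222.22.22222'</script>",
};

// Encode the five characters that let text break out of HTML element
// content or a quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the description is concatenated into the page as markup, so a
// script stored in it runs in the reviewer's browser and can rewrite #acct.
function renderReviewUnsafe(r) {
  return `<tr><td id="acct">${r.sourceAccount}</td>` +
         `<td>${r.amount}</td><td>${r.description}</td></tr>`;
}

// Hardened: every database value is encoded on output, so the description is
// shown as literal text and the account cell keeps the stored value.
function renderReviewSafe(r) {
  return `<tr><td id="acct">${escapeHtml(r.sourceAccount)}</td>` +
         `<td>${escapeHtml(r.amount)}</td><td>${escapeHtml(r.description)}</td></tr>`;
}

// Review-time check: flag stored descriptions that contain markup characters
// so the request is examined in a plain-text view before approval.
function containsMarkup(text) {
  return /[<>]/.test(String(text));
}

console.log(renderReviewUnsafe(request));
console.log(renderReviewSafe(request));
console.log("flag for plain-text review:", containsMarkup(request.description));
```

Encoding at output time protects the reviewer's view regardless of how the value entered the database; the markup check is a secondary signal for triage, not a substitute for encoding.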