Vulnerability Development mailing list archives
Re: Sourceforge.net XSS
From: v9 <v9 () fakehalo us>
Date: Mon, 17 Apr 2006 11:31:51 -0400 (EDT)
alright. folks, enough with the unrelated XSS stories, for the last time, i'm simply saying not all XSS are the same...i am talking about XSS that doesn't get saved on the server and has to be included in the url... i don't know how much more clear to make this. "http://something.com/...?[XSS HERE]" style.

i'm quite aware of samy's myspace worm, good idea, however that is completely different from what i am and have been talking about. samy's worm was stored on the server and shown to all who viewed his myspace page. these kind of XSS are in a url you'd have to create yourself, you wouldn't ever stroll across this, as you have to make it in the url to work.

so as i said before, encoded/phishing (emails) is about the only possible use for these that i can see, and not even to a good extent (easier to just use the usual <A HREF> style misdirection, and has more options).

if someone can tell me otherwise, post a RELATED reply. (ie. in-url XSS)

On Mon, 17 Apr 2006, Juan C Calderon wrote:
Hello,

I want to share with you this information I got from this same list back on April 5th. It is about a virus created with an XSS at a myspace website (check the list archives).

Myspace.com - Intricate Script Injection Vulnerability advisory
http://www.silent-products.com/advisory4.5.06.txt

The myspace hack story
http://fast.info/myspace/

There are very interesting links at the end of this paper relating to XSS viruses and their differences with traditional viruses.
http://www.bindshell.net/papers/xssv.html

Hope it is interesting to you, this is just a little example of what an XSS can do.

Cheers,
JC

__________________________________________________
Yahoo! Mail
Space for all your messages, antivirus and antispam, free!
Sign up now - http://correo.espanol.yahoo.com/
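An added illustration, not part of either poster's message: the two cases being contrasted in this thread (a value carried in the URL versus a value saved on the server), rendered with and without output encoding. Every name here (`escapeHtml`, `renderSearch`, `renderProfile`, `profiles`) and the `something.example` host are hypothetical, and the test string is constructed.

```javascript
// Added example: reflected (in-URL) vs stored XSS, and the shared mitigation.
// All function names, the host and the sample data are hypothetical/constructed.

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Reflected case: the value comes from the request URL and is never saved.
function renderSearch(requestUrl, encode) {
  const q = new URL(requestUrl).searchParams.get("q") || "";
  return `<p>Results for ${encode ? escapeHtml(q) : q}</p>`;
}

// Stored case: the value was saved earlier and is served to every viewer.
const profiles = new Map(); // in-memory stand-in for a database
function saveProfile(user, bio) { profiles.set(user, bio); }
function renderProfile(user, encode) {
  const bio = profiles.get(user) || "";
  return `<div class="bio">${encode ? escapeHtml(bio) : bio}</div>`;
}

const MARKUP = "<script>alert(1)</script>"; // constructed test string
const crafted = "http://something.example/search?q=" + encodeURIComponent(MARKUP);
const plain = "http://something.example/search?q=xss";

function demo() {
  saveProfile("alice", MARKUP);
  return {
    // Unencoded: markup reaches the page only for the request that carried it.
    reflectedCraftedUrl: renderSearch(crafted, false).includes(MARKUP),
    reflectedPlainUrl: renderSearch(plain, false).includes(MARKUP),
    // Unencoded: markup reaches every visitor of the stored page.
    storedAnyVisitor: renderProfile("alice", false).includes(MARKUP),
    // Encoded at output: both pages show the text inertly.
    reflectedEncoded: renderSearch(crafted, true),
    storedEncoded: renderProfile("alice", true),
  };
}
console.log(demo());
```

The delivery path differs between the two cases, but the server-side fix is the same in both: encode untrusted values at the point they are written into HTML.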