WebApp Sec mailing list archives

Re: XSS

From: "HarryM" <harrym () the-group org>
Date: Mon, 16 Dec 2002 06:23:45 -0000

  In order for a site to be susceptible to XSS attacks, the site needs to
accept user input and repost that user input.  This would allow for the
two ingredients of XSS: 1. Receiving malicious code from an attacker. 2.
Delivering that malicious code to a valid user.  Accordingly, the answer
is NO.  Your site should be safe from XSS


I haven't been following this thread, so apologies if someone has already
covered this.

Although that's true, strictly speaking, don't let it lull you into a false
sense of security - A site that takes input without reposting it can still
be susceptible to a wide variety of attacks along the lines of SQL or
special character injection. For example, a site that had an SQL database
set up to record web statistics could be fed a malicious HTTP_REFERER field.

I said 'strictly speaking' above, since although this isn't XSS, it
certainly falls under the same bracket (malicious input and/or lack of input
validation)

Harry

Current thread:

RE: XSS, (continued)
- RE: XSS Eyal Udassin (Dec 10)
- Re: XSS Kevin Spett (Dec 10)
  - Re: XSS John Madden (Dec 10)
    - Re: XSS Kevin Spett (Dec 10)
    - Re: XSS Stephen de Vries (Dec 11)
    - Re: XSS Matthew Miller (Dec 11)
    - Re: XSS Jeff Williams @ Aspect (Dec 11)
    - Re: XSS Sverre H. Huseby (Dec 19)
    - Re: XSS Ed Tracy @ Aspect Security (Dec 11)
    - Re: XSS Matthew Miller (Dec 11)
    - Re: XSS HarryM (Dec 15)
- Re: XSS zeno (Dec 10)
- RE: XSS Ernesto Funes (Dec 10)
- Re: XSS zeno (Dec 10)
  - RE: XSS Brett Moore (Dec 10)
    - Re: XSS zeno (Dec 10)
- RE: XSS David Endler (Dec 10)
- Re: XSS appsec (Dec 15)