WebApp Sec mailing list archives
Re: XSS
From: "HarryM" <harrym () the-group org>
Date: Mon, 16 Dec 2002 06:23:45 -0000
In order for a site to be susceptible to XSS attacks, the site needs to accept user input and repost that user input. This would allow for the two ingredients of XSS: 1. Receiving malicious code from an attacker. 2. Delivering that malicious code to a valid user. Accordingly, the answer is NO. Your site should be safe from XSS
I haven't been following this thread, so apologies if someone has already covered this. Although that's true, strictly speaking, don't let it lull you into a false sense of security - A site that takes input without reposting it can still be susceptible to a wide variety of attacks along the lines of SQL or special character injection. For example, a site that had an SQL database set up to record web statistics could be fed a malicious HTTP_REFERER field. I said 'strictly speaking' above, since although this isn't XSS, it certainly falls under the same bracket (malicious input and/or lack of input validation) Harry