RE: [WEB SECURITY] Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript
- From: "Amit Klein (AKsecurity)" <aksecurity@xxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript
- Date: Tue, 01 Aug 2006 00:49:39 +0200
On 31 Jul 2006 at 16:04, Billy Hoffman wrote:
> >>>>
> 2. You mention "Increased Danger from Cross Site Scripting [...] This
> means any XSS vulnerability on any site can be used to attack the end
> user, regardless of the features of the vulnerable site." In my
> understanding, the increased danger comes only from permanent (stored)
> XSS
> <<<<
>
> The point I was trying to make was that all XSS is bad. If you have a
> site with an XSS vuln, even if the site is so devoid of features that
> session hijacking or Ajax worming or other common XSS payloads aren't
> really applicable, the XSS vuln can still be used to do Very Bad
> Things(tm) to a user that have nothing to do with how that user
> interacts with your site.
>
I agree about the part that XSS in general is a Very_Bad_Thing. But I think
that you only prove it in your paper for persistent XSS.
-Amit
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org