Re: [WEB SECURITY] XSS Impact
- From: Steve Pinkham <steve.pinkham@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] XSS Impact
- Date: Wed, 14 Jan 2009 10:47:36 -0500
Pete Lindstrom wrote:
Greetings -
I am trying to get my arms around the cross-site scripting vulnerability
impact and can only come up with it as an enabler of other exploits. Can
you give me your best (highest impact) examples of what an XSS vuln can
do without combining with other exploit techniques?
I'm not sure there is a "best" vulnerability, but the two demos that
seem to resonate most with our customers are:
1) Creating a phishing site which still shows the customer's domain name
and SSL certificate in the browser by replacing the page content in the
DOM with a full size iframe from our servers
2) stealing cookies
Steve
Thanks,
Pete
Pete Lindstrom
Research Director
Spire Security
610-644-9064
blog: http://spiresecurity.typepad.com
--
| Steven E. Pinkham |
| GPG public key ID CD31CAFB |
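
The two demos named in the reply above are each narrowed by a response-header control: the `HttpOnly` cookie attribute keeps injected script from reading a cookie, and a Content-Security-Policy frame restriction limits where an injected iframe can load from. The following is an added example, not part of the original message; the function names and the sample headers are constructed for illustration.

```javascript
// Audit one response's headers for the two mitigations discussed above.
function parseCsp(value) {
  const directives = new Map();
  for (const part of (value || "").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores repeated directives: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditHeaders(headers) {
  const findings = [];
  // Set-Cookie can appear several times; accept a string or an array.
  const cookies = [].concat(headers["set-cookie"] || []);
  for (const cookie of cookies) {
    const [pair, ...attrs] = cookie.split(";").map((s) => s.trim());
    const name = pair.split("=")[0];
    const flags = attrs.map((a) => a.split("=")[0].toLowerCase());
    if (!flags.includes("httponly")) {
      findings.push(`cookie ${name}: no HttpOnly, readable by injected script`);
    }
  }
  const csp = parseCsp(headers["content-security-policy"]);
  // frame-src falls back to child-src, then to default-src.
  const frameSources =
    csp.get("frame-src") || csp.get("child-src") || csp.get("default-src");
  if (!frameSources) {
    findings.push("no CSP frame restriction: an injected iframe may load any origin");
  } else if (frameSources.some((s) => ["*", "http:", "https:"].includes(s))) {
    findings.push("CSP frame restriction is a wildcard: an injected iframe may load any origin");
  }
  return findings;
}

// Constructed sample responses: a weak one and a hardened one.
const weak = { "set-cookie": ["SESSIONID=abc123; Path=/; Secure"] };
const hardened = {
  "set-cookie": ["SESSIONID=abc123; Path=/; Secure; HttpOnly"],
  "content-security-policy": "default-src 'self'; frame-src 'none'",
};
console.log(auditHeaders(weak));
console.log(auditHeaders(hardened));
```

Neither header removes the underlying XSS flaw; they only reduce what the injected script can reach.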
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org