RE: [WEB SECURITY] XSS Impact
- From: Rafal Los <rafal@xxxxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] XSS Impact
- Date: Thu, 15 Jan 2009 01:09:13 +0000
Pete,

I will simply point you back to my buddy Russ's blog http://holisticinfosec.blogspot.com/2008/08/cross-site-scripting-can-be-used-to.html, which is a perfect example. His blog has more examples as well if you scroll backwards.

Cheers

Rafal (Ralph) M. Los
Security & IT Risk Strategist
- Blog: http://preachsecurity.blogspot.com
- LinkedIn: http://www.linkedin.com/in/rmlos

From: petelind@spiresecurity.com
To: websecurity@webappsec.org
Date: Tue, 13 Jan 2009 19:31:45 -0500
Subject: [WEB SECURITY] XSS Impact

Greetings –

I am trying to get my arms around the cross-site scripting vulnerability impact and can only come up with it as an enabler of other exploits. Can you give me your best (highest impact) examples of what an XSS vuln can do without combining with other exploit techniques?

Thanks,

Pete

Pete Lindstrom
Research Director
Spire Security
610-644-9064
blog: http://spiresecurity.typepad.com
Brought to you by http://www.webappsec.org