[prev in list] [next in list] [prev in thread] [next in thread] 

List:       websecurity
Subject:    RE: [WEB SECURITY] Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript
From:       "Amit Klein (AKsecurity)" <aksecurity () hotpop ! com>
Date:       2006-07-31 21:42:46
Message-ID: 44CEA523.19666.EF88EC () localhost
[Download RAW message or body]

On 31 Jul 2006 at 16:04, Billy Hoffman wrote:

> >>>>
> 2. You mention "Increased Danger from Cross Site Scripting [...] This
> means any XSS vulnerability on any site can be used to attack the end
> user, regardless of the features of the vulnerable site." In my
> understanding, the increased danger comes only from permanent (stored)
> XSS 
> <<<<
> 
> The point I was trying to make was that all XSS is bad. If you have a
> site with an XSS vuln, even if the site is so devoid of features that
> session hijacking or Ajax worming or other common XSS payloads aren't
> really applicable, the XSS vuln can still be used to do Very Bad
> Things(tm) to a user that have nothing to do with how that user
> interacts with your site.
> 

I agree about the part that XSS in general is Very_Bad_Thing. But I think
that you only prove it in your paper for persistent XSS.

-Amit

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



[prev in list] [next in list] [prev in thread] [next in thread]