[WEB SECURITY] Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript

Amit Klein (AKsecurity) aksecurity at hotpop.com
Mon Jul 31 18:49:39 EDT 2006


On 31 Jul 2006 at 16:04, Billy Hoffman wrote:

> >>>>
> 2. You mention "Increased Danger from Cross Site Scripting [...] This
> means any XSS vulnerability on any site can be used to attack the end
> user, regardless of the features of the vulnerable site." In my
> understanding, the increased danger comes only from permanent (stored)
> XSS 
> <<<<
> 
> The point I was trying to make was that all XSS is bad. If you have a
> site with an XSS vuln, even if the site is so devoid of features that
> session hijacking or Ajax worming or other common XSS payloads aren't
> really applicable, the XSS vuln can still be used to do Very Bad
> Things(tm) to a user that have nothing to do with how that user
> interacts with your site.
> 

I agree about the part that XSS in general is Very_Bad_Thing. But I think
that you only prove it in your paper for persistent XSS.

-Amit

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list