[WEB SECURITY] XSS Impact

Eric Rachner eric at rachner.us
Tue Jan 13 20:22:42 EST 2009


Hi Pete,

XSS, generically speaking, enables an attacker to view or modify any content
that passes between the browser and the vulnerable site.

Therefore,

1. Any data input by the user can be siphed off by the attacker.  When the
data is the user's account credentials, I'd call that severe.  Same goes for
credit card numbers and the like.

2. Any data displayed by the site can be siphoned off by the attacker.
Again, think financial account info, along with health info, etc.

3. The attacker can supply input on the user's behalf.  Impact depends on
the application.

4. The attacker can cause the site to display bogus information.  If the
site is highly trusted by the user, or by the enterprise desktop security
configuration of the user's machine, this trust can be exploited directly by
the attacker's malicious script.

- Eric

On Tue, Jan 13, 2009 at 4:31 PM, Pete Lindstrom
<petelind at spiresecurity.com>wrote:

>  Greetings –
>
>
>
> I am trying to get my arms around the cross-site scripting vulnerability
> impact and can only come up with it as an enabler of other exploits. Can you
> give me your best (highest impact) examples of what an XSS vuln can do
> without combining with other exploit techniques?
>
>
>
> Thanks,
>
>
>
> Pete
>
>
>
> Pete Lindstrom
>
> Research Director
>
> Spire Security
>
> 610-644-9064
>
> blog: http://spiresecurity.typepad.com
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20090113/276521a8/attachment.html>


More information about the websecurity mailing list