[WEB SECURITY] XSS Impact

Eric Rachner eric at rachner.us
Tue Jan 13 20:42:55 EST 2009


Of course, the typo "siphed" was meant to be "siphoned".

And the MySpace worm represents a great example of #3 and #4 used in
combination.

On Tue, Jan 13, 2009 at 5:22 PM, Eric Rachner <eric at rachner.us> wrote:

> Hi Pete,
>
> XSS, generically speaking, enables an attacker to view or modify any
> content that passes between the browser and the vulnerable site.
>
> Therefore,
>
> 1. Any data input by the user can be siphed off by the attacker.  When the
> data is the user's account credentials, I'd call that severe.  Same goes for
> credit card numbers and the like.
>
> 2. Any data displayed by the site can be siphoned off by the attacker.
> Again, think financial account info, along with health info, etc.
>
> 3. The attacker can supply input on the user's behalf.  Impact depends on
> the application.
>
> 4. The attacker can cause the site to display bogus information.  If the
> site is highly trusted by the user, or by the enterprise desktop security
> configuration of the user's machine, this trust can be exploited directly by
> the attacker's malicious script.
>
> - Eric
>
>
> On Tue, Jan 13, 2009 at 4:31 PM, Pete Lindstrom <
> petelind at spiresecurity.com> wrote:
>
>> Greetings –
>>
>> I am trying to get my arms around the cross-site scripting vulnerability
>> impact and can only come up with it as an enabler of other exploits. Can you
>> give me your best (highest impact) examples of what an XSS vuln can do
>> without combining with other exploit techniques?
>>
>> Thanks,
>>
>> Pete
>>
>> Pete Lindstrom
>> Research Director
>> Spire Security
>> 610-644-9064
>> blog: http://spiresecurity.typepad.com