[WEB SECURITY] XSS Impact

Steve Pinkham steve.pinkham at gmail.com
Wed Jan 14 10:47:36 EST 2009


Pete Lindstrom wrote:
> Greetings –
> 
> I am trying to get my arms around the cross-site scripting vulnerability 
> impact and can only come up with it as an enabler of other exploits. Can 
> you give me your best (highest impact) examples of what an XSS vuln can 
> do without combining with other exploit techniques?
> 
I'm not sure there is a "best" vulnerability, but the two demos that 
seem to resonate most with our customers are:

1) Creating a phishing site which still shows the customer's domain name 
and SSL certificate in the browser by replacing the page content in the 
DOM with a full size iframe from our servers
2) Stealing cookies

Steve
> 
> Thanks,
> 
> Pete
> 
> Pete Lindstrom
> Research Director
> Spire Security
> 610-644-9064
> blog: http://spiresecurity.typepad.com


-- 
  | Steven E. Pinkham                      |
  | GPG public key ID CD31CAFB             |
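The two impacts Steve lists (swapping the page's DOM for an attacker-hosted iframe while the real domain and certificate stay in the address bar, and reading the session cookie from script) both depend on injected script running in the victim origin. The following is an added example, not code from the thread or from either poster, showing the vulnerable pattern beside its hardened form and the response headers that limit each impact even when an injection is missed. The handler and function names are hypothetical; the probe input and session id are constructed.

```javascript
// Added example (not from the original thread). Assumed: a Node.js page
// handler; renderGreeting*, securityHeaders and cookieIsHttpOnly are
// hypothetical names chosen for this illustration.

// HTML-escape untrusted text before it is placed into a page.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: user-controlled input is concatenated straight into HTML,
// so any markup in `name` becomes part of the page (reflected XSS).
function renderGreetingVulnerable(name) {
  return `<h1>Hello ${name}</h1>`;
}

// Hardened: the same page with output encoding applied, so the browser
// renders the input as text rather than parsing it as markup.
function renderGreetingSafe(name) {
  return `<h1>Hello ${escapeHtml(name)}</h1>`;
}

// Response headers that cap the impact of an XSS that slips through:
//  - HttpOnly keeps the session cookie out of document.cookie, so an
//    injected script cannot read it (Steve's impact #2);
//  - Secure and SameSite limit where the cookie is sent at all;
//  - Content-Security-Policy frame-src 'self' makes the browser refuse to
//    load an iframe from a foreign origin (Steve's impact #1), and a
//    script-src without 'unsafe-inline' blocks injected inline scripts.
function securityHeaders(sessionId) {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": `session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`,
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; frame-src 'self'; " +
      "object-src 'none'; base-uri 'self'",
  };
}

// Deploy-time check: parse a Set-Cookie value and confirm the HttpOnly
// flag is actually present (flag names are case-insensitive).
function cookieIsHttpOnly(setCookieHeader) {
  return setCookieHeader
    .split(";")
    .map((part) => part.trim().toLowerCase())
    .includes("httponly");
}

// Constructed probe input of the kind a scanner sends; it does nothing
// harmful, it only shows whether markup survives into the page.
const probe = '<script>document.title = "probe"</script>';
console.log(renderGreetingVulnerable(probe)); // markup reaches the browser as code
console.log(renderGreetingSafe(probe));       // markup reaches the browser as text
console.log(securityHeaders("constructed-session-id"));
```

Output encoding is the fix; the headers are defence in depth. Note that HttpOnly stops cookie theft via `document.cookie` but does not stop an injected script from issuing requests in the victim's session, which is why the CSP restrictions on script sources matter independently.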

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
