From: Matt Andreko (mandreko@ori.net)
Date: Fri Aug 09 2002 - 17:10:43 EDT
I'm sorry I didn't explain my point as well as I'd hoped. If the site
doesn't have a storage, or doesn't need to worry about cookies (no
store), what is the point in being able to inject things? Sure, if you
send an email with a link in it, they'll get taken to another site, but
my understanding was it was as if information was stored in a database
so that an unknowing user could fall into it.
Do I have the wrong idea of XSS in my head, or does it cover both
situations?
-----Original Message-----
From: Kevin Spett [mailto:kspett@spidynamics.com]
Sent: Wednesday, August 07, 2002 2:38 PM
To: Matt Andreko; pen-test@securityfocus.com
Subject: Re: Cross Site Scripting Vulnerabilities - XSS
If you were really trying to exploit an XSS issue, you wouldn't make a
pop-up box... people just use that to test for it. You would do something
like silently send an HTTP request containing the cookie value to another
site, so that the person (or program) at the other end would be able to
hijack the session.
Kevin Spett
SPI Dynamics, Inc.
http://www.spidynamics.com/
----- Original Message -----
From: "Matt Andreko" <mandreko@ori.net>
To: "'Bill Pennington'" <billp@boarder.org>; <pen-test@securityfocus.com>
Sent: Tuesday, August 06, 2002 5:56 PM
Subject: RE: Cross Site Scripting Vulnerabilities - XSS
> I am kinda new to XSS, but am intrigued by how it works. I have found
> sometimes you can get javascript messages to pop up and such, but if
> it's not being stored in a database, what good is it?
>
> Take for example Iwillusa.com (a motherboard maker's website). They
> have a product page that I saw had some html in the URL:
>
> http://www.iwillusa.com/products/spec.asp?ModelName=DVD266>u</i>-RN&SupportID=
> I edited it and it became:
>
> http://www.iwillusa.com/products/spec.asp?ModelName=DVD266u-RN
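
The question at the top of this thread, whether anything has to be stored for XSS to matter, shown as an added example (not code from the thread or from any site it mentions): a page built only from the `ModelName` query parameter reflects markup in the same response, and encoding on output stops that. The function names, the sample query and the session id are constructed for illustration; the `HttpOnly` cookie attribute is included as a mitigation for the cookie exposure described in the reply and is not mentioned in the thread.

```javascript
// Added example: escapeHtml, renderSpecPage and sessionCookie are hypothetical names.

// Encode the characters that let text break out of HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the product page from the query string alone. No database is involved:
// whatever arrives in ModelName goes straight back out in the response body.
function renderSpecPage(queryString, encode) {
  const params = new URLSearchParams(queryString);
  const model = params.get('ModelName') ?? '';
  const shown = encode ? escapeHtml(model) : model;
  return `<html><body><h1>Specifications: ${shown}</h1></body></html>`;
}

// Session cookie marked HttpOnly so page script cannot read it via document.cookie.
function sessionCookie(id) {
  return `session=${encodeURIComponent(id)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample request, modelled on the spec.asp URL quoted in the thread.
// The value carries harmless italic markup, the same kind of test the poster ran.
const SAMPLE_QUERY =
  'ModelName=' + encodeURIComponent('DVD266<i>u</i>-RN') + '&SupportID=';

function demo() {
  return {
    reflected: renderSpecPage(SAMPLE_QUERY, false), // markup survives: reflected XSS
    encoded: renderSpecPage(SAMPLE_QUERY, true),    // markup rendered as inert text
    cookie: sessionCookie('constructed-session-id'),
  };
}

console.log(demo());
```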