From: Kevin Spett (kspett@spidynamics.com)
Date: Fri Aug 09 2002 - 17:30:43 EDT
You're still open to abuse. You could force people's browsers to attack or
DDoS another site, or use IE exploits (see www.guninski.com) to send
sensitive information off of clients' drives to another site. There are
many ways to be evil with XSS; session hijacking is only one of them.
Kevin Spett
SPI Labs
http://www.spidynamics.com/
----- Original Message -----
From: "Matt Andreko" <mandreko@ori.net>
To: "'Kevin Spett'" <kspett@spidynamics.com>; <pen-test@securityfocus.com>
Sent: Friday, August 09, 2002 5:10 PM
Subject: RE: Cross Site Scripting Vulnerabilities - XSS
> I'm sorry I didn't explain my point as well as I'd hoped. If the site
> doesn't have storage, or doesn't need to worry about cookies (no
> store), what is the point in being able to inject things? Sure, if you
> send an email with a link in it, they'll get taken to another site, but
> my understanding was it was as if information was stored in a database
> so that an unknowing user could fall into it.
> Do I have the wrong idea of XSS in my head, or does it cover both
> situations?
>
>
>
> -----Original Message-----
> From: Kevin Spett [mailto:kspett@spidynamics.com]
> Sent: Wednesday, August 07, 2002 2:38 PM
> To: Matt Andreko; pen-test@securityfocus.com
> Subject: Re: Cross Site Scripting Vulnerabilities - XSS
>
> If you were really trying to exploit a XSS issue, you wouldn't make a
> pop-up box... people just use that to test for it. You would do something
> like silently send an HTTP request containing the cookie value to another
> site, so that the person (or program) at the other end would be able to
> hijack the session.
>
>
>
> Kevin Spett
> SPI Dynamics, Inc.
> http://www.spidynamics.com/
>
> ----- Original Message -----
> From: "Matt Andreko" <mandreko@ori.net>
> To: "'Bill Pennington'" <billp@boarder.org>;
> <pen-test@securityfocus.com>
> Sent: Tuesday, August 06, 2002 5:56 PM
> Subject: RE: Cross Site Scripting Vulnerabilities - XSS
>
>
> > I am kinda new to XSS, but am intrigued by how it works. I have found
> > sometimes you can get javascript messages to pop up and such, but if
> > it's not being stored in a database, what good is it?
> >
> > Take for example Iwillusa.com (a motherboard maker's website). They
> > have a product page that I saw had some html in the URL:
> >
> > http://www.iwillusa.com/products/spec.asp?ModelName=DVD266>u</i>-RN&SupportID=
> > I edited it and it became:
> >
> > http://www.iwillusa.com/products/spec.asp?ModelName=DVD266u-RN
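The following is an added example, not code from anyone in the thread above. It models the reflected case Matt asks about (a parameter echoed straight into the page with nothing stored server-side) using the ModelName value from the quoted URL, shows the fix (HTML-escaping the untrusted value before it reaches the template) and the cookie attributes that blunt the session-hijacking outcome Kevin describes. The page template, the `session` cookie name and the `reflects_markup` check are assumptions made for the example; they are not the vendor's real code.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed input for this example: the product URL quoted in the thread,
# with the injected markup sitting in the ModelName query parameter.
THREAD_URL = ("http://www.iwillusa.com/products/spec.asp"
              "?ModelName=DVD266>u</i>-RN&SupportID=")


def model_name_from(url):
    """Extract the ModelName parameter the way the server would see it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("ModelName", [""])[0]


def render_spec_unsafe(model_name):
    """Hypothetical page template that echoes the parameter verbatim.
    This is the reflected XSS pattern: nothing is stored, the injected
    markup only exists in the request that carries it, yet whoever clicks
    the link gets it rendered in their own browser, in the site's origin."""
    return "<html><body><h1>Specs for <i>%s</i></h1></body></html>" % model_name


def render_spec_safe(model_name):
    """Same template, with the untrusted value HTML-escaped on output, so
    '<', '>', quotes and '&' become entities and cannot open new tags."""
    return ("<html><body><h1>Specs for <i>%s</i></h1></body></html>"
            % html.escape(model_name, quote=True))


def reflects_markup(page, raw_value):
    """Assumed review check: the raw value contains HTML metacharacters
    and appears in the response unchanged, i.e. the output is not encoded."""
    has_meta = any(ch in raw_value for ch in "<>\"'&")
    return has_meta and raw_value in page


def session_cookie_header(session_id):
    """Set-Cookie header for the (assumed) session cookie. HttpOnly keeps
    injected script from reading it via document.cookie, Secure keeps it
    off plaintext HTTP, SameSite limits cross-site sending. This reduces the
    damage of an XSS bug; it does not remove the need to escape output."""
    return ("Set-Cookie: session=%s; Path=/; Secure; HttpOnly; SameSite=Lax"
            % session_id)


if __name__ == "__main__":
    name = model_name_from(THREAD_URL)
    print("parameter as parsed :", name)
    print("unsafe reflects raw :", reflects_markup(render_spec_unsafe(name), name))
    print("safe reflects raw   :", reflects_markup(render_spec_safe(name), name))
    print(render_spec_safe(name))
    print(session_cookie_header("constructed-session-id"))
```

The point of the check is that "no database" does not mean "no exposure": the unsafe template reflects the exact bytes of the request back, so any link a user follows (from an e-mail, as Matt says) runs in the site's origin. The safe template keeps the same layout but renders the injected `</i>` as literal text.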