RE: [Full-Disclosure] Re: New Web Vulnerability - Cross-Site Tracing

From: Steven M. Christey (coleyat_private)
Date: Thu Jan 23 2003 - 16:46:45 PST

    "Richard M. Smith" <rmsat_private> asked:
    
    >Do you know of any cases of cross-site scripting being used in the
    >real world?
    
    I have observed unsuccessful cross-site scripting attacks on custom
    programs of a particular web server, but they are rarely performed.
    
    >I looked around last fall some and couldn't find any examples being
    >reported.
    
    I remember, though many enterprises are quite hush-hush about the
    details of security incidents.  Maybe CERT/CC has incident data that
    it could summarize?
    
    >XSS errors are real easy to make, so it is not surprising they are the
    >2nd most frequently reported vulnerability.
    
    Agreed.  Unlike bugs like buffer overflows, format strings, SQL
    injection, and directory traversal, nearly every single input is
    suspect, resulting in more attack vectors.  Think of how many inputs
    are echoed back to a web page, for example, versus how many inputs are
    used to construct filenames, or format log messages.  Also, "XSS
    cleansing" can be difficult if certain inputs need to be fairly
    free-form.  XSS issues can be easy to find, which is probably also a
    factor, though it also demonstrates the lack of adequate testing on
    the part of the developer.
    
    - Steve
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    


