If you were really trying to exploit an XSS issue, you wouldn't make a pop-up box... people just use that to test for it. You would do something like silently send an HTTP request containing the cookie value to another site, so that the person (or program) at the other end would be able to hijack the session.

Kevin Spett
SPI Dynamics, Inc.
http://www.spidynamics.com/

----- Original Message -----
From: "Matt Andreko" <mandrekoat_private>
To: "'Bill Pennington'" <billpat_private>; <pen-testat_private>
Sent: Tuesday, August 06, 2002 5:56 PM
Subject: RE: Cross Site Scripting Vulnerabilities - XSS

> I am kinda new to XSS, but am intrigued by how it works. I have found
> sometimes you can get javascript messages to pop up and such, but if
> it's not being stored in a database, what good is it?
>
> Take for example Iwillusa.com (a motherboard maker's website). They
> have a product page that I saw had some html in the URL:
> http://www.iwillusa.com/products/spec.asp?ModelName=DVD266>u</i>-RN&SupportID=
> I edited it and it became:
> http://www.iwillusa.com/products/spec.asp?ModelName=DVD266u-RN