> corresponding real query string. wouldn't i need to connect to the server
> with a cookie: ASPSESSIONIDxxx=xxxxxxx to webpath/script.asp?xxxxx and
> know that id after the question mark, this wouldn't be possible just
> having the cookie I don't think.

if you can grab the cookie by inserting script into the page then you can also grab the entire url of the page it is on including the query string args with the same script...try inserting an alert(location.href)

> Also what other possibilities are there to exploit the cross site
> scripting hole, for example if there was an error page that only the user
> submitting the false url can see then what damage could be done?

One of the things with cross site scripting is that it can fool people into visiting a trusted url. It may not even be an attack on your site... just using your site to help exploit someone. Something along the line of me having a link to your site with some malicious hex encoded script on the end so that when the user visits it (and semi trusting that he is going to some main stream site) that he is actually exploited with the script i got your server to echo to him and it looks like at least from the user perspective that it is your fault... not a biggie from server security perspective...but what if the script wrote out a nice looking page of complete misinformation or some spammers ad..there goes your bandwidth or the possibility of people believing some info came from a trusted source.. imagine someone mailing students that they had to change passwords and directed them to a cross site scripted form on one of your servers that submitted the info to another server? everything would look like normal to the vast majority of users.
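As an added illustration (not code from the thread or from any real script.asp), the following shows why the "hex encoded script on the end" of a link works against an error page that echoes a query parameter, and how HTML-encoding the echoed value at the server defuses it. The page-rendering functions and the parameter name `page` are hypothetical stand-ins for the ASP page discussed above.

```javascript
// Map the five characters that can change HTML context to entities.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Pull one parameter out of a raw query string, percent-decoding it the way
// the server does. This is where "hex encoded script" turns back into <script>.
function getParam(queryString, name) {
  for (const pair of queryString.replace(/^\?/, '').split('&')) {
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    if (decodeURIComponent(k) === name) {
      return decodeURIComponent(v.replace(/\+/g, ' '));
    }
  }
  return '';
}

// Vulnerable (hypothetical): the error page echoes the parameter verbatim,
// so whatever the link carried is served back as part of the trusted site.
function renderErrorPageUnsafe(queryString) {
  const page = getParam(queryString, 'page');
  return `<html><body>Error: page ${page} not found</body></html>`;
}

// Fixed: identical page, but the reflected value is HTML-encoded first,
// so the browser renders the tag as text instead of executing it.
function renderErrorPageSafe(queryString) {
  const page = htmlEncode(getParam(queryString, 'page'));
  return `<html><body>Error: page ${page} not found</body></html>`;
}

// Regression check for the fix: does untrusted input survive as a live
// <script> tag in the emitted HTML?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample link: the thread's alert(location.href) test, percent-encoded.
const sampleQuery = '?page=%3Cscript%3Ealert(location.href)%3C%2Fscript%3E';
```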
This archive was generated by hypermail 2b30 : Tue Oct 02 2001 - 14:50:59 PDT