RE: CSS, CSS & let me give you some more CSS

• Previous message: spi labs: "SPI Labs SQL Injection Whitepaper Released"
• In reply to: M. Burnett: "Re: CSS, CSS & let me give you some more CSS"
• Next in thread: Sverre H. Huseby: "Re: CSS, CSS & let me give you some more CSS"
• Next in thread: Slow2Show: "Re: CSS, CSS & let me give you some more CSS"
• Reply: Sverre H. Huseby: "Re: CSS, CSS & let me give you some more CSS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I can't help feel the importance of these cross-site-scripting attacks is
over-emphasised.

1. You can grab a session cookie which can give you a hijacked login.
Obviously not good but also not that easy to implement as it needs quite
precise timing. Also the rightful session owner (even if unsophisticated
user) is immediately going to notice something funny is happening when his
or her genuine session blows away.

2. Gives increased scope to effect script attacks against known holes,
by-passing "security zone" protections in IE. Hmm well OK, there may be a
few people who fit into profile of "savvy enough to manage sites and zones,
but who don't install MS browser patches."

Is there anything else, I don't think so. I'm not saying the problem doesn't
exist and can't be exploited, only that maybe it doesn't rate so much heat
and light compared to many more obvious risks.

• Next message: B.K. DeLong: "Black Hat Windows Security Keynotes announced"
• Previous message: spi labs: "SPI Labs SQL Injection Whitepaper Released"
• In reply to: M. Burnett: "Re: CSS, CSS & let me give you some more CSS"
• Next in thread: Sverre H. Huseby: "Re: CSS, CSS & let me give you some more CSS"
• Next in thread: Slow2Show: "Re: CSS, CSS & let me give you some more CSS"
• Reply: Sverre H. Huseby: "Re: CSS, CSS & let me give you some more CSS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 14:41:16 PST