On Fri, 1 Feb 2002, Brian McWilliams wrote:

> At 03:09 PM 1/31/2002, Joe Harrison wrote:
> >I can't help feel the importance of these cross-site-scripting attacks is
> >over-emphasised.
>
> As others have pointed out, CSS bugs can be used to do some pretty
> interesting things.
>
> FYI, the source De Vitry injected into the news site pages is here:
> http://devitry.com/mon
>

More interesting are cases where you can actually inject it into a cookie that the site uses to make it persist. Rare perhaps, but it has a good history because Microsoft themselves created a good demo of this exact technique a couple of years back when they first brought forward the "new age" of CSS (which resulted in the CERT advisory)... was an exploit that set a msnbc.com cookie that made the news story on the msnbc.com home page (either that or some other msn news site, would have to check my notes) be a bogus attacker-specified story, even if you went back there by entering "http://www.msnbc.com/" directly or closed and restarted your browser before returning.

There are a lot of issues. Many of them are fairly low risk. But it is important that people don't get tricked into thinking they are all low risk, since this is a massive issue. IMHO, one of the biggest ongoing issues with the deployment of web-based applications.
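The cookie-persisted case described in the message above, shown from the server side as an added example that is not part of the original post: a page that writes a cookie value into its HTML unencoded, next to a version that bounds and encodes it. The cookie name `headline`, the page template, and the sample cookie are assumptions constructed for illustration.

```javascript
// Added illustration; the "headline" cookie and the page template are hypothetical.
"use strict";

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep the raw value */ }
    jar[name] = value;
  }
  return jar;
}

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  }[c]));
}

// Before: the cookie value is trusted and written into the page as-is.
function renderVulnerable(cookieHeader) {
  const headline = parseCookies(cookieHeader).headline || "Top stories";
  return "<h1>" + headline + "</h1>";
}

// After: the cookie is untrusted input, so it is length-bounded and encoded on output.
function renderHardened(cookieHeader) {
  const raw = parseCookies(cookieHeader).headline;
  const headline = (typeof raw === "string" && raw.length <= 80) ? raw : "Top stories";
  return "<h1>" + escapeHtml(headline) + "</h1>";
}

// Constructed sample: once set, the browser replays this cookie on every later
// visit, including after a restart or when the URL is typed in directly.
const plantedCookie = "session=abc123; headline=" +
  encodeURIComponent("<script>alert(1)</script>");
console.log(renderVulnerable(plantedCookie)); // markup from the cookie reaches the page
console.log(renderHardened(plantedCookie));   // same value rendered as inert text
```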
This archive was generated by hypermail 2b30 : Fri Feb 01 2002 - 19:08:18 PST