('binary' encoding is not supported, stored as-is) In-Reply-To: <20020429183257.8001.qmailat_private> <quote src=http://httpd.apache.org/info/css-security> Q: Why the name "Cross Site Scripting"? A: This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name. </quote> IMHO the "cross site" nature of XSS comes from the fact that you are forwarding the trust level of one site to another (from vuln site to attacker’s site). This is the case in well known and common "transient XSS". The case you discuss..."When one puts a javascript in a message"...or injecting any attacker defined content in general, is a "permanent XSS". All XSS attacks are derived from these two basic types. As marc from apache.org points out, the term isn’t well named…for a various number of reasons, but it just stuck. So basicly don’t worry about the messed up nomenclature....just keep putting out good Advisories frog frog!! Lata, -Slow2Show- University of Florida
This archive was generated by hypermail 2b30 : Mon Apr 29 2002 - 19:01:35 PDT