Re: [Full-Disclosure] Search Engine XSS
From: northern snowfall (dbailey27_at_ameritech.net)
To: Shanphen Dawa <firstname.lastname@example.org> Date: Wed, 23 Jul 2003 14:08:08 -0500
>Yes but what affect does this have on the server? How does it comprimise security? Can you use this to DoS the server? Can you use this to gain access to areas on the server otherwise not available?
Sometimes server security isn't the issue. Client trust is just
as important as server or network security. If an attacker can
create an instance of psychological mistrust you're carrying
out a psychological denial of service.
Unfortunately, a vast amount of our average users are
susceptible to this kind of attack. From a business sense
this is still a serious problem. If this scenario were
played out in a clever fashion, stock integrity of a given
company could be compromised.
One could almost classify this as a strange route toward
corporate espionage or corporate warfare strategy.
Security researchers might be smart enough to see through
these kinds of tactics, but can the general public? Don't
forget, the public is the end user we are supposedly
looking out for. Thus, their interests would not make
light of a vulnerability such as XSS, despite how simple
it may be to carry out the exploit.
Full-Disclosure - We believe in it.