Re: [Full-Disclosure] Search Engine XSS

From: northern snowfall (dbailey27_at_ameritech.net)
Date: 07/23/03

    To: Shanphen Dawa <list@hardlined.com>
    Date: Wed, 23 Jul 2003 14:08:08 -0500
    
    

    >Yes but what effect does this have on the server? How does it compromise security? Can you use this to DoS the server? Can you use this to gain access to areas on the server otherwise not available?
    >
    Sometimes server security isn't the issue. Client trust is just
    as important as server or network security. If an attacker can
    create an instance of psychological mistrust, you're carrying
    out a psychological denial of service.

    Unfortunately, a vast number of our average users are
    susceptible to this kind of attack. From a business sense
    this is still a serious problem. If this scenario were
    played out in a clever fashion, stock integrity of a given
    company could be compromised.

    One could almost classify this as a strange route toward
    corporate espionage or corporate warfare strategy.

    Security researchers might be smart enough to see through
    these kinds of tactics, but can the general public? Don't
    forget, the public is the end user we are supposedly
    looking out for. Thus, their interests would not make
    light of a vulnerability such as XSS, despite how simple
    it may be to carry out the exploit.

    Don

    http://www.7f.no-ip.com/~north_

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

