Evolution of Cross-Site Scripting Attacks

From: David Endler (dendler@idefense.com)
Date: 05/20/02

To: <bugtraq@securityfocus.com>

It seems today that Cross-Site Scripting (XSS) holes in popular
web applications are being discovered and disclosed at an ever-
increasing rate. Just glancing at the Bugtraq security mailing
list archives at http://online.securityfocus.com/archive/1 over
the first half of 2002 shows countless postings of XSS holes in
widely used websites and applications.

This new iDEFENSE Labs paper predicts that fully and
semi-automated techniques will aggressively begin to emerge for
targeting and hijacking web applications using XSS, thus
eliminating the need for active human exploitation. Some of
these techniques are detailed along with solutions and
workarounds for web application developers and users. It is
available at http://www.idefense.com/XSS.html for download.

To gain a good foundation on XSS from a beginner's perspective,
zeno of cgisecurity.com has also just released a great FAQ
today available at:

Some of the concepts in the iDEFENSE Labs paper may be better
understood after reading this FAQ.


David Endler, CISSP
Director, iDEFENSE Labs
