Evolution of Cross-Site Scripting Attacks

From: David Endler (dendler@idefense.com)
Date: 05/20/02


Date: 20 May 2002 16:52:34 -0000
From: David Endler <dendler@idefense.com>
To: <bugtraq@securityfocus.com>

It seems today that Cross-Site Scripting (XSS) holes in popular
web applications are being discovered and disclosed at an ever-
increasing rate. Just glancing at the Bugtraq security mailing
list archives at http://online.securityfocus.com/archive/1 over
the first half of 2002 shows countless postings of XSS holes in
widely used websites and applications.
 
This new iDEFENSE Labs paper predicts that fully and semi-
automated techniques will aggressively begin to emerge for
targeting and hijacking web applications using XSS, thus
eliminating the need for active human exploitation. Some of
these techniques are detailed along with solutions and
workarounds for web application developers and users. It is
available at http://www.idefense.com/XSS.html for download.

To gain a good foundation on XSS from a beginner's perspective,
zeno of cgisecurity.com has also just released a great FAQ
today available at:
 http://www.cgisecurity.com/articles/xss-faq.shtml

Some of the concepts in the iDEFENSE Labs paper may be better
understood after reading this FAQ.

-dave

David Endler, CISSP
Director, iDEFENSE Labs
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@idefense.com
www.idefense.com


