Evolution of Cross-Site Scripting AttacksFrom: David Endler (firstname.lastname@example.org)
- Previous message: email@example.com: "route of #phrack is a funny man!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 20 May 2002 16:52:34 -0000 From: David Endler <firstname.lastname@example.org> To: <email@example.com>
It seems today that Cross-Site Scripting (XSS) holes in popular
web applications are being discovered and disclosed at an ever-
increasing rate. Just glancing at the Bugtraq security mailing
list archives at http://online.securityfocus.com/archive/1 over
the first half of 2002 shows countless postings of XSS holes in
widely used websites and applications.
This new iDEFENSE Labs paper predicts that fully and semi-
automated techniques will aggressively begin to emerge for
targeting and hijacking web applications using XSS, thus
eliminating the need for active human exploitation. Some of
these techniques are detailed along with solutions and
workarounds for web application developers and users. It is
available at http://www.idefense.com/XSS.html for download.
To gain a good foundation on XSS from a beginner's perspective,
zeno of cgisecurity.com has also just released a great FAQ
today available at:
Some of the concepts in the iDEFENSE Labs paper may be better
understood after reading this FAQ.
David Endler, CISSP
Director, iDEFENSE Labs
14151 Newbrook Drive
Chantilly, VA 20151