Re: XSS vulnerability on Apache Tomcat server

From: Muhammad Faisal Rauf Danka (mfrd@attitudex.com)
Date: 08/21/02


Date: Wed, 21 Aug 2002 03:17:03 -0700 (PDT)
From: Muhammad Faisal Rauf Danka <mfrd@attitudex.com>
To: pen-test@securityfocus.com

First of all, read this :
http://www.cgisecurity.net/articles/xss-faq.shtml

Then, if you find out that the web server itself is vulnerable to XSS, which I doubt. You might have found a CGI hosted on the server that is vulnerable to XSS; in any case, once you find out for sure, see whether that website/CGI is responsible for issuing cookies or for the authentication of cookies.
If it is not, then your XSS alert is going to be an alert only in your Final Report, and you could say that bad coding or non-security-conscious coding practices were exercised during the coding of the CGIs.

Regards
--------
Muhammad Faisal Rauf Danka

Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B
784B 0202
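The triage the reply above describes, written out as a small script: confirm that the injected canary really comes back unencoded, then look at what the same origin sets in Set-Cookie and whether injected script could read it. This is an added example by the editor, not code from the original poster or from Tomcat. The HTTP response it parses is constructed for illustration; JSESSIONID is the real name of Tomcat's session cookie, but the value, the second cookie, the paths and the page body are made up.

```python
"""Triage a reflected-XSS finding: confirm the reflection, then check whether
the same origin hands out cookies that injected script could read.

Editor's example; the response below is constructed, not captured from a
real host (JSESSIONID is Tomcat's real session cookie name, the rest is made up).
"""

# Constructed response: a CGI echoing a query parameter into the page, with the
# container setting a session cookie (no HttpOnly) on the same origin.
CAPTURED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/\r\n"
    "Set-Cookie: theme=blue; Path=/; Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Results for: xss<\"'>marker</body></html>"
)

# Canary submitted as the parameter value: the characters that must survive
# unencoded for script injection to be possible at all.
MARKER = 'xss<"\'>marker'


def parse_response(raw):
    """Split a raw HTTP response into (status_line, headers, body).

    Headers come back as a list of (name, value) pairs because Set-Cookie
    legitimately repeats and must not be collapsed into a dict.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def reflected_unencoded(body, marker):
    """True only if the canary appears verbatim.  An HTML-encoded copy
    (&lt;&quot;...) means the CGI escapes output: scanner false positive."""
    return marker in body


def cookie_exposure(headers):
    """List every cookie the response sets and whether document.cookie would
    expose it to injected script (i.e. the HttpOnly flag is absent)."""
    cookies = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
        cookies.append({
            "name": cookie_name,
            "httponly": "httponly" in flags,
            "secure": "secure" in flags,
        })
    return cookies


def triage(raw, marker):
    """Combine both checks into the call the post describes: confirmed
    reflection plus a script-readable cookie is real impact; confirmed
    reflection with nothing to steal is a coding weakness for the report."""
    _, headers, body = parse_response(raw)
    confirmed = reflected_unencoded(body, marker)
    cookies = cookie_exposure(headers)
    readable = [c["name"] for c in cookies if not c["httponly"]]
    if not confirmed:
        rating = "not vulnerable (output is encoded)"
    elif readable:
        rating = "exploitable: XSS can read " + ", ".join(readable)
    else:
        rating = "informational: XSS but no script-readable cookies"
    return {"confirmed": confirmed, "cookies": cookies,
            "script_readable": readable, "rating": rating}


if __name__ == "__main__":
    print(triage(CAPTURED_RESPONSE, MARKER)["rating"])
```

Run against a real target you would capture the response to the canary request yourself (e.g. with a proxy) and feed it to `triage`; the constants here only stand in for that capture. Note that the cookie check tells you what a session-stealing payload could reach, not whether the cookie is actually used for authentication, which still has to be confirmed by hand as the post says.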


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
