Re: cross site scripint and post form
From: Jeremiah Grossman (jeremiah@whitehatsec.com)
Date: 10/12/01
Message-ID: <3BC72309.C720F5DB@whitehatsec.com>
Date: Fri, 12 Oct 2001 10:06:17 -0700
From: Jeremiah Grossman <jeremiah@whitehatsec.com>
To: Carbone <carbonate@ifrance.com>
Subject: Re: cross site scripint and post form

You may be confusing some issues here. Cross-Site Scripting
occurs when third-party or user-supplied data is displayed within
a web environment without being properly handled. It makes no
difference if the data came from a form, cookie, or even which
HTTP request method was used.

CSS is simply the instance of HTML/JavaScript from an
outside source within a web environment, executing with the
same privileges as the hosting domain.

There currently are a few ways to combat CSS and its effects.
The most widely used appears to be search/replace in strings.

Hope this answers your question.

Jeremiah-

Carbone wrote:
> Hello everybody
>
> A little question about cross site scripting. It's very easy to exploit this
> vulnerability with a "get" form: we just have to send the victim a link
> like http://www.bla.com/foo.pl?blabla="attacker script". Then foo.pl's output
> is the attacker script, and this script is executed in the victim's navigator.
> But how to exploit this hole if the form of www.bla.com makes a post request
> instead of a get request? With a post request, we are not able to make the
> url like above.
>
> We see everywhere on the web that the solution against cross site scripting
> is to escape the special characters of the form. But maybe it's easier to
> avoid GET forms? Or maybe I miss something, and it's possible to exploit
> POST forms...
>
> What is your opinion about that?
>
> Thank you
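
An added example, not part of the original message: it reads the reply's "search/replace in strings" as replacing HTML special characters with entities at output time, and applies it to the same field arriving by query string, POST body and cookie. The field name `blabla` comes from the quoted question; the function names and the sample value are constructed for illustration.

```python
from urllib.parse import parse_qs, quote, unquote, urlencode

# Order matters: "&" is replaced first, so the entities produced by the
# later replacements are not themselves re-encoded.
REPLACEMENTS = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
                ('"', "&quot;"), ("'", "&#x27;")]

def encode_for_html(value):
    """Search/replace of HTML special characters, applied when data is displayed."""
    for needle, entity in REPLACEMENTS:
        value = value.replace(needle, entity)
    return value

def field_values(method, query_string, body, cookie_header, name="blabla"):
    """Return {channel: raw value} for every place the field appears in a request."""
    found = {}
    if name in (qs := parse_qs(query_string)):
        found["query"] = qs[name][0]
    if method == "POST" and name in (form := parse_qs(body)):
        found["post_body"] = form[name][0]
    for pair in cookie_header.split(";"):
        key, _, val = pair.strip().partition("=")
        if key == name:
            found["cookie"] = unquote(val)
    return found

def render(value):
    # The encoding happens here, at output, whatever channel supplied the value.
    return "<p>Result for: " + encode_for_html(value) + "</p>"

# Constructed sample: harmless markup plus every character that needs encoding.
SAMPLE = '<b>"Tom" & \'Jerry\'</b>'
REQUESTS = [  # (method, query string, body, Cookie header), all constructed
    ("GET", urlencode({"blabla": SAMPLE}), "", ""),
    ("POST", "", urlencode({"blabla": SAMPLE}), ""),
    ("GET", "", "", "session=abc; blabla=" + quote(SAMPLE)),
]

def render_all():
    """Render the field from each constructed request; returns [(channel, html)]."""
    pages = []
    for method, qs, body, cookie in REQUESTS:
        for channel, raw in field_values(method, qs, body, cookie).items():
            pages.append((channel, render(raw)))
    return pages

if __name__ == "__main__":
    for channel, page in render_all():
        print(f"{channel:9} {page}")
```

All three channels deliver the same raw string to `render`, so the encoding step is the only place the handling can be made consistent.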