Re: cross site scripting ?
From: Sverre H. Huseby (shh@thathost.com)
Date: 04/30/02
- In reply to: Slow2Show: "Re: cross site scripting ?"
Date: Tue, 30 Apr 2002 12:55:04 +0200
From: "Sverre H. Huseby" <shh@thathost.com>
To: Slow2Show <sl2sho@yahoo.com>
[Slow2Show]
| Q: Why the name "Cross Site Scripting"?
| A: This issue isn't just about scripting, and there isn't
| necessarily anything cross site about it. So why the name?
| It was coined earlier on when the problem was less
| understood, and it stuck.
I think the misuse of the term relates to the CERT advisory
CA-2002-02, "Malicious HTML Tags Embedded in Client Web Requests" at
http://www.cert.org/advisories/CA-2000-02.html
The advisory talks about several ways to include script code in web
pages. One way exploits browser vulnerabilities, in which browsers
fail to make sure documents of different origins are not allowed to
interfere with one another. The CERT advisory calls this particular
problem "Cross-site Scripting". For some reason, the term is now used
for every problem outlined by the CERT advisory (and then some).
I may, of course, be totally wrong. :)
Sverre.
-- shh@thathost.com Computer Geek? Try my Nerd Quiz http://shh.thathost.com/ http://nerdquiz.thathost.com/