Comments on: What XSS isn't

By: StumbleUpon

StumbleUpon — Sun, 01 Oct 2006 12:06:37 +0000

[...] Your page is now on StumbleUpon! For each appearance in your referral logs, one of our members has ’stumbled upon’ your site after clicking “Stumble!” on our toolbar to discover a new great site. Enter Your URL → [...]

By: Seth Woolley's Blog - Occasional Musings

Seth Woolley's Blog - Occasional Musings — Thu, 28 Sep 2006 20:41:26 +0000

[...] http://neosmart.net/blog/archives/194 [...]

By: Computer Guru

Computer Guru — Thu, 24 Aug 2006 08:42:37 +0000

[quote comment="3881"]Well picture this guys and gals. What if someone injected persistent XSS onto SUN’s webpage, that redirected all of the users to Microsoft.com ? Imagine the amount of money SUN would loose on such an attack. You wouldnt like to own stock at SUN then, would you?[/quote]
And how exactly is this fatal???
Especially as XSS normally relies on secrecy and subversion - this kind of thing would be fixed in 6 minutes tops.

QED..

By: dodo

dodo — Tue, 22 Aug 2006 14:26:28 +0000

Well picture this guys and gals. What if someone injected persistent XSS onto SUN’s webpage, that redirected all of the users to Microsoft.com ? Imagine the amount of money SUN would loose on such an attack. You wouldnt like to own stock at SUN then, would you?

By: about:cmlenz - [ANN] Markup

about:cmlenz - [ANN] Markup — Thu, 03 Aug 2006 22:43:42 +0000

[...] Automatic escaping of text. With most character-stream based template engines, whenever you forget to properly escape some string in the output a malicious user can find a way to abuse that as a vector for cross-site scripting (XSS) attacks. Trac had its share of such vulnerabilities in the past. Dangerous stuff, and often underestimated. [...]

By: ha.ckers.org web application security lab - Archive » JavaScript Malware Talk at Blackhat is a Success

Thu, 03 Aug 2006 18:59:54 +0000

[...] Using a combination of CSS, JavaScript, Java and images, you can detect the internal IP address, locate which servers the user has been on, detect what is running on them, and actually exploit them, even if they are behind a firewall and non-routable. Holy crap! Anyone who says XSS isn’t worth talking about really clearly doesn’t know what they’re talking about. Cross site scripting now has access to almost everything, everywhere. [...]

By: Dark Reading - Application and Perimeter Security - XSS Exposure - Security Blog

Dark Reading - Application and Perimeter Security - XSS Exposure - Security Blog — Thu, 13 Jul 2006 10:33:56 +0000

[...] JUNE 26, 2006 | 2:30 PM — There have been rumblings around the blogosphere about a June 22 post, What XSS isn’t. The author tries to make an argument that cross-site scripting (XSS) is not a product vulnerability but a by-product of Javascript. “What matters in the end is that these products aren’t ‘defective’ and not even truly insecure. They’ve been modified the way the language allows for them to be modified, no more no less,” the author claims. [...]

By: TheGoogleCache » Google Auctions XSS Proof of Concept

TheGoogleCache » Google Auctions XSS Proof of Concept — Mon, 10 Jul 2006 19:05:38 +0000

[...] After a recent article by the folks at NeoSmart.net http://neosmart.net/blog/archives/194 which seemingly downplayed the severity and danger posed by XSS (cross site scripting), I thought it pertinent to help elucidate just how powerful XSS can be. The vast majority of XSS proof-of-concepts are limited to simple javascript alerts. When visiting an XSS injected url, you see some pop up that warns you of the vulnerability. This is substantial enough for professionals to understand the severity of the injection, but to the average web user it seems no more dangerous than any other pop up they encounter. [...]

By: Computer Guru

Computer Guru — Wed, 05 Jul 2006 05:43:42 +0000

Hey Harky.

That’s true, WP used to have quite a few XSS vulnerabilities, and still does (as demonstrated above).

But that’s the missing the point of the article. XSS exists and it can be dangerous. But the extent of danger is exaggerated. Here we are at NST running WP - but we’re still up and running even with a few minor XSS holes.

By: harkey

harkey — Wed, 05 Jul 2006 03:02:37 +0000

You’re using wordpress, repeat you’re using wordpress! How can you talk like this about XSS. I’m no security expert but I’m smart enough to know that you are smoking from the wrong end of the pipe.

By: Digg, Slashdot, OSNews, and More! at The NeoSmart Files

Digg, Slashdot, OSNews, and More! at The NeoSmart Files — Sun, 02 Jul 2006 19:59:56 +0000

[...] If anyone is interested, the featured articles were “Windows Vista 5456 Released” on OSNews.com and Digg.com, “WinFS: What’s the Big Deal Anyway?” on Digg.com and OSNews.com, and “What XSS isn’t” on Slashdot.org. [...]

By: ESG Web Support and Consulting - What XSS isn�t - ESG Web Support Message Board

ESG Web Support and Consulting - What XSS isn�t - ESG Web Support Message Board — Thu, 29 Jun 2006 19:15:35 +0000

[...] What XSS isn�t - 2006/06/23 15:59 XSS is short for �cross-site scripting� which it really isn�t - but that�s a whole �nother story. Basically, in XSS �vulnerabilities� scripts on a page are used to �steal� information from other open browser windows or tabs. XSS refers to scripts embedded in a page that when activated on an end-users system can (but not necessarily) result in a leak of sensitive information.The problem isn�t so much in the attack itself as much as it is in the usage of the term. XSS is not a real security vulnerability in a product or script since it does not directly result in the loss of data integrity, but rather can be used as a tool in social engineering attacks and can never compromise the security of a server/host under any conditions nor that of an end-user on its own. XSS is not the problem. JavaScript is (just for the record, at NeoSmart we feel JavaScript is more of a headache than it is a life-saver..), and XSS is but a result of the (many) inherint security holes in JavaScript and not in the package itself! XSS is a tool like mentioned before, nothing more nothing less. But that fact has implications that render the entire foundation of XSS �insecurities� worthless.Sites with XSS �vulnerabilities� aren�t insecure. They�re absoloutely no different than any other site - except that a user can manipulate the way content displays on an �insecure� page (usually by appending something to the URL or submitting a comment or other user-generated content on the page in question) and make it pose a possible risk to viewers. It is of the utmost importance to note that a page that has an �XSS vulnerablity� is no more dangerous than visiting a random result generated by a Google search - something that users do all the time.Sites that have been modified to pose such a risk can only be as dangerous as the scripting language used allows them to be - and as lethal as the browser being used lets them be. When a page has a potential XSS vulnerability, that means nothing. Such a page needs to be first manipulated in a way that embeds a script that can �steal� content from the end-users PC, then it must be sent to the user and by means of social engineering convince the user to open the URI. After that, the attacker has to rely on the user having the information he or she would like to �steal� available, and that the browser doesn�t block such an attack. What matters in the end is that these products aren�t �defective� and not even truly insecure. They�ve been modified the way the language allows for them to be modified, no more no less.http://neosmart.net/blog/archives/194 [...]

By: Andy

Andy — Thu, 29 Jun 2006 00:50:54 +0000

Xss is very dangerous and totally fucking underhyped . Stolen cookies gives access to a logged in user. Give the admin the link and you’ll have access to the site if he has some sort of admin webinterface.

By: The SPI laboratory

The SPI laboratory — Wed, 28 Jun 2006 19:06:38 +0000

Common Misconceptions in Web Application Security, Part 2…

In Part 1 of this thread, I mentioned how there were a number of people that had misconceptions about……

By: What cross-site scripting isn�t - IT Observer

What cross-site scripting isn�t - IT Observer — Sun, 25 Jun 2006 14:57:46 +0000

[...] What cross-site scripting isn�tFriday, 23 June 2006 04:50 ESTXSS is another one of those buzzwords. You know what we�re talking about, the ones like CSS, Web 2.0, DHTML, AJAX, Google, and the rest. Except it�s dangerous. It�s dangerous because XSS is taken far out of proportions than it should be (just like the rest of the words on the list), but in XSS� case, it can make perfect scripts look like Swiss cheese, even if they�re not. XSS is short for �cross-site scripting� which it really isn�t - but that�s a whole �nother story. Basically, in XSS �vulnerabilities� scripts on a page are used to �steal� information from other open browser windows or tabs. XSS refers to scripts embedded in a page that when activated on an end-users system can (but not necessarily) result in a leak of sensitive information. The problem isn�t so much in the attack itself as much as it is in the usage of the term. XSS is not a real security vulnerability in a product or script since it does not directly result in the loss of data integrity, but rather can be used as a tool in social engineering attacks and can never compromise the security of a server/host under any conditions nor that of an end-user on its own.Read Full Story [...]