Real World XSS
Author: David Zimmer <dzzie@yahoo.com>
Site: http://sandsprite.com/Sleuth
Article Downloads: small_xss_utilities.zip
Section 1 - Introduction
- Prerequisites
- About the Article Downloads
- Impacts (Attack Scenario)
- Impact Summary
Section 2 - Methods of Injection, and filtering
- Injection Points
- Injection methods and filtering
- XSS scripting tips and tricks
Section 3 - Inside the mind, mental walk along of a XSS hack
Section 4 - Conclusion
Conclusion
By now I hope you all understand that Cross sight scripting is not as trivial
a 'security' hole as it appears on the surface as all of the simple demos
people post as examples.
Identifying Cross Sight Scripting is the easy part.
Foreseeing its possibilities and knowing how to use it to impact a user base
is the hard part, and is the part that is not widely discussed.
With XSS so widely written about and so misunderstood alot of people have walked away
with the false conclusion that it is an annoyance and not a threat.
The purpose of this paper is not to arm a hoard of script kiddies with a bunch of
proven tricks, but is to try to instill a sense as its actual dangers and impacts
with those who are in the position to do something about it.
As with all knowledge, it can be a double sided sword. As rfp's paper on Sql injection
techniques brought out the dangers of Sql injection to the public I too hope that
this paper may have a similar effect and raising awareness and helping people to
limit their own (and their surfer populations) exposure.
You may not loose your server to XSS attacks, it may not DOS your network, but you
may loose your users, and you may be the reason your clients lost their credit card
numbers, fell victim to identity theft or had their accounts tampered with.
Like this paper? Want to read more?
Check out the site for more Web Application Security related papers and specialized Web App auditing tools.
|