From: rudi carell (rudicarell hotmail.com)
Date: Tue Oct 23 2001 - 15:27:04 CDT
hi Mark,
---cut here---
>Does anyone have a really good explanation of how cross site scripting could
>work with no user intervention at all...I have seen lots of ways to pass
>JavaScript like URL and Unicoded (and OWASP are writing them up) but I
>haven't seen a good explanation of how it can be used on a totally innocent
>user...all the exploits I have *seen* have involved first tricking the
>target into clicking a hyperlink...
---cut here---
jeremiah should be the right man for this question :-)
but ..
a minimum of user input is always necessary!
at least a document carrying the malicious java-script has to be opened by
the victim (looking at his webmail-INBOX for example)!
then the attacker can do everything the victim is able to do with his client
(browser) without any further user input.
rC
security freefly.com
http://www.freefly.com/security/
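The webmail INBOX case from the message above, as an added example that is not part of the original post: an inbox row built from sender-controlled fields, first by plain concatenation and then with output encoding, plus a tag-counting check that a regression test can run. All names (`renderRowUnsafe`, `renderRowSafe`, `escapeHtml`, `tagNames`) and the sample message are hypothetical and constructed for illustration.

```javascript
// Added example, not code from the original post. Runs under Node without a DOM.

// Constructed sample: the sender controls both fields, and the recipient
// only has to open the inbox listing for them to be rendered.
const sampleMessage = {
  from: 'sender@example.test',
  subject: 'hello <script>document.title="ran"</script>',
};

// Vulnerable rendering: message fields are concatenated into markup as-is,
// so markup inside the subject becomes part of the page.
function renderRowUnsafe(msg) {
  return '<tr><td>' + msg.from + '</td><td>' + msg.subject + '</td></tr>';
}

const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change HTML text or attribute context.
// A single regex pass means '&' produced by an entity is never re-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened rendering: every sender-controlled field is encoded on output.
function renderRowSafe(msg) {
  return '<tr><td>' + escapeHtml(msg.from) + '</td><td>' +
         escapeHtml(msg.subject) + '</td></tr>';
}

// Regression helper: list the opening tags present in rendered markup.
// The template contributes tr, td, td; anything else came from message data.
function tagNames(html) {
  return [...html.matchAll(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
}

console.log('unsafe tags:', tagNames(renderRowUnsafe(sampleMessage)));
console.log('safe tags:  ', tagNames(renderRowSafe(sampleMessage)));
```
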