From: Richard M. Smith (rms@privacyfoundation.org)
Date: Tue Oct 23 2001 - 11:18:07 CDT
Briefly, here are two methods of doing cross-site scripting
automatically from a Web page or HTML email message:
1. JavaScript can simulate a click on a link using an expression
like:
location.href = "The bad CSS URL";
2. The bad URL can be used in an HTML <IFRAME> tag.
Richard
-----Original Message-----
From: Mark Curphey [mailto:mark@curphey.com]
Sent: Tuesday, October 23, 2001 10:31 AM
To: webappsec@securityfocus.com
Subject: Cross Site Scripting with No User Intervention
Does anyone have a really good explanation of how cross site scripting
could work with no user intervention at all...I have seen lots of ways
to pass JavaScript like URL and Unicoded (and OWASP are writing them up)
but I haven't seen a good explanation of how it can be used on a totally
innocent user...all the exploits I have *seen* have involved first
tricking the target into clicking a hyperlink...
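
The two no-click vectors named in the reply (a scripted location.href assignment and an <IFRAME> src) can be looked for in untrusted HTML before a mail client or proxy renders it. The following is an added example, not part of the original thread: the function names, the regex heuristics and the sample hosts are assumptions made for illustration.

```javascript
// Added example: flag the two no-click delivery vectors named in the reply
// (scripted location.href assignment, <IFRAME src>) in untrusted HTML.
// Regex matching is a triage heuristic, not a full HTML parser.
const VECTORS = [
  { kind: "iframe-src",
    re: /<iframe\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi },
  { kind: "location-assign",
    re: /\blocation(?:\.href)?\s*=\s*(?:"([^"]*)"|'([^']*)')/gi },
];

// Decode repeatedly (bounded) so double-encoded parameters are still inspected.
function decodeDeep(s, rounds = 3) {
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch { return s; }
    if (next === s) break;
    s = next;
  }
  return s;
}

// True when the URL's query or fragment carries markup, or the URL itself
// uses a script scheme.
function carriesMarkup(url) {
  const cut = url.search(/[?#]/);
  const tail = decodeDeep(cut === -1 ? "" : url.slice(cut));
  return /[<>"]|javascript:/i.test(tail) || /^\s*javascript:/i.test(url);
}

// Return every auto-loading URL found, with a flag for suspicious ones.
function findAutoLoads(html) {
  const hits = [];
  for (const { kind, re } of VECTORS) {
    for (const m of html.matchAll(re)) {
      const url = m[1] ?? m[2] ?? m[3] ?? "";
      hits.push({ kind, url, suspicious: carriesMarkup(url) });
    }
  }
  return hits;
}

// Constructed sample message body; hosts are placeholders.
const sample = `
<p>Hello</p>
<iframe width=0 height=0 src="http://shop.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"></iframe>
<script>location.href = "http://shop.example/help";</script>
<iframe src='http://news.example/frame.html'></iframe>`;

console.log(findAutoLoads(sample));
```

A hit only says the content would load a URL without a click; the vulnerable site still has to encode the reflected parameter on output to remove the underlying flaw.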