For clarification, are you talking about a targeted attack, or simply getting CSS to work on an unsuspecting user? Embedding a script into a guestbook that allows HTML, for example, could cause CSS to work on casual browsers, without requiring them to click on a link that has JavaScript embedded in it. Is this what you mean?

-Jason

-----Original Message-----
From: Mark Curphey [mailto:markcurphey.com]
Sent: Tuesday, October 23, 2001 7:31 AM
To: webappsecsecurityfocus.com
Subject: Cross Site Scripting with No User Intervention

Does anyone have a really good explanation of how cross site scripting could
work with no user intervention at all...I have seen lots of ways to pass
JavaScript like URL and Unicoded (and OWASP are writing them up) but I
haven't seen a good explanation of how it can be used on a totally innocent
user...all the exploits I have *seen* have involved first tricking the
target into clicking a hyperlink...

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]