OSEC

From: Patrice Neff (mailinglists_at_patrice.ch)
Date: Sun Aug 04 2002 - 07:39:23 CDT


    "b0iler _" <b0ilerhotmail.com> writes:

    Sorry for the late reply.

    > "Cross-site scripting (XSS) is a threat where the attacker can
    > inject code into a Web application which gets executed at the
    > visitor site. This is possible whenever the input of the user gets
    > displayed on the Web site again, for example in guest books."
    >
    > If the scripting is printed into a file, or is statically put onto a
    > webpage then it is not cross site scripting, but instead script
    > injection. There is a line between the two and many people mistake
    > them. It would be kind of funny if all defacements were classified as
    > cross site scripting.

    Agreed. I think the wording is quite clear on this, isn't it?

    > I would also say that another negative side of this would be that you
    > don't always need to filter those characters. Sometimes filtering < >
    > will do little good, as you described in this example:
    >
    > str=Welcome! );location.href= http://www.patrice.ch/ ;//

    Agreed. I have also made it clear in that paragraph.

    > Encoding:
    > things like %xx can evade string filters. Convert these to ascii
    > before filtering strings. Other encoding techniques may be used.

    Here I want to ask the mailing list: Is it possible to exploit this in
    ASP code? I have tried a bit with it, and didn't find anything. If it
    *is* possible to exploit this, how do I protect myself correctly
    against it?

    > Unknown places where scripts can execute:
    > some people do not know all the possible places one can execute
    > scripting. You may filter " but <img src="$userinput"> is still
    > vulnerable to script execution.

    Thank you for that hint, I should mention it.

    Bye
    Patrice
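An added example (not part of the thread, and in Python rather than the ASP Patrice asks about): it contrasts the bare `<`/`>` filter with per-context output encoding for the three places the thread touches on (an HTML text node, the `src` attribute of `<img>`, and a JavaScript string literal), and decodes `%xx` sequences before any check is made. The function names, the `/static/blank.png` fallback and the sample inputs are assumptions made here.

```python
import html
import json
from urllib.parse import unquote, urlsplit


def strip_angle_brackets(user_input: str) -> str:
    """The naive filter discussed in the thread: drops < and > and nothing else."""
    return user_input.replace("<", "").replace(">", "")


def canonicalize(user_input: str) -> str:
    """Decode %xx sequences once so any later check sees the real characters,
    not their encoded form (the evasion b0iler describes)."""
    return unquote(user_input)


def html_text(user_input: str) -> str:
    """Encode for an HTML text node, e.g. a guest-book entry."""
    return html.escape(user_input, quote=True)


def js_string_literal(user_input: str) -> str:
    """Encode for a JavaScript string literal inside <script>. json.dumps escapes
    quotes and backslashes; '</' is escaped as well so the literal can never
    close the enclosing <script> element."""
    return json.dumps(user_input).replace("</", "<\\/")


def img_src_attribute(user_input: str, fallback: str = "/static/blank.png") -> str:
    """Encode for the src attribute of <img>. Attribute encoding alone is not
    enough here: the value is a URL, so only http/https schemes are accepted."""
    if urlsplit(user_input).scheme.lower() not in ("http", "https"):
        return html.escape(fallback, quote=True)
    return html.escape(user_input, quote=True)


def render_page(name: str, avatar_url: str) -> str:
    """The same untrusted values placed in three contexts, each with its own encoder."""
    return (
        f"<p>Welcome, {html_text(name)}</p>\n"
        f'<img src="{img_src_attribute(avatar_url)}">\n'
        f"<script>var str = {js_string_literal(name)};</script>"
    )


# Constructed sample inputs, modelled on the cases raised in the thread.
JS_BREAKOUT = 'Welcome!");location.href="http://www.patrice.ch/";//'
ATTRIBUTE_BREAKOUT = 'http://img.example/a.png" width="1'
ENCODED_TAG = "%3Cb%3E"

if __name__ == "__main__":
    print(render_page(JS_BREAKOUT, ATTRIBUTE_BREAKOUT))
```

Note that `strip_angle_brackets` leaves `JS_BREAKOUT` untouched (it contains no angle brackets at all), which is exactly why the thread calls that filter insufficient.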