From: HarryM (harrym_at_the-group.org)
Date: Mon Dec 16 2002 - 00:23:45 CST

    > In order for a site to be susceptible to XSS attacks, the site needs to
    > accept user input and repost that user input. This would allow for the
    > two ingredients of XSS: 1. Receiving malicious code from an attacker. 2.
    > Delivering that malicious code to a valid user. Accordingly, the answer
    > is NO. Your site should be safe from XSS

    I haven't been following this thread, so apologies if someone has already
    covered this.

    Although that's true, strictly speaking, don't let it lull you into a false
    sense of security - A site that takes input without reposting it can still
    be susceptible to a wide variety of attacks along the lines of SQL or
    special character injection. For example, a site that had an SQL database
    set up to record web statistics could be fed a malicious HTTP_REFERER field.

    I said 'strictly speaking' above, since although this isn't XSS, it
    certainly falls under the same bracket (malicious input and/or lack of input
    validation).

    Harry
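
The web-statistics case described above, as an added example that is not part of the original post: a hit logger that pastes the Referer header into its SQL text, next to the same logger using bound parameters. The table name, function names, the use of SQLite and the sample Referer values are all assumptions constructed for illustration.

```python
import sqlite3

def open_stats_db():
    # Hypothetical stats table: one row per page hit.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hits (path TEXT, referer TEXT)")
    return db

def log_hit_concat(db, path, referer):
    # Weak form: the header value becomes part of the SQL statement itself.
    db.execute("INSERT INTO hits (path, referer) VALUES ('%s', '%s')"
               % (path, referer))

def log_hit_bound(db, path, referer):
    # Hardened form: the header value is passed as data, never parsed as SQL.
    db.execute("INSERT INTO hits (path, referer) VALUES (?, ?)",
               (path, referer))

def try_log(log_fn, referer):
    """Log one hit in a fresh database and report what ended up stored."""
    db = open_stats_db()
    try:
        log_fn(db, "/index.html", referer)
    except sqlite3.Error as exc:
        return ("sql-error", str(exc))
    rows = db.execute("SELECT referer FROM hits").fetchall()
    return ("stored", [row[0] for row in rows])

# Constructed Referer values: nothing is ever echoed back to a browser,
# yet a quote character still reaches the SQL parser in the weak form.
SAMPLE_REFERERS = [
    "http://example.test/?q=o'brien",   # breaks the concatenated statement
    "http://example.test/' || 'page",   # evaluated as an SQL expression
]

if __name__ == "__main__":
    for referer in SAMPLE_REFERERS:
        print("header:", referer)
        print("  concat:", try_log(log_hit_concat, referer))
        print("  bound: ", try_log(log_hit_bound, referer))
```

With the concatenating logger, the first header aborts the insert and the second is stored as something other than what was sent; with bound parameters, both are recorded verbatim.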