('binary' encoding is not supported, stored as-is) In-Reply-To: <20020429183257.8001.qmailmail.securityfocus.com>

<quote src=http://httpd.apache.org/info/css-security>
Q: Why the name "Cross Site Scripting"?
A: This issue isn't just about scripting, and there isn't
necessarily anything cross site about it. So why the name?
It was coined earlier on when the problem was less
understood, and it stuck. Believe me, we have had more
important things to do than think of a better name.
</quote>

IMHO the "cross site" nature of XSS comes from the fact
that you are forwarding the trust level of one site to
another (from vuln site to attacker’s site). This is the
case in well known and common "transient XSS". The case you
discuss..."When one puts a javascript in a message"...or
injecting any attacker defined content in general, is
a "permanent XSS". All XSS attacks are derived from these
two basic types. As marc from apache.org points out, the
term isn’t well named…for a various number of reasons, but
it just stuck.

So basicly don’t worry about the messed up
nomenclature....just keep putting out good Advisories frog
frog!!

Lata,

-Slow2Show-
University of Florida

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]