| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200307231505.55334.sam@reefedge.com> From: sam at reefedge.com (Sam Baskinger) Subject: Search Engine XSS -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Not speaking to these specific vulnerabilities, XSS attacks in general, let you masquerade info as being legitimate data from the server. For example, you can present the user with an error page which LOOKS like a login page with the method in the HTML form being to a malicious data collector. One of the original example of XSS was one user gave a link on his webpage which to a link under the domain nytimes.com which which clicked presented the user with a bogus story. The content was that of the exploiter's choosing but it was delivered by the nytimes domain. Thus, the exploit moves across web sites. So, the impact varries a great deal depending on context and the waryness of the users. If the web browser tells you that the page returns code is HTML 403, don't go typing your password into any forms presented on that page. :-) Hope this is helpful. Sam On Wednesday 23 July 2003 14:02, Shanphen Dawa wrote: > Yes but what affect does this have on the server? How does it comprimise > security? Can you use this to DoS the server? Can you use this to gain > access to areas on the server otherwise not available? > > > On Wed, 23 Jul 2003 02:18:05 -0700 > > "morning_wood" <se_cur_ity@...mail.com> wrote: > > since were on the subject now... ill clear up my backlog... > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/HtySuabcSIn58XwRAtjsAJ40Za3RgcojJRyy2dsRfHBn67eQcgCgv16A OA+YEV+7S1+3tF5AXSmqGb4= =z4dQ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists