Evolution of Cross-Site Scripting Attacks

[David Endler <dendler () idefense com>]

It seems today that Cross-Site Scripting (XSS) holes in popular 
web applications are being discovered and disclosed at an ever-
increasing rate. Just glancing at the Bugtraq security mailing 
list archives at http://online.securityfocus.com/archive/1 over 
the first half of 2002 shows countless postings of XSS holes in 
widely used websites and applications. 
 
This new iDEFENSE Labs paper predicts that fully and semi-
automated techniques will aggressively begin to emerge for 
targeting and hijacking web applications using XSS, thus 
eliminating the need for active human exploitation. Some of 
these techniques are detailed along with solutions and 
workarounds for web application developers and users.  It is 
available at http://www.idefense.com/XSS.html for download.

To gain a good foundation on XSS from a beginner's perspective, 
zeno of cgisecurity.com has also just released a great FAQ 
today available at:
 http://www.cgisecurity.com/articles/xss-faq.shtml  

Some of the concepts in the iDEFENSE Labs paper may be better 
understood after reading this FAQ.

-dave

David Endler, CISSP
Director, iDEFENSE Labs
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler () idefense com
www.idefense.com