Full Disclosure mailing list archives
Re: excessive xss vulnerabilities
From: bugtraq () cgisecurity net
Date: Tue, 9 May 2006 10:37:45 -0400 (EDT)
Interesting, a JS keylogger! You should use XMLHTTP to post the info...
A presentation by Jeremiah Grossman at blackhat last year walked through installing a keylogger and using AJAX (HTMLHTTP) to not only record what the user was doing, but also interactively feed them new payloads. - zeno http://www.cgisecurity.com/ Web Security news and More http://www.cgisecurity.com/index.rss [RSS Feed]
________________________________ From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Christian Swartzbaugh Sent: 09 May 2006 00:35 To: full-disclosure () lists grok org uk Subject: [Full-disclosure] excessive xss vulnerabilities there is a high volume of xss vulnerabilities on this list. take the next step to disclose why xss important for the affected program. for instance, creating a test case that does something privileged or malicious towards a visitor. in attempting to create a keystroke logger in javascript i've found it drops random keystrokes (i think its a speed problem). and i would be interested in seeing more malicious javascript. again please justify why xss is valuable in disclosures of these vulnerabilties even if its just a cookie stealer, please show why an attacker would want those cookies or how he/she could use them to create a security issue.=20 thanks feofil ------_=_NextPart_001_01C67343.30812B54 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Dus-ascii"> <META content=3D"MSHTML 6.00.2900.2873" name=3DGENERATOR></HEAD> <BODY> <DIV dir=3Dltr align=3Dleft><FONT face=3DArial color=3D#0000ff = size=3D2><SPAN=20 class=3D903053208-09052006>Interesting, a JS keylogger! You should use = XMLHTTP to=20 post the info...</SPAN></FONT></DIV><BR> <DIV class=3DOutlookMessageHeader lang=3Den-us dir=3Dltr align=3Dleft> <HR tabIndex=3D-1> <FONT face=3DTahoma size=3D2><B>From:</B> = full-disclosure-bounces () lists grok org uk=20 [mailto:full-disclosure-bounces () lists grok org uk] <B>On Behalf Of = </B>Christian=20 Swartzbaugh<BR><B>Sent:</B> 09 May 2006 00:35<BR><B>To:</B>=20 full-disclosure () lists grok org uk<BR><B>Subject:</B> [Full-disclosure] = excessive=20 xss vulnerabilities<BR></FONT><BR></DIV> <DIV></DIV>there is a high volume of xss vulnerabilities on this list. = take the=20 next step to disclose why xss important for the affected program. for = instance,=20 creating a test case that does something privileged or malicious towards = a=20 visitor. in attempting to create a keystroke logger in javascript i've = found it=20 drops random keystrokes (i think its a speed problem). and i would be = interested=20 in seeing more malicious javascript. <BR><BR>again please justify why = xss is=20 valuable in disclosures of these vulnerabilties<BR>even if its just a = cookie=20 stealer, please show why an attacker would want those cookies or how = he/she=20 could use them to create a security issue.=20 <BR><BR>thanks<BR>feofil<BR></BODY></HTML> ------_=_NextPart_001_01C67343.30812B54-- --===============0551646189== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ --===============0551646189==--
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- excessive xss vulnerabilities Christian Swartzbaugh (May 08)
- Re: excessive xss vulnerabilities n3td3v (May 08)
- <Possible follow-ups>
- RE: excessive xss vulnerabilities Edward Pearson (May 09)
- Re: excessive xss vulnerabilities bugtraq (May 09)