WebApp Sec mailing list archives

XSS

From: John Madden <chiwawa999 () yahoo com>
Date: Tue, 10 Dec 2002 06:38:53 -0800 (PST)

Hello all,

Being new to XSS and seing alot of messages in the
last couple weeks on the subject got me wondering...

What is the real vulnerability if the site in
questions is vulnerable to XSS but does not let you
write any malicious scripts on the system, like
message board, forums etc... ? Can anything be done to
exploit XSS if the above scenario occurs ? I know it
depends on the web server, packages installed etc...
I'm asking in generaly is it possible ?

You can do the document.cookie and view your
cookie, that migth give a hint on the structure but...
or redirect yourself to another web site :) etc...

I've read the document on XSS by David Endler
http://www.idefense.com/papers.html but still have
some questions.
 
If possible, can the XSS guru's on the list shed some
light on the subject.

Thanks for your time,

Cheers


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

Current thread:

XSS John Madden (Dec 10)
- RE: XSS Eyal Udassin (Dec 10)
- Re: XSS Kevin Spett (Dec 10)
  - Re: XSS John Madden (Dec 10)
    - Re: XSS Kevin Spett (Dec 10)
    - Re: XSS Stephen de Vries (Dec 11)
    - Re: XSS Matthew Miller (Dec 11)
    - Re: XSS Jeff Williams @ Aspect (Dec 11)
    - Re: XSS Sverre H. Huseby (Dec 19)
    - Re: XSS Ed Tracy @ Aspect Security (Dec 11)
    - Re: XSS Matthew Miller (Dec 11)

(Thread continues...)