Paper: The Anatomy of Cross Site Scripting

[Gavin Zuchlinski <gzuchlinski () pgsit org>]

Hi,
I recently wrote a paper about fully attacking cross site scripting:

"Cross site scripting (XSS) flaws are a relatively common issue in web 
application security, but they are still extremely lethal. They are unique in 
that, rather than attacking a server directly, they use a vulnerable server 
as a vector to attack a client. This can lead to extreme difficulty in 
tracing attackers, especially when requests are not fully logged (such as 
POST requests). Many documents discuss the actual insertion of HTML into a 
vulnerable script, but stop short of explaining the full ramifications of 
what can be done with a successful XSS attack.  While this is adequate for 
prevention, the exact impact of cross site scripting attacks has not been 
fully appreciated.  This paper will explore those possibilities."
The paper can be found at http://libox.net/xss_anatomy.php
(my apologies in advance about posting to multiple lists)

-Gavin
http://libox.net