As an example of what one can do with XSS, I was reviewing a banking site which had the following sequence:

User registers, providing their account details, locations, etc. The registration is reviewed by a supervisor (different privilege levels), who contacts the user telephonically to authenticate them, before activating the account. The user then logs on, and accesses their accounts.

I was able to insert enough scripting into the personal data to automatically activate the account as soon as it was viewed, without the supervisor needing to do it manually. In fact, I was able to become a supervisor myself, and add any account I liked. Fortunately I caught this one in the testing phase :-)

That sort of thing can make quite a powerful demonstration of why input filtering (more correctly, OUTPUT filtering) is so important.

Rogan

-----Original Message-----
From: Jeremy Junginger [mailto:[EMAIL PROTECTED]]
Sent: 06 January 2003 07:01 PM
To: pen-test
Subject: XSS LAB DEMO IDEAS

After reading the papers by iDefense and the paper at http://www.technicalinfo.net/papers/CSS.html , I would like to put a working example together to familiarize our web developers with XSS vulnerabilities and their impact on the web site (and business). I would like to poll the group for interesting ways to demonstrate these vulnerabilities in a lab environment.

Thanks for taking the time to give your input.

-Jeremy

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
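The point Rogan makes about output filtering, shown as an added example that is not part of the thread and not the bank's code: a hypothetical supervisor review page that renders self-entered registration data. The template, field names and sample record are constructed for illustration; the "before" version concatenates the stored values raw, the "after" version encodes them for the HTML context at render time with Python's standard `html.escape`, leaving the stored data itself unchanged.

```python
import html

# Constructed sample registration record: the kind of self-entered personal data
# a supervisor's review screen would render. The location field carries harmless
# markup as a stand-in for script stored in those fields; the phone field carries
# a double quote to show the attribute-value context is just as exposed.
SAMPLE_REGISTRATION = {
    "name": "A. Customer",
    "location": 'Cape Town <script>alert("constructed marker")</script>',
    "phone": '+27 21 000 0000" title="constructed',
}

# Hypothetical review-page template (an assumption, not the bank's markup):
# two fields land in text nodes, one lands inside a quoted attribute value.
REVIEW_TEMPLATE = (
    "<h1>Review registration</h1>\n"
    "<p>Name: {name}</p>\n"
    "<p>Location: {location}</p>\n"
    '<input name="phone" value="{phone}">\n'
)


def render_review_unsafe(record: dict) -> str:
    """The 'before': stored values concatenated into the page unchanged.

    Whatever the registrant typed is interpreted as HTML by the supervisor's
    browser, inside the supervisor's (higher-privileged) session.
    """
    return REVIEW_TEMPLATE.format(**record)


def encode_for_html(record: dict) -> dict:
    """Output encoding applied at render time rather than at input time.

    html.escape(..., quote=True) rewrites < > & " ' so a value is inert both as
    text content and inside a double- or single-quoted attribute. The database
    row is left as entered; the supervisor still sees the literal characters.
    """
    return {key: html.escape(str(value), quote=True) for key, value in record.items()}


def render_review(record: dict) -> str:
    """The 'after': the same template, every value encoded for its HTML context."""
    return REVIEW_TEMPLATE.format(**encode_for_html(record))


def breaks_out_of_markup(rendered: str, record: dict) -> bool:
    """Regression check for a review page: does any field value that contains an
    angle bracket or quote appear verbatim in the rendered output? If it does,
    the value reached the browser un-encoded."""
    return any(
        str(value) in rendered
        for value in record.values()
        if any(ch in str(value) for ch in '<>"\'')
    )


if __name__ == "__main__":
    unsafe_page = render_review_unsafe(SAMPLE_REGISTRATION)
    safe_page = render_review(SAMPLE_REGISTRATION)
    print("raw values reach the browser (unsafe):", breaks_out_of_markup(unsafe_page, SAMPLE_REGISTRATION))
    print("raw values reach the browser (encoded):", breaks_out_of_markup(safe_page, SAMPLE_REGISTRATION))
    print(safe_page)
```

The check in `breaks_out_of_markup` is the kind of assertion worth keeping in a test suite for any page that shows one user's data to a more privileged user: it fails the moment someone adds a field to the template without encoding it.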
