Cross-Site Scripting - an industry-wide problem
===
In early december i started a series of tests to find Cross-Site Scripting
(XSS) vulnerabilities. It quickly turned out that the majority of all major
websites suffer some kind of XSS. This is a
quite commom, funny because xss can be used in PHISHING attacks.
instead of alert blah try some html redirects to a hosted site with a fake
login
spoofing the original content ( a login page ) and capture username/password
then pass them to the real login page.
or better yet... xss dos attacks,
Message -
From: morning_wood [EMAIL PROTECTED]
To: mikx [EMAIL PROTECTED]; full-disclosure@lists.netsys.com;
bugtraq@securityfocus.com; [EMAIL PROTECTED]
Sent: Friday, December 24, 2004 07:42
Subject: Re: [Full-Disclosure] Cross-Site Scripting - an industry-wide problem
quite commom, funny