The most common way to abuse is through cookie hijacking.
If an attacker sends an email to a user's webmail account that
is vulnerable to cross-site scripting and the user
opens the message, the attacker would get the user's
session cookies and read the user's email.
There are several
Does anybody have an example(s) of how this kind of abuse is actually
working?
All the time I have just been lucky then I guess.
Arnold van Kampen
On Tue, 22 Jan 2002, Perrin Harkins wrote:
Yes and no. XSS attacks are possible on old browsers, when the charset is
not set (something
Hi,
I thought it might be interesting to start a thread on cross-site
scripting attacks, since it seems that many people are not aware of
the risks involved. Has anyone noticed attacks on their applications?
Do you religiously check all input you get from form-submissions?
What techniques do
What techniques do you use to ensure that your application is not
vulnerable?
Usually I write applications so that they do some processing, package up a
chunk of data, and hand it to a template. With this structure, all you need
to do is HTML-escape the data structure before handing it off, or
On Tuesday 22 January 2002 18:48, Perrin Harkins wrote:
What techniques do you use to ensure that your application is not
vulnerable?
Usually I write applications so that they do some processing, package up a
chunk of data, and hand it to a template. With this structure, all you
need to
On Tue, Jan 22, 2002 at 09:25:15AM -0800, Paul Lindner wrote:
Hi,
I thought it might be interesting to start a thread on cross-site
scripting attacks, since it seems that many people are not aware of
the risks involved. Has anyone noticed attacks on their applications?
Do you religiously
On Tue, 22 Jan 2002 19:01:48 +0100
Thomas Eibner [EMAIL PROTECTED] wrote:
my $fields = {
    # field name => [ regex the value must match, optional extra validation sub ]
    id   => ['\d+', \&validation_sub],
    text => ['(?:\w\s)+'],
};
And I feed this along with the request or cgi object to a function
that checks each key for first the
On Tue, 22 Jan 2002 09:25:15 -0800
Paul Lindner [EMAIL PROTECTED] wrote:
As part of the CPANification of the code in the mod_perl Developer's
cookbook, I present Apache::TaintRequest, a module that helps prevent
cross-site scripting attacks by automatically html-escaping 'tainted'
text sent
Yes and no. XSS attacks are possible on old browsers, when the charset is
not set (something which is often the case with modperl apps) and when the
HTML-escaping bit does not match what certain browsers accept as markup.
Of course I set the charset, but I didn't know that might not be
On Tuesday 22 January 2002 19:04, Perrin Harkins wrote:
Of course I set the charset, but I didn't know that might not be enough.
Does anyone know if Apache::Util::escape_html() and
HTML::Entities::encode() are safe?
A quick look (I could be wrong) at HTML::Entities seems to imply that it
On Tue, Jan 22, 2002 at 07:11:28PM +0100, Robin Berjon wrote:
On Tuesday 22 January 2002 19:04, Perrin Harkins wrote:
Of course I set the charset, but I didn't know that might not be enough.
Does anyone know if Apache::Util::escape_html() and
HTML::Entities::encode() are safe?
A quick