[ OWASP - Montreal ] Confusion about XSS...

Benoit Guerette benoit.guerette at gmail.com
Wed Dec 17 14:02:01 EST 2008

Am I wrong, or to be declared as XSS vuln. the script must be injected from
an external source, not the site itself?

What if ebay allow html script tags in the auction text, is it an XSS? If
not how do you call this? The site is the source...

"Watch for sale. <script type="text/javascript">document.location="

This script would send the authenticated user cookie to the attacker,
allowing session hijacking.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-montreal/attachments/20081217/c92ed2ec/attachment.html 

More information about the Owasp-montreal mailing list