[ OWASP - Montreal ] Confusion about XSS...
sean at caedmon.net
Wed Dec 17 14:13:44 EST 2008
> Am I wrong, or to be declared as XSS vuln. the script must be
> injected from an external source, not the site itself?
> What if eBay allows HTML script tags in the auction text, is it an
> XSS? If not, how do you call this? The site is the source...
> This script would send the authenticated user cookie to the
> attacker, allowing session hijacking.
I would consider that a form of cross site scripting, even if it's not
technically "cross site." eBay definitely should be filtering that
out... think "Samy is my hero."
This is where HtmlPurifier serves well (-: