You probably want to check out these links as well.
The Cross Site Scripting FAQ
http://www.cgisecurity.com/articles/xss-faq.shtml
The Web Application Security Consortium's (WASC) Threat Classification
http://www.webappsec.org/projects/threat/classes/cross-site_scripting.shtml
- admin (at) cgisecurity (dot) com [email concealed]
http://www.cgisecurity.com
>
> It was called XSS before 2002. The wikipedia article that someone already
> mentioned links to:
>
> http://www.cert.org/advisories/CA-2000-02.html
> http://webmonkey.wired.com/webmonkey/00/18/index3a.html
> http://httpd.apache.org/info/css-security/
>
> All of which are from 2000.
>
> I remember the vulnerability now known as "stored xss" being an issue as far
> back as 1996-ish on web based forums, but I don't think it had any name at
> that time.
>
>
> Jeff Robertson
> Manager of Web Application Security
> Digital Insight
>
>
> > -----Original Message-----
> > From: Richard M. Smith [mailto:rms (at) computerbytesman (dot) com [email concealed]]
> > Sent: Friday, October 14, 2005 11:14
> > To: webappsec (at) securityfocus (dot) com [email concealed]
> > Subject: RE: myspace hack
> >
> >
> > I believe that Microsoft first came up with the cross-site scripting name.
> > They wrote a paper on the subject around 2002.
> >
> > "Script injection" does sound like a more descriptive and accurate name.
> >
> > Richard
> >
> > -----Original Message-----
> > From: Jeff Robertson [mailto:Jeff.Robertson (at) DigitalInsight (dot) com [email concealed]]
> > Sent: Friday, October 14, 2005 10:55 AM
> > To: 'Reynolds, Jake'; Chris Varenhorst; Akash
> > Cc: webappsec (at) securityfocus (dot) com [email concealed]
> > Subject: RE: myspace hack
> >
> > The name "XSS" does not make sense in a lot of its applications.
> >
> > What "Stored XSS" and "Reflected XSS" have in common is the injection of
> > script into places where script wasn't supposed to be. Having more than one
> > site be involved is not the factor. What has been discussed in this thread
> > seems to me like it falls under "Stored XSS".
> >
> > It would make more sense if this was called "script injection", but for some
> > reason the whole family was named XSS.
> >
> > Who the heck names these things, anyway?
> >
> >
> > Jeff Robertson
> > Manager of Web Application Security
> > Digital Insight
> >
> >
> > > -----Original Message-----
> > > From: Reynolds, Jake [mailto:Jake.Reynolds (at) fishnetsecurity (dot) com [email concealed]]
> > > Sent: Friday, October 14, 2005 10:30
> > > To: Chris Varenhorst; Akash
> > > Cc: webappsec (at) securityfocus (dot) com [email concealed]
> > > Subject: RE: myspace hack
> > >
> > >
> > > I wouldn't consider this an XSS attack. Where in the attack did
> > > information cross sites? This seems like it is an embedded XSS attack
> > > in that a malicious script was entered into a profile in hopes that
> > > victims would view and execute it. However, nothing was sent across
> > > sites via the script. The vulnerability was a lack of output
> > > validation in my opinion, which is the same vulnerability that an XSS
> > > attack would exploit. I don't know how you would classify the
> > > attack... Probably "self-replicating session riding". Yeah that has a
> > > nice FUD-factor to it.
> > >
> > >
> > > Jake Reynolds, CCIE, CCSP, MCSE, CCSA, JNCIA-FWV, CWNA
> > > Senior Security Engineer -- Consulting Services FishNet Security
> > >
> > > Phone: 816.421.6611
> > > Toll Free: 888.732.9406
> > > Fax: 816.421.6677
> > >
> > > http://www.fishnetsecurity.com
> > >
> > > -----Original Message-----
> > > From: Chris Varenhorst [mailto:varenc (at) MIT (dot) EDU [email concealed]]
> > > Sent: Thursday, October 13, 2005 8:39 AM
> > > To: Akash
> > > Cc: webappsec (at) securityfocus (dot) com [email concealed]
> > > Subject: Re: myspace hack
> > >
> > > Oh wow I'm wrong, I'm apparently thinking of current myspace bots
> > > which do as I described. It looks like this was in fact made possible by
> > > an XSS vulnerability.
> > > Sorry
> > >
> > > On Thu, 13 Oct 2005, Chris Varenhorst wrote:
> > >
> > > > This isn't hacking at all. (at least not what I'd call it) This is
> > > > writing a script to go through myspace IDs (which happen to be
> > > > sequential) issuing friend requests to every one of them. To prevent
> > > > this, now myspace limits friend requests to a certain number per day.
> > > > Hope that covers it!
> > > >
> > > > -Chris
> > > >
> > > > On Thu, 13 Oct 2005, Akash wrote:
> > > >
> > > > > Does anyone have more technical details about how 1 million accounts
> > > > > got hacked in about 24 hours?
> > > >
> > > > This is the supposed confession of the hacker
> > > > http://fast.info/myspace/
> > > >
> > > > I am currently studying for CEH and just finished reading about XSS. So
> > > > this is of special interest.
> > > >
> > > > regards
> > > >
> > > > akash
> > > >
> > >
> >
>