BugTraq
RE: A technique to mitigate cookie-stealing XSS attacks Nov 14 2002 06:20AM
Ulf Harnhammar (ulfh update uu se)
On Wed, 13 Nov 2002, Steven M. Christey wrote:

> Being able to place arbitrary HTML into an intermediate web page is
> dangerous for other reasons (this is sometimes called "HTML
> injection," but I view it as another flavor of XSS). For example,
> this would allow attackers to use META-REFRESH style attacks to
> redirect victims away from the intended web site.

...or to redirect victims to a script on the intended web site that does
something (i.e., sending mails or posting Usenet messages under the
victim's name). It's not just about stealing cookies.

// Ulf Harnhammar
VSU Security
ulfh (at) update.uu (dot) se
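
The point made in this reply, as an added example that is not part of the original post: protecting the cookie from being read does not stop injected markup from sending the browser to an action script on the same site, so the defences are output encoding plus a per-session token on state-changing requests. The function names, the `sendmail` action, the script path and the sample input are constructed for illustration.

```python
import hashlib
import hmac
import html
import secrets

# Constructed sample input: a user-supplied comment carrying a META refresh
# aimed at a state-changing script on the same site (hypothetical path).
INJECTED = '<meta http-equiv="refresh" content="0;url=/sendmail.cgi?to=a@example.org">'


def render_comment(text: str) -> str:
    """Encode user input for an HTML body context so markup is shown, not parsed."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def issue_token(session_secret: bytes, action: str) -> str:
    """Per-session, per-action token that the site embeds in its own forms."""
    return hmac.new(session_secret, action.encode(), hashlib.sha256).hexdigest()


def handle_action(session_secret: bytes, action: str, params: dict) -> bool:
    """Accept a state-changing request only if it carries the session's token.

    The browser attaches the session cookie to a forced redirect on its own,
    whether or not script can read that cookie. Markup-only injection cannot
    read the token, so the redirected request is refused.
    """
    supplied = str(params.get("token", ""))
    expected = issue_token(session_secret, action)
    # Compare as bytes so non-ASCII input cannot raise inside compare_digest.
    return hmac.compare_digest(supplied.encode(), expected.encode())


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # stored server-side with the session
    print(render_comment(INJECTED))   # the tag arrives as inert text
    forced = {"to": "a@example.org"}  # what the redirect would send
    print("forced request accepted:", handle_action(secret, "sendmail", forced))
    genuine = dict(forced, token=issue_token(secret, "sendmail"))
    print("genuine form accepted:", handle_action(secret, "sendmail", genuine))
```
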

Copyright 2010, SecurityFocus