Real World XSS Author: David Zimmer
Article Downloads: small_xss_utilities.zip
Section 1 - Introduction
- About the Article Downloads
- Impacts (Attack Scenario)
- Impact Summary
Section 2 - Methods of Injection, and filtering
- Injection Points
- Injection methods and filtering
- XSS scripting tips and tricks
Section 3 - Inside the mind, mental walk along of a XSS hack
Section 4 - Conclusion
By now I hope you all understand that Cross sight scripting is not
as trivial a 'security' hole as it appears on the surface as all of the
simple demos people post as examples.
Identifying Cross Sight
Scripting is the easy part.
Foreseeing its possibilities and
knowing how to use it to impact a user base is the hard part, and is the
part that is not widely discussed.
With XSS so widely written
about and so misunderstood alot of people have walked away with the false
conclusion that it is an annoyance and not a threat.
of this paper is not to arm a hoard of script kiddies with a bunch of
proven tricks, but is to try to instill a sense as its actual dangers and
impacts with those who are in the position to do something about it.
As with all knowledge, it can be a double sided sword. As rfp's
paper on Sql injection techniques brought out the dangers of Sql injection
to the public I too hope that this paper may have a similar effect and
raising awareness and helping people to limit their own (and their surfer
You may not loose your server to XSS
attacks, it may not DOS your network, but you may loose your users, and
you may be the reason your clients lost their credit card numbers, fell
victim to identity theft or had their accounts tampered with.
this paper? Want to read more?
Check out the site for more Web Application
Security related papers and specialized Web App auditing tools.