[27869] in bugtraq
RE: A technique to mitigate cookie-stealing XSS attacks
daemon@ATHENA.MIT.EDU (Ulf Harnhammar)
Fri Nov 15 12:09:20 2002
Date: Thu, 14 Nov 2002 07:20:29 +0100 (CET)
From: Ulf Harnhammar <ulfh@update.uu.se>
To: "Steven M. Christey" <coley@linus.mitre.org>
In-Reply-To: <200211132310.SAA16807@linus.mitre.org>
Message-ID: <Pine.LNX.4.21.0211140716310.5627-100000@Tempo.Update.UU.SE>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Wed, 13 Nov 2002, Steven M. Christey wrote:
> Being able to place arbitrary HTML into an intermediate web page is
> dangerous for other reasons (this is sometimes called "HTML
> injection," but I view it as another flavor of XSS). For example,
> this would allow attackers to use META-REFRESH style attacks to
> redirect victims away from the intended web site.
...or to redirect victims to a script on the intended web site that does
something (i.e., sending mails or posting Usenet messages under the
victim's name). It's not just about stealing cookies.
// Ulf Harnhammar
VSU Security
ulfh@update.uu.se