Comments on: “Cross” just like in XSS http://www.disenchant.ch/blog/%e2%80%9ccross%e2%80%9d-just-like-in-xss/40 Blog of Sven Vetsch / Disenchant Tue, 02 Mar 2010 12:16:03 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: nEUrOO http://www.disenchant.ch/blog/%e2%80%9ccross%e2%80%9d-just-like-in-xss/40/comment-page-1#comment-2577 nEUrOO Mon, 12 Feb 2007 15:32:03 +0000 http://www.disenchant.ch/blog/%e2%80%9ccross%e2%80%9d-just-like-in-xss/40#comment-2577 You're absolutely right for the permanent xss, i didn't even think about it :X You’re absolutely right for the permanent xss, i didn’t even think about it :X

]]> By: Disenchant http://www.disenchant.ch/blog/%e2%80%9ccross%e2%80%9d-just-like-in-xss/40/comment-page-1#comment-2575 Disenchant Mon, 12 Feb 2007 14:54:44 +0000 http://www.disenchant.ch/blog/%e2%80%9ccross%e2%80%9d-just-like-in-xss/40#comment-2575 I don't agree with "you cannot totally deface a website with XSS" because with Javascript, we can access the DOM tree and so we can modify all the elements on a website or to make it extremely simple, we can just use innerHTML for rewriting the whole site content and of course you can also do permanent XSSing and at least then really nasty things can going on, for example if you modify the text of a political site during general elections or stuff like this ;) But of course I fully agree with you that most of the time as I already wrote in my last comment, you'll need a second site for doing serious attacks but from my point of view it's nonsense if we call one attack different every time after the way it's exploited. I don’t agree with “you cannot totally deface a website with XSS” because with Javascript, we can access the DOM tree and so we can modify all the elements on a website or to make it extremely simple, we can just use innerHTML for rewriting the whole site content and of course you can also do permanent XSSing and at least then really nasty things can going on, for example if you modify the text of a political site during general elections or stuff like this ;)
But of course I fully agree with you that most of the time as I already wrote in my last comment, you’ll need a second site for doing serious attacks but from my point of view it’s nonsense if we call one attack different every time after the way it’s exploited.

]]> By: nEUrOO http://www.disenchant.ch/blog/%e2%80%9ccross%e2%80%9d-just-like-in-xss/40/comment-page-1#comment-2574 nEUrOO Mon, 12 Feb 2007 14:39:50 +0000 http://www.disenchant.ch/blog/%e2%80%9ccross%e2%80%9d-just-like-in-xss/40#comment-2574 Hum, you're right for the defacement with XSS, but I really used not to consider this as a "real-important-whatever" attack; I mean... Well, at least as far as I know, you cannot totally deface a website with XSS (i mean only XSS, not db storage etc. beside) but only modifying your local view of the page which may be able to see with a link (phishing). That's why I consider that the important attacks at least need an other site to store scripts (worm), to send data (stealing information) etc. Maybe I missed something for the defacement thus I am waiting for your answer ;) Hum, you’re right for the defacement with XSS, but I really used not to consider this as a “real-important-whatever” attack; I mean… Well, at least as far as I know, you cannot totally deface a website with XSS (i mean only XSS, not db storage etc. beside) but only modifying your local view of the page which may be able to see with a link (phishing).
That’s why I consider that the important attacks at least need an other site to store scripts (worm), to send data (stealing information) etc.

Maybe I missed something for the defacement thus I am waiting for your answer ;)

]]> By: Disenchant http://www.disenchant.ch/blog/%e2%80%9ccross%e2%80%9d-just-like-in-xss/40/comment-page-1#comment-2571 Disenchant Mon, 12 Feb 2007 14:17:09 +0000 http://www.disenchant.ch/blog/%e2%80%9ccross%e2%80%9d-just-like-in-xss/40#comment-2571 Hi nEUrOO, why do you think that? For example a temporary XSS which you can exploit over a normal URL GET request, doesn't need another site for example to get cookies or something else. I think your point is, that after an attack like this you have to send the victim to another site or at least some of his data to have a complete attack and here you're right but then we still have attack scenarios like site defacements through XSS and here you don't have any other site which is involved. So I think normally an attacker will need at least one other site for doing a real attack most of the time but still "cross site scripting" is from my point of view not the term which matches exactly to what a XSS attack does but I'm interested in your point of view :) Hi nEUrOO,
why do you think that? For example a temporary XSS which you can exploit over a normal URL GET request, doesn’t need another site for example to get cookies or something else. I think your point is, that after an attack like this you have to send the victim to another site or at least some of his data to have a complete attack and here you’re right but then we still have attack scenarios like site defacements through XSS and here you don’t have any other site which is involved. So I think normally an attacker will need at least one other site for doing a real attack most of the time but still “cross site scripting” is from my point of view not the term which matches exactly to what a XSS attack does but I’m interested in your point of view :)

]]> By: nEUrOO http://www.disenchant.ch/blog/%e2%80%9ccross%e2%80%9d-just-like-in-xss/40/comment-page-1#comment-2569 nEUrOO Mon, 12 Feb 2007 13:18:47 +0000 http://www.disenchant.ch/blog/%e2%80%9ccross%e2%80%9d-just-like-in-xss/40#comment-2569 Btw, I think that if you think about the attack and not the vulnerabilities, you have to have the "cross site" :) Btw, I think that if you think about the attack and not the vulnerabilities, you have to have the “cross site” :)

]]> By: Disenchant http://www.disenchant.ch/blog/%e2%80%9ccross%e2%80%9d-just-like-in-xss/40/comment-page-1#comment-2528 Disenchant Sun, 11 Feb 2007 15:19:01 +0000 http://www.disenchant.ch/blog/%e2%80%9ccross%e2%80%9d-just-like-in-xss/40#comment-2528 I didn't see that before but it's funny that other people asked the question about the name too, thanks for it :) PS: And of course Marc Slemko is right when he says "Believe me, we have had more important things to do than think of a better name." I didn’t see that before but it’s funny that other people asked the question about the name too, thanks for it :)

PS: And of course Marc Slemko is right when he says “Believe me, we have had more important things to do than think of a better name.”

]]> By: Ory http://www.disenchant.ch/blog/%e2%80%9ccross%e2%80%9d-just-like-in-xss/40/comment-page-1#comment-2527 Ory Sun, 11 Feb 2007 15:10:28 +0000 http://www.disenchant.ch/blog/%e2%80%9ccross%e2%80%9d-just-like-in-xss/40#comment-2527 Hey, The XSS naming issue was raised several times before :-) Take a look at the Wikipedia XSS page: http://en.wikipedia.org/wiki/Cross_site_scripting "This issue isn't just about scripting, and there isn't necessarily anything cross-site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name." (XSS pioneer Marc Slemko) Hey,

The XSS naming issue was raised several times before :-) Take a look at the Wikipedia XSS page:
http://en.wikipedia.org/wiki/Cross_site_scripting

“This issue isn’t just about scripting, and there isn’t necessarily anything cross-site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name.” (XSS pioneer Marc Slemko)

]]>