-
May 21st, 2002, 03:01 PM
#1
Xss Faq
A good FAQ about Cross Site Scripting...
http://www.cgisecurity.com/articles/xss-faq.shtml
What else is there to say?
"Ignorance is bliss....
but only for your enemy"
-- souleman
-
May 21st, 2002, 03:11 PM
#2
script language="M$cript";
function beginError(bsod) {
return true; }
onLoad.windows = beginError;
-
May 21st, 2002, 07:04 PM
#3
Re: Xss Faq
What else is there to say?
This. Good post!
And this
Risk: High
http://www.finjan.com/mcrc/alert_show.cfm?attack_release_id=72
OVERVIEW
A new vulnerability in an MSN Chat ActiveX Control allows hackers to automatically execute arbitrary code by visiting a Web page or receiving HTML-enabled e-mail. Since the MSN Chat control utilizes the user's security configuration, the program would be able to take any action that the legitimate user is capable of taking. eEye Digital Security discovered this exploit, and it is published as follows: http://www.eeye.com/html/Research/Ad...D20020508.html. MSN Chat ActiveX Control allows users of MSN Chat, Messenger and Exchange Instant Messenger to group together in a single "space" to chat in real time. Microsoft has released a critical security patch.
Local ActiveX Controls are already installed on the user's machine by one of these applications, therefore, attempting to block all ActiveX Controls via the firewall isn't effective. This exploit doesn't require a low security setting for the browser. The default browser setting (Medium) is enough to ensure the success of such an attack. All Internet Explorer users are potentially affected because this is a Microsoft-signed OCX. Users that have not installed Microsoft Messenger can be affected if they choose to launch the ActiveX that is signed by Microsoft. ActiveX Controls are powerful. You can try the following signed ActiveX demo: http://www.finjan.com/mcrc/demos/activex.cfm
The combination of a low security setting for the browser and a computer with no MSN Chat Control leads to an automatic attack. Finjan Software predicts that this exploit will be used in the wild. Microsoft UA control has been used in the past to lower the MSOffice security setting.
A very similar exploit was discovered a week ago in a Macromedia Flash ActiveX control by the same company. eEye Digital Security advisory can be found at: http://www.eeye.com/html/Research/Ad...D20020502.html
Finjan Software strongly advises you to take proper precautions to protect yourself from this type of attack. All Internet Explorer users should install the update. Finjan Software products block this exploit, as any other violation performed by ActiveX Control.
Firewall software or hardware at a network gateway protects private networks from network-based attacks by allowing or blocking network transactions but firewalls do not perform content inspection or behavior monitoring of code. Firewalls are a good line of defense for networks, but malicious code attacks on PCs can bypass firewalls very easily via the Web or e-mail.
http://www.finjan.com/products/surfinguard.cfm to download the freeware
I'm gone, thx everyone for so much fun and good info.
cheers and good bye
-
May 21st, 2002, 08:51 PM
#4
Awesome read.... I'm good at CSS and I dun find many guides/tut's about it often so thanks.
-
May 21st, 2002, 09:03 PM
#5
JRoc> just so you know, it's XSS, not CSS. CSS is Cascading Style Sheets. Since they both deal with websites, Cross Site Scripting was given the name XSS.
kadeng> good find...
"Ignorance is bliss....
but only for your enemy"
-- souleman
-
May 21st, 2002, 09:13 PM
#6
Whoops... Sorry!