It is sometimes hard to find forward-looking resources about cross-site scripting (XSS).
Michal Zalewski has documented some thoughts in Postcards from the Post-XSS World, inspired by his own work and by that of others. He describes how many XSS attacks attempt to exfiltrate data such as session cookies, alter the appearance of the targeted web site, or perform state changes on behalf of the user. Where the theft of cookies is prevented by the HttpOnly attribute, other common attacks remain: extraction of personal data, anti-cross-site request forgery (CSRF) tokens and capability-bearing URLs; alteration or destruction of legitimate content; delegation of account access; use of special privileges; and propagation of attacker-supplied HTML markup.
Michal describes methods, identified by himself and by others, that could still carry out XSS-like attacks even when a web site has deployed XSS defences such as Content Security Policy.
If you are undertaking code review, security verification or penetration testing activities, this blog post is a must-read.
Posted on: 09 March 2012 at 12:18 hrs