09 March 2012

XSS Plus

It is sometimes hard to find forward-looking resources about cross-site scripting (XSS).

Part of the text from Michal Zalewski's 'Postcards from the Post-XSS World'

Michal Zalewski has documented some thoughts in Postcards from the Post-XSS World, inspired by his own work and by others. He describes how many XSS attacks attempt to exfiltrate data such as session cookies, alter the appearance of the targeted web site or perform state changes on behalf of the user. Where cookie theft is prevented by the HttpOnly attribute, other common attacks remain: extraction of personal data, of anti-cross-site request forgery (CSRF) tokens and of capability-bearing URLs; alteration or destruction of legitimate content; delegation of account access; use of special privileges; and propagation of attacker-supplied HTML markup.

Michal describes methods, identified by himself and others, that could still carry out XSS-like attacks even where a web site has deployed defences such as Content Security Policy.
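The two defences named above, HttpOnly cookies and Content Security Policy, are both expressed in response headers, so a review can start by checking whether they are actually present and not weakened. The following is an added example written for this post (not code from the original post or from Zalewski's article): it parses Set-Cookie and Content-Security-Policy values from a constructed response and reports what is missing. The header maps and cookie values are constructed for illustration.

```python
"""Audit an HTTP response's cookie and CSP headers for the two XSS
mitigations named in the post (HttpOnly cookies and Content Security Policy).

Added example, not code from the original post or from Zalewski's article.
The sample responses below are constructed for illustration.
"""
from typing import Dict, List


def parse_cookie_attributes(set_cookie: str) -> Dict[str, str]:
    """Split a Set-Cookie header value into its cookie name and attributes.

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure)
    map to an empty string. The cookie name is stored under "__name__".
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {"__name__": name}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = ""
    return attrs


def parse_csp(csp: str) -> Dict[str, List[str]]:
    """Turn a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_response(headers: Dict[str, List[str]]) -> List[str]:
    """Return findings for a response given a header-name -> values map.

    Header names are matched case-insensitively. Several Set-Cookie values
    are supported because each cookie is sent on its own header line.
    """
    findings: List[str] = []
    lowered = {k.lower(): v for k, v in headers.items()}

    for cookie in lowered.get("set-cookie", []):
        attrs = parse_cookie_attributes(cookie)
        name = attrs["__name__"]
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly (readable by injected script)")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")

    csp_values = lowered.get("content-security-policy", [])
    if not csp_values:
        findings.append("no Content-Security-Policy header")
    else:
        policy = parse_csp(csp_values[0])
        # script-src falls back to default-src when absent, as CSP specifies.
        script_src = policy.get("script-src", policy.get("default-src"))
        if script_src is None:
            findings.append("CSP: no script-src or default-src, scripts unrestricted")
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP: script-src allows inline or wildcard sources")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {
    "Set-Cookie": ["session=abc123; Path=/"],
}

HARDENED_RESPONSE = {
    "Set-Cookie": ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
    "Content-Security-Policy": [
        "default-src 'self'; script-src 'self'; object-src 'none'"
    ],
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["no findings"])
```

A clean result from this audit only means the two header-level defences are in place. It says nothing about the post-XSS techniques the post goes on to describe, which work through injected markup rather than script and so are not stopped by HttpOnly or by a script-src restriction; those still have to be assessed by reviewing how user-supplied content is rendered.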

If you are undertaking code review, security verification or penetration testing activities, this blog post is a must-read.

Posted on: 09 March 2012 at 12:18 hrs

Page https://www.clerkendweller.uk/2012/3/9/XSS-Plus
© 2012-2015 clerkendweller.uk