simple xss question
in [ASP .NET]
|
Prev: ASP.NET AutoPostBack don´t work in IE6
Next: In the .master code how to get the title defined in context <%@Page
From: coder316 on 16 Feb 2010 09:51 Hello, One thing I dont understand about XSS: 1.There is a page with a text box 2. I inject some Javascript into that textbox that shows a form in a new div that can send content somewhere. Am I not the only one that sees this form? What good is it if the next person that goes to the website just sees the page sent from the server correctly? Thanks
From: Lee Atkinson on 16 Feb 2010 10:17 Its usually more of a problem when they get access to your filesystem or database ... As i've found out the hard way On 16/02/2010 14:51, in article 49e2f337-0f2c-46f1-87d4-b58b1275ef40(a)f17g2000prh.googlegroups.com, "coder316" <coder316(a)gmail.com> wrote: > Hello, > One thing I dont understand about XSS: > 1.There is a page with a text box > 2. I inject some Javascript into that textbox that shows a form in a > new div that can send content somewhere. > > > Am I not the only one that sees this form? What good is it if the next > person that goes to the website just sees the page sent from the > server correctly? > > Thanks
From: Alexey Smirnov on 16 Feb 2010 14:30 On Feb 16, 3:51 pm, coder316 <coder...(a)gmail.com> wrote: > Hello, > One thing I dont understand about XSS: > 1.There is a page with a text box > 2. I inject some Javascript into that textbox that shows a form in a > new div that can send content somewhere. > > Am I not the only one that sees this form? What good is it if the next > person that goes to the website just sees the page sent from the > server correctly? > > Thanks If attacker will managed to get the victim to visit the injected URL, then he/she could get either user cookies or even redirect to another site...
From: AMP on 16 Feb 2010 16:59 On Feb 16, 2:30 pm, Alexey Smirnov <alexey.smir...(a)gmail.com> wrote: > On Feb 16, 3:51 pm, coder316 <coder...(a)gmail.com> wrote: > > > Hello, > > One thing I dont understand about XSS: > > 1.There is a page with a text box > > 2. I inject some Javascript into that textbox that shows a form in a > > new div that can send content somewhere. > > > Am I not the only one that sees this form? What good is it if the next > > person that goes to the website just sees the page sent from the > > server correctly? > > > Thanks > > If attacker will managed to get the victim to visit the injected URL, > then he/she could get either user cookies or even redirect to another > site... If you inject the js then you are the attacker and the victim, what good is it? What am I missing? Like I said, everyone else gets a new page from the server, not from me (The attacker). ????
From: Alexey Smirnov on 16 Feb 2010 18:18
On Feb 16, 10:59 pm, AMP <ampel...(a)gmail.com> wrote: > On Feb 16, 2:30 pm, Alexey Smirnov <alexey.smir...(a)gmail.com> wrote: > > > > > > > On Feb 16, 3:51 pm, coder316 <coder...(a)gmail.com> wrote: > > > > Hello, > > > One thing I dont understand about XSS: > > > 1.There is a page with a text box > > > 2. I inject some Javascript into that textbox that shows a form in a > > > new div that can send content somewhere. > > > > Am I not the only one that sees this form? What good is it if the next > > > person that goes to the website just sees the page sent from the > > > server correctly? > > > > Thanks > > > If attacker will managed to get the victim to visit the injected URL, > > then he/she could get either user cookies or even redirect to another > > site... > > If you inject the js then you are the attacker and the victim, what > good is it? What am I missing? > Like I said, everyone else gets a new page from the server, not from > me (The attacker). > ????- Hide quoted text - > > - Show quoted text - When form has XSS problem, an attacker can send injected link to you via email or post it somewhere on a public website. You click on it and the injected code will be executed. Modern browsers have filters to prevent XSS, but it still can be a problem, e.g. when XSS filter is disabled or you have old version, etc. |