Comments on: The Cross Site Scripting FAQ http://blog.sonufifu.com/seo/the-cross-site-scripting-faq/ sonufifu Wed, 10 Mar 2010 22:16:18 +0000 http://wordpress.org/?v=2.7.1 hourly 1 By: Search Engine Optimization (SEO) Journal » Blog Archive » Proof of Concept http://blog.sonufifu.com/seo/the-cross-site-scripting-faq/comment-page-1/#comment-5 Search Engine Optimization (SEO) Journal » Blog Archive » Proof of Concept Fri, 07 Jul 2006 19:16:55 +0000 http://blog.sonufifu.com/?p=30#comment-5 [...] I’ve actually noticed the same thing myself. One of the hardest parts of XSS is locating what is and isn’t valid XSS. Some things can include HTML injection but there is no way to reasonably exploit the vulnerability. Does that make it less scary? Yes! The reason XSS is scary is because it can lead to information disclosure, but if there is no way to get another user to see the HTML you injected, then it’s not a real vulnerability. Sloppy coding? Yes. Vulnerability? No. [...] [...] I’ve actually noticed the same thing myself. One of the hardest parts of XSS is locating what is and isn’t valid XSS. Some things can include HTML injection but there is no way to reasonably exploit the vulnerability. Does that make it less scary? Yes! The reason XSS is scary is because it can lead to information disclosure, but if there is no way to get another user to see the HTML you injected, then it’s not a real vulnerability. Sloppy coding? Yes. Vulnerability? No. [...]

]]> By: ha.ckers.org web application security lab - Archive » Proof of Concept http://blog.sonufifu.com/seo/the-cross-site-scripting-faq/comment-page-1/#comment-4 ha.ckers.org web application security lab - Archive » Proof of Concept Tue, 04 Jul 2006 18:17:30 +0000 http://blog.sonufifu.com/?p=30#comment-4 [...] I’ve actually noticed the same thing myself. One of the hardest parts of XSS is locating what is and isn’t valid XSS. Some things can include HTML injection but there is no way to reasonably exploit the vulnerability. Does that make it less scary? Yes! The reason XSS is scary is because it can lead to information disclosure, but if there is no way to get another user to see the HTML you injected, then it’s not a real vulnerability. Sloppy coding? Yes. Vulnerability? No. [...] [...] I’ve actually noticed the same thing myself. One of the hardest parts of XSS is locating what is and isn’t valid XSS. Some things can include HTML injection but there is no way to reasonably exploit the vulnerability. Does that make it less scary? Yes! The reason XSS is scary is because it can lead to information disclosure, but if there is no way to get another user to see the HTML you injected, then it’s not a real vulnerability. Sloppy coding? Yes. Vulnerability? No. [...]

]]>