2.19.2007

XSS becomes critical

So XSS is officially a big-time problem, where only 18 months ago it might have been viewed as a nuisance. XSS is now the #1 attack vector against web applications...

Certainly some XSS issues are innocuous, but attackers already have sophisticated means of bypassing filters; just look at the length of this cheat sheet.

And researchers can get paid for disclosing vulnerabilities responsibly ...
or not so responsibly...

There are myriad ways of causing damage with this vector on its own, or in combination with other attacks. And contrary to a large body of knowledge out there which says this is an encoding problem, after having written a filter to TRY to account for all the attacks for posted text or HTML, I feel pretty confident in saying HtmlEncoding is not enough and the Java & C# libraries {name your language / framework} need to be updated to account for the more arcane XSS vectors which are highly exploitable ... we're going to see a lot more worms and a lot more compromises before this problem gets any better.
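To make the "HtmlEncoding is not enough" point concrete, here is an added example in JavaScript. It is not code from the original post and not the filter described above. It runs one HtmlEncode-style entity encoder over untrusted input and then drops the result into three output contexts: a text node, an unquoted attribute value, and an href. The encoder, the payloads, and the `attributeNames` / `hrefScheme` checks are all constructed for this illustration; the checks are deliberately simplified approximations of how a browser tokenises a tag, not a real HTML parser.

```javascript
// Added example: why an HTML entity encoder alone is not an XSS fix.
// Not the original post's filter; everything here is constructed for illustration.

// Minimal HtmlEncode-style encoder: escapes the five HTML-significant characters.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Reverse of the above, roughly what a browser does inside an attribute value.
function htmlDecode(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
          .replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

// Three output contexts, each inserting HTML-encoded untrusted data.
function renderTextNode(untrusted)     { return `<p>${htmlEncode(untrusted)}</p>`; }
function renderUnquotedAttr(untrusted) { return `<input value=${htmlEncode(untrusted)}>`; }
function renderHref(untrusted)         { return `<a href="${htmlEncode(untrusted)}">link</a>`; }

// Context-aware versions (assumed fixes for this example, not a library API).
function renderQuotedAttr(untrusted)   { return `<input value="${htmlEncode(untrusted)}">`; }
function renderSafeHref(untrusted) {
  // Allow-list the URL scheme before encoding; anything that is not http(s) becomes '#'.
  const safe = /^https?:\/\//i.test(untrusted) ? untrusted : '#';
  return `<a href="${htmlEncode(safe)}">link</a>`;
}

// Constructed payloads. The second and third contain none of & < > " ' at all,
// so the encoder passes them through untouched.
const TEXT_PAYLOAD = '<script>alert(1)</script>';
const ATTR_PAYLOAD = 'x onmouseover=alert(1)';
const URL_PAYLOAD  = 'javascript:alert(1)';

// Simplified attribute tokeniser: returns the attribute names a browser would see
// on the first tag in `tagHtml`. Values may be "quoted", 'quoted' or unquoted
// (an unquoted value ends at whitespace or '>'). Quoted values containing '>'
// are not handled; none of the payloads above need that.
function attributeNames(tagHtml) {
  const tag = /^<\w+\s*([^>]*)>/.exec(tagHtml);
  if (!tag) return [];
  const names = [];
  const re = /([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*))?/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// URL scheme of the href on the first <a> in `html`, after entity decoding, or null.
function hrefScheme(html) {
  const m = /<a\s[^>]*href="([^"]*)"/i.exec(html);
  if (!m) return null;
  const s = /^\s*([a-z][a-z0-9+.-]*):/i.exec(htmlDecode(m[1]));
  return s ? s[1].toLowerCase() : null;
}

// Does a live <script> tag survive in the rendered output?
function containsScriptTag(html) { return /<script\b/i.test(html); }

function demo() {
  const rows = [
    ['text node, encoded',      containsScriptTag(renderTextNode(TEXT_PAYLOAD))],   // false: encoding works here
    ['unquoted attr, encoded',  attributeNames(renderUnquotedAttr(ATTR_PAYLOAD))],  // ["value","onmouseover"]
    ['quoted attr, encoded',    attributeNames(renderQuotedAttr(ATTR_PAYLOAD))],    // ["value"]
    ['href, encoded only',      hrefScheme(renderHref(URL_PAYLOAD))],               // "javascript"
    ['href, scheme allow-list', hrefScheme(renderSafeHref(URL_PAYLOAD))],           // null
  ];
  for (const [label, result] of rows) console.log(label.padEnd(26), JSON.stringify(result));
  return rows;
}
demo();
```

The text-node case is the one HtmlEncoding was designed for, and it holds. The other two show the encoder doing nothing at all: the attribute payload never contains a quote, so it only needs the surrounding markup to leave the value unquoted, and `javascript:alert(1)` is a perfectly ordinary string to an entity encoder. The fixes are per-context (quote the attribute; allow-list the URL scheme), which is exactly why a single encoding call at the framework level cannot be the whole answer.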