From: coder316 on
Hello,
One thing I dont understand about XSS:
1.There is a page with a text box
2. I inject some Javascript into that textbox that shows a form in a
new div that can send content somewhere.


Am I not the only one that sees this form? What good is it if the next
person that goes to the website just sees the page sent from the
server correctly?

Thanks
From: Lee Atkinson on
Its usually more of a problem when they get access to your filesystem or
database ... As i've found out the hard way


On 16/02/2010 14:51, in article
49e2f337-0f2c-46f1-87d4-b58b1275ef40(a)f17g2000prh.googlegroups.com,
"coder316" <coder316(a)gmail.com> wrote:

> Hello,
> One thing I dont understand about XSS:
> 1.There is a page with a text box
> 2. I inject some Javascript into that textbox that shows a form in a
> new div that can send content somewhere.
>
>
> Am I not the only one that sees this form? What good is it if the next
> person that goes to the website just sees the page sent from the
> server correctly?
>
> Thanks

From: Alexey Smirnov on
On Feb 16, 3:51 pm, coder316 <coder...(a)gmail.com> wrote:
> Hello,
> One thing I dont understand about XSS:
> 1.There is a page with a text box
> 2. I inject some Javascript into that textbox that shows a form in a
> new div that can send content somewhere.
>
> Am I not the only one that sees this form? What good is it if the next
> person that goes to the website just sees the page sent from the
> server correctly?
>
> Thanks

If attacker will managed to get the victim to visit the injected URL,
then he/she could get either user cookies or even redirect to another
site...
From: AMP on
On Feb 16, 2:30 pm, Alexey Smirnov <alexey.smir...(a)gmail.com> wrote:
> On Feb 16, 3:51 pm, coder316 <coder...(a)gmail.com> wrote:
>
> > Hello,
> > One thing I dont understand about XSS:
> > 1.There is a page with a text box
> > 2. I inject some Javascript into that textbox that shows a form in a
> > new div that can send content somewhere.
>
> > Am I not the only one that sees this form? What good is it if the next
> > person that goes to the website just sees the page sent from the
> > server correctly?
>
> > Thanks
>
> If attacker will managed to get the victim to visit the injected URL,
> then he/she could get either user cookies or even redirect to another
> site...

If you inject the js then you are the attacker and the victim, what
good is it? What am I missing?
Like I said, everyone else gets a new page from the server, not from
me (The attacker).
????
From: Alexey Smirnov on
On Feb 16, 10:59 pm, AMP <ampel...(a)gmail.com> wrote:
> On Feb 16, 2:30 pm, Alexey Smirnov <alexey.smir...(a)gmail.com> wrote:
>
>
>
>
>
> > On Feb 16, 3:51 pm, coder316 <coder...(a)gmail.com> wrote:
>
> > > Hello,
> > > One thing I dont understand about XSS:
> > > 1.There is a page with a text box
> > > 2. I inject some Javascript into that textbox that shows a form in a
> > > new div that can send content somewhere.
>
> > > Am I not the only one that sees this form? What good is it if the next
> > > person that goes to the website just sees the page sent from the
> > > server correctly?
>
> > > Thanks
>
> > If attacker will managed to get the victim to visit the injected URL,
> > then he/she could get either user cookies or even redirect to another
> > site...
>
> If you inject the js then you are the attacker and the victim, what
> good is it? What am I missing?
> Like I said, everyone else gets a new page from the server, not from
> me (The attacker).
> ????- Hide quoted text -
>
> - Show quoted text -

When form has XSS problem, an attacker can send injected link to you
via email or post it somewhere on a public website. You click on it
and the injected code will be executed. Modern browsers have filters
to prevent XSS, but it still can be a problem, e.g. when XSS filter is
disabled or you have old version, etc.