Tagged Questions

Cross-Site Scripting: An attack method that involves injection of code or markup into a webpage.


7
votes
3 answers
124 views

E-mail read receipt through XSS

I recently stumbled upon a really silly/unsafe but an interesting way to get a read receipt of an e-mail. I'm not 100% sure if the method in use works, which is why I'm asking it here. G-mail does ...
0
votes
5 answers
171 views

Efficient way for finding XSS vulnerabilities?

Manual (reliable) way: Put string containing characters that have special meaning in HTML into some parameter of HTTP request, look for this string in HTTP response (and possibly) in other places ...
3
votes
2 answers
130 views

How can I prevent reflected XSS in my JSON web services?

I have a web service that takes POST data (JSON) and returns part of the request object in the JSON response. This is open to XSS if the response is rendered as HTML by the browser since someone ...
3
votes
5 answers
166 views

XSS : Blacklist characters vs. whitelist

I have been studying to prevent my web app against XSS. I read about it on OWASP and other security channels, they all say that use ESAPI and similar library, and also do input filtering through ...
3
votes
2 answers
107 views

Is Drupal's filter_xss enough for filtering HTML?

Drupal has filter_xss function. Is it safe to use for filtering arbitrary user HTML input? If not, what should be used instead when using Drupal 7? This question is a duplicate of Drupal's built-in ...
4
votes
1 answer
93 views

XSS inside CSS when " is encoded?

I'm trying to make XSS work on one site. It allows me to edit CSS which is then included inside web page source, but it won't allow me to use " , only ' . Source is like this: body { margin: 0; ...
5
votes
1 answer
87 views

Where does the responsibility lie for a XSS vulnerability

I am an avid user of Workflowy (online outliner/note taking tool) and I installed the Chrome extension 'Workflowy for Coders', which formats the text within notes. I discovered that one of my notes ...
2
votes
4 answers
179 views

Current best practices to prevent persistent XSS attacks

I have a text field that allows the user to type whatever he/she wants. After saving, the results are later displayed on the screen to potentially many people. XSS seems a bit like black magic to ...
2
votes
4 answers
148 views

What is the danger of Reflected Cross Site Scripting?

What is the danger of Reflected Cross Site Scripting? I understand the Reflected XSS is dangerous, because it's possible. But what practical attacks can be performed using Reflected XSS?
1
vote
1 answer
128 views

scanning my site for JavaScript/XSS vulnerabilities

I have had a report that my site may have a security issue and there is some JavaScript loading 10 times per second. www.ayrshireminis.com Is there any way that I can "scan" my site to check if ...
1
vote
2 answers
94 views

Why ban XSS instead of flagging it?

Consider a browser that allows an XMLHttpRequest downloaded from foo.net to make requests to bar.net, but attaches a XHR-Origin: http://foo.net (or possibly a more descriptive value like ...
1
vote
1 answer
92 views

Web Application Firewall Rule Optimization

Following are the two Rules taken from ModSecurity CRS core Ruleset. These two rules are base Rules for XSS attacks. If we look at these two rules their variables and actions are same what they differ ...
2
votes
2 answers
129 views

What is cross-site-scripting? [closed]

Possible Duplicate: Can anybody explain XSS to an idiot? First I ask is there an absolute definition? I've done some Googling and it seems like everyone says something different. On SO ...
3
votes
1 answer
90 views

Can anybody recommend any gems for checking security vulnerabilities?

I want to check one of my RoR projects for security vulnerabilities. So can anybody recommend any gems for my needs?
0
votes
2 answers
178 views

HTTP TRACE vulnerability discovered - what should I do

First, why is HTTP TRACE method allowed on a website? Isn't it a bad thing for web server or its users' security? Second, when I run the following PHP script via my browser... <?php $service_port ...
