Yeah, this rang false to me too. It’s also the reason you can’t take a client with 100 applications and run a tool that spams every discovered endpoint with XSS vectors; their customers scream bloody murder when every other page starts popping an alert box.
(This comes up a lot because people who don't do large-scale testing tend to believe XSS is something you can safely test for everywhere.)

On October 11, 2016 at 2:28:12 PM, Eric Schultz ([email protected]) wrote:

"You cannot deface websites with cross-site-scripting"

You can with stored cross site scripting. You can if the app is also vulnerable to cross site request forgery. You can if you steal a privileged session and you have network access.

-Eric

On Oct 10, 2016 11:24 AM, "Dave Aitel" <[email protected]> wrote:

> 2 Book Reviews in this post.
>
> 1. Lab Girl
> <https://www.amazon.com/Lab-Girl-Hope-Jahren-ebook/dp/B00Z3FYQS4/ref=tmm_kin_swatch_0?_encoding=UTF8&qid=1476112205&sr=8-1>
> : Probably the best book I've read all year. Immediately go and purchase and read this. Speaks well to the hacker spirit, but is written like poetry.
>
> 2. http://cybersecpolitics.blogspot.com/2016/10/book-review-cyber-war-vs-cyber-realities.html - Read my review please, but don't buy the book. :) I masochistically read these books because if you don't publicly review them, they filter into things people "know" about cyber war strategy, and make for very painful policy meetings and Wassenaar like things. People who write these sort of books need to write them knowing someone is going to read them with a critical eye.
>
> -dave
>
> _______________________________________________
> Dailydave mailing list
> [email protected]
> https://lists.immunityinc.com/mailman/listinfo/dailydave
