On 11/10/2016 20:30, Thomas Ptacek wrote:
> (This comes up a lot because people who don’t do large-scale testing tend
> to believe XSS is something you can safely test for everywhere).
Even small scale (but high event) focussed testing can have unexpected
results, case in point as happened some
Yeah, this rang false to me too. It’s also the reason you can’t take a
client with 100 applications and run a tool that spams every discovered
endpoint with XSS vectors; their customers scream bloody murder when every
other page starts popping an alert box.
(This comes up a lot because people who
Yes, in theory. There are scenarios where you can do all those things. None
of those are what the authors meant, to put it kindly.
-dave
On Tue, Oct 11, 2016 at 11:45 AM Eric Schultz wrote:
> "You cannot deface websites with cross-site-scripting"
>
> You can with stored
"You cannot deface websites with cross-site-scripting"
You can with stored cross site scripting.
You if the app is also vulnerable to cross site request forgery.
You can if you steal a privileged session and you have network access.
-Eric
On Oct 10, 2016 11:24 AM, "Dave Aitel"