Re: [Dailydave] Book Reviews

On 11/10/2016 20:30, Thomas Ptacek wrote: > (This comes up a lot because people who don’t do large-scale testing tend > to believe XSS is something you can safely test for everywhere). Even small scale (but high event) focussed testing can have unexpected results, case in point as happened some

Re: [Dailydave] Book Reviews

Yeah, this rang false to me too. It’s also the reason you can’t take a client with 100 applications and run a tool that spams every discovered endpoint with XSS vectors; their customers scream bloody murder when every other page starts popping an alert box. (This comes up a lot because people who

Re: [Dailydave] Book Reviews

Yes, in theory. There are scenarios where you can do all those things. None of those are what the authors meant, to put it kindly. -dave On Tue, Oct 11, 2016 at 11:45 AM Eric Schultz wrote: > "You cannot deface websites with cross-site-scripting" > > You can with stored

Re: [Dailydave] Book Reviews

"You cannot deface websites with cross-site-scripting" You can with stored cross site scripting. You if the app is also vulnerable to cross site request forgery. You can if you steal a privileged session and you have network access. -Eric On Oct 10, 2016 11:24 AM, "Dave Aitel"