zbeng

HTML Code Injection and Cross-site scripting

Written by Gunter Ollmann

Contents:

* Abstract
* Introduction
* Code Insertion
* Malicious Code
* Cross-Site Scripting
* Understanding Code Insertion
  o Inline Scripting
  o Forced Error Responses
  o Non <SCRIPT> Events
  o Javascript Entities
  o Typical Payloads Formatting
* Bypassing Anti-CSS Filters
* Web Integration
  o The Flash! Attack
* The Impact
* Vulnerability Checking
* Put It All Together
* Defending Against the Attack
  o Solutions for Users
  o Solutions for Developers and Organisations
    + Limit Server Responses
    + Enforce Response Lengths
    + HTTP Referer
    + Embedded Files and Objects
    + HTTP POST not GET
    + Cookie Inspection
    + URL Session Identifier
* Character Sets
* Dangerous Content
* Encode output based upon input parameters
  o Filter input parameters for special characters
  o Filter output based upon input parameters for special characters
* References

You can find it here: http://www.technicalinfo.net/papers/CSS.html
