Example Sins

The following entries on the Common Vulnerabilities and Exposures (CVE) web site (http://cve.mitre.org) and elsewhere are examples of XSS vulnerabilities.

IBM Lotus Domino Cross-Site Scripting and HTML Injection Vulnerabilities

For some reason, there is no CVE number for this. An attacker can bypass Lotus Notes HTML encoding in a computed value by adding square ([ and ]) brackets to the beginning and end of a field for some data types. Read more at www.securityfocus.com/bid/11458.

Oracle HTTP Server isqlplus Input Validation Flaws Let Remote Users Conduct Cross-Site Scripting Attacks

Again, there is no CVE associated with this. Oracle's HTTP server is based on Apache 1.3.x, and there is an XSS bug in the isqlplus script that does not properly handle the action, username, and password parameters. An attack might look something like this:

 http://[target]/isqlplus?action=logon&username=xyzzy%22%3e%3cscript%3ealert('XSS')%3c/script%3e&password=xyzzy%3cscript%3ealert('XSS')%3c/script%3e 

Read more at www.securitytracker.com/alerts/2004/Jan/1008838.html.
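The isqlplus entry above is a textbook reflected XSS: the server echoes a request parameter into its HTML without encoding it. The following Python is an added illustration, not code from the book or from Oracle: it decodes the URL quoted above (with a constructed placeholder host), shows what the username parameter looks like once the web server has URL-decoded it, and contrasts a hypothetical vulnerable rendering function with one that applies HTML output encoding, which is the fix the chapter prescribes. The two render functions and the check helper are hypothetical stand-ins written for this example.

```python
"""
Added example (not from the book or from Oracle): why the isqlplus parameters
are dangerous when reflected unencoded, and how HTML output encoding defuses them.
"""
import html
from urllib.parse import urlsplit, parse_qs

# The attack URL quoted on the page, with a constructed placeholder host.
ATTACK_URL = ("http://target.example/isqlplus?action=logon"
              "&username=xyzzy%22%3e%3cscript%3ealert('XSS')%3c/script%3e"
              "&password=xyzzy%3cscript%3ealert('XSS')%3c/script%3e")


def query_params(url):
    """Decode the query string the way a web server hands it to a CGI script:
    %xx sequences are expanded, so %3c/%3e become real angle brackets."""
    qs = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def render_logon_form_vulnerable(params):
    """Hypothetical vulnerable rendering: the untrusted value is dropped
    verbatim into an attribute, so a quote and '>' close the attribute and
    the tag, and whatever follows is parsed as new markup."""
    return '<input name="username" value="%s">' % params.get("username", "")


def render_logon_form_fixed(params):
    """Same page with HTML output encoding applied to the untrusted value.
    quote=True also encodes both quote characters, which matters inside
    an attribute value."""
    safe = html.escape(params.get("username", ""), quote=True)
    return '<input name="username" value="%s">' % safe


def contains_script_element(markup):
    """Crude check used here only to demonstrate the difference: does the
    rendered markup contain a script element the client did not intend?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    params = query_params(ATTACK_URL)
    print("decoded username:", params["username"])
    print("vulnerable:", render_logon_form_vulnerable(params))
    print("fixed:     ", render_logon_form_fixed(params))
```

Running it prints the decoded parameter, the vulnerable page (where the browser would see a real script element after the input tag), and the fixed page, where every `<`, `>`, and quote has become an entity and the browser shows the text literally. The encoding must be applied at the point of output, in the context where the value lands (here an attribute), not at input time.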

CVE-2002-0840

An XSS vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x before 1.3.26. Read more at http://cert.uni-stuttgart.de/archive/bugtraq/2002/10/msg00017.html.

19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them
ISBN: 71626751
Year: 2003
Pages: 239