Sometimes, folks just don’t get it. I found this posting from early Oct this morning.
From Hydrapinion:
Ummm… HTML injection? XSS? These aren’t “hacks”… Data on the actual web-server isn’t modified by these so-called “attacks”. The only way to get someone to see the modified version of the page is to send them a carefully crafted link which merges content of the target pages with something else you’ve set up elsewhere. Alternatively, the extra content, like text, could be embedded in the link.
But it requires user intervention — they have to click on that link!
To suggest the Lib’s web-server was hacked is misleading in the EXTREME. Also, XSS attacks do not allow “data to be sent to a user’s computer” unless you’ve tricked someone into clicking a link and THEN exploited a vulnerability on the user’s side, for example a browser bug. But you still need the user to click on the link in the first place.
And this isn’t a “hack”? Kevin Mitnick has built a career on hacking people. XSS is oft underestimated as an attack vector. Wade Alcorn wrote a great application that uses the web browser as an attack platform called BeEF. To say nothing of the contributions of folks such as RSnake, Jeremiah Grossman, pdp and Billy Hoffman. We have even seen XSS malware and surely more will follow.
Tags: XSS, XSS Exploits, XSS Threats
