How to Crack a Website - XSS, Cookies, Sessions 167
twistedmoney45 writes "Informit.com provides an insiders look at a real life XSS attack and how it was used to bypass the authentication scheme of an online web application, leading to "shell" access, an admin account, and more. XSS attacks are often discussed in theory — this walk through illustrates just how dangerous these types of attacks can be in reality."
So... (Score:5, Funny)
... can I crack pr0n sites with it?
(This would have even been a frosty piss if it weren't for a Slow Down Cowboy!)
Requires social engineering (Score:5, Funny)
I think this is the reason why people aren't that concerned about XSS. This requires that the attacker knows someone who has access to the web site and a way to get him to click on the link. I would certainly never click on a suspicious looking link. But sure, not everyone does that and if there are other post-login holes to get yourself into an admin, that's a problem for you too.
One thing that annoys me when discussing XSS problems and such is that people always just suggest to validate input. I've built perfectly secure PHP applications that don't validate input at all, they just don't print the output using "print" but another function that properly escapes the output. So much more easier that way than having to think about input validation for every single new field you add.
Re:I knew, but... (Score:4, Funny)
Re:Boring... (Score:1, Funny)
My favorite quote from said article:
our db stores passwords in plaintext. Yes it's stupid, but I wrote this code 3 years ago and had no clue
Meh. (Score:2, Funny)