This message assumes basic knowledge about Cross-site scripting (CSS) and its implications. For a quick summary of its implications see the bottom of this message first.

I have recently done a "CSS marathon" and found _almost_ every page I tried vulnerable within half an hour. These include Microsoft, AltaVista, Google, CNET, Time, eBay, Amazon, Netscape, Yahoo and Red Hat. This list probably could have gone on forever if I had taken the time.

I have contacted every one of them about this (except for Yahoo and eBay because I was unable to find a contact email address or feedback form; if it takes longer to find the contact info than to find the CSS, f#ck 'em). I am now awaiting their responses.

But the ease with which I CSS-ed the hell out of every one of them got me thinking. I'm not going to be the "beta-tester" slave for the whole internet. The sites I contacted will probably just patch the one hole I found, so I will probably be able to find others, and what about all the sites I haven't tried yet? Maybe there should be a "general advisory" going out to every web designer out there that CSS is as dangerous as it is common.

Feedback on the usefulness (or futility) of a "general CSS advisory" would be appreciated.

Berend-Jan Wever

--------------------------------------------
CSS implications

By opening a specially crafted URL in the targeted user's web browser (for instance when he visits your website or reads an email you sent him).
- read anything that user can read from the CSS-vulnerable site (address book, personal info, etc.)
- do whatever that user can do on the CSS-vulnerable site (send messages, order stuff, change personal settings and passwords)
- spoof the contents of the CSS-vulnerable site (make somebody think he is looking at www.foo.com while the contents of the page actually come from your site www.bar.com)