It seems today that Cross-Site Scripting (XSS) holes in popular web applications are being discovered and disclosed at an ever-increasing rate. Just glancing at the Bugtraq security mailing list archives at http://online.securityfocus.com/archive/1 over the first half of 2002 shows countless postings of XSS holes in widely used websites and applications.

This new iDEFENSE Labs paper predicts that fully and semi-automated techniques will aggressively begin to emerge for targeting and hijacking web applications using XSS, thus eliminating the need for active human exploitation. Some of these techniques are detailed along with solutions and workarounds for web application developers and users. It is available at http://www.idefense.com/XSS.html for download.

To gain a good foundation on XSS from a beginner's perspective, zeno of cgisecurity.com has also just released a great FAQ today, available at: http://www.cgisecurity.com/articles/xss-faq.shtml

Some of the concepts in the iDEFENSE Labs paper may be better understood after reading this FAQ.

-dave

David Endler, CISSP
Director, iDEFENSE Labs
14151 Newbrook Drive Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
dendler@idefense.com
www.idefense.com