This article about Minimum Viable XSS was interesting and relevant. I recently came across a XSS vulnerability, but due to server side validation and some string truncation that was occurring, there was a very limited number of characters that could be used to exploit this XSS vulnerability. You may be led to believe that since there's only a handful of characters available for the attack that it can't be abused, but per the article linked above, you'd be wrong! With as short as 20 characters, full blown XSS could be exploited with something like the BeEF framework, you could hook a browser, and you'd be in business as a bad guy. So please, DO NOT assume that truncating output is a viable form of vulnerability remediation. And please do not take a limited character XSS vulnerability light-heartedly, instead fix it immediately.
More about neonprimetime
Top Blogs of all-time
Top Github Contributions
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
No comments:
Post a Comment