1

I currently have an XSS problem on this site.

https://bbcpanningen.cupweb6.nl:1311/servlet/OMSALogin?msgStatus="><script>alert("hello")  </script>

But I don't understand how an attacker can exploit this. The site doesn't use cookies, so that might be a problem. I've read something about it, and they all said the attacker had to send a link with the XSS in it.

Anders
that guy
  • The URL looks like a login page, so I expect that site does use cookies. In general, if an attacker can get the victim to click a link they control, they can steal the cookies. This is an example of Reflective Cross-Site Scripting, and there's more information here: http://security.stackexchange.com/questions/19373/what-is-the-danger-of-reflected-cross-site-scripting – paj28 Nov 12 '13 at 19:47

1 Answer

2

There are a lot of other dangers from XSS, not just stealing cookies. Your page could be defaced, data which is secured (for instance with IP protection) can be stolen, or it can even be used to do some time-based attacks on internal networks the attacked browser may be connected to.

So you definitely should have a look at the OWASP XSS Cheat Sheet to protect against things like these.

Xander
Tobias
    Dear gentlemen, if you downvote please give at least a small comment how my answer can be improved. – Tobias Nov 13 '13 at 16:47
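
As an added illustration of the output encoding that the answer's OWASP reference recommends (not code from the original posts or from the application in question), the sketch below renders the `msgStatus` value three ways and parses the result to see which tags a browser-like parser would find. The template, the host name, the allow-list pattern and all function names are assumptions; the leading `">` in the reported payload suggests the value is echoed inside a quoted attribute, which is what the template models.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed template (assumption): msgStatus is echoed into a quoted attribute.
TEMPLATE = '<input type="hidden" name="msgStatus" value="{}">'
# Hypothetical allow-list: a status code is a short alphanumeric token.
ALLOWED = re.compile(r"[A-Za-z0-9_]{1,32}")
# Constructed URL: placeholder host, path and payload as quoted in the question.
SAMPLE_URL = ('https://host.example:1311/servlet/OMSALogin'
              '?msgStatus="><script>alert("hello")  </script>')

class TagCollector(HTMLParser):
    """Records every start tag and its (entity-decoded) attributes."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def parsed_tags(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags

def param(url, name):
    """First value of a query parameter, or '' if absent."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]

def render_vulnerable(value):
    # Raw reflection: a double quote in the value ends the attribute early.
    return TEMPLATE.format(value)

def render_encoded(value):
    # Attribute-context encoding: &, <, >, " and ' become entities.
    return TEMPLATE.format(html.escape(value, quote=True))

def render_validated(value):
    # Defence in depth: reject anything off the allow-list, then still encode.
    return render_encoded(value if ALLOWED.fullmatch(value) else "")

if __name__ == "__main__":
    payload = param(SAMPLE_URL, "msgStatus")
    for render in (render_vulnerable, render_encoded, render_validated):
        tags = [tag for tag, _ in parsed_tags(render(payload))]
        print(f"{render.__name__:18} -> {tags}")
```

With raw reflection the parser sees a second, attacker-supplied element; with encoding the same bytes come back as the value of the single `input` element.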