Cross-Site Scripting (XSS), like any security risk, can be mitigated once we know what to look for: check our own sites for injected content, and/or identify the aberrant sites or behavior through which the infection arrived (for XSS tunnels). XSS lets an attacker inject HTML, an iframe, JavaScript, or a redirect into a website wherever user-supplied content is reflected or stored without adequate input checking and output encoding. Several versions of Apache httpd have shipped with XSS bugs of their own, and there are many types of XSS tricks.

CheatSheet for creating XSS test labs:
http://ha.ckers.org/xss.html

Good video descriptions [Full Disclosure] (persistent and non-persistent):
http://www.youtube.com/watch?v=WZCXIrW0xZ0
http://www.youtube.com/watch?v=JBpG2fie_aA

XSS tunnels [Full Disclosure]:
http://www.youtube.com/watch?v=Vg7lhW
http://www.youtube.com/watch?v=Cevlym76CWI
http://www.youtube.com/watch?v=OkiMTqYD1_Q

Other demonstrations:
FaceBook: http://www.youtube.com/watch?v=l-9T40Ru7W8
MySpace: http://www.youtube.com/watch?v=ZP324qmNTjY

Other known XSS sites:
Dec 2008 American Express: http://www.theregister.co.uk/2008/12/20/american_express_website_bug_redux/
Nov 2007 (including fbi.gov): http://blogs.securiteam.com/index.php/archives/1030
Friendster: http://www.lifedork.com/friendster-xss-bug-friendster-is-vulnerable-to-xss-again.html
OWASP Top 10 2007, A1: http://www.owasp.org/index.php/Top_10_2007-A1

Forensics & defense:
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
DOM Based Cross Site Scripting: http://www.webappsec.org/projects/articles/071105.shtml
Microsoft .NET Anti-XSS Library: http://www.microsoft.com/downloads/details.aspx?FamilyID=efb9c819-53ff-4f82-bfaf-e11625130c25&DisplayLang=e

WebGoat on BackTrack3 demonstration:
http://www.youtube.com/watch?v=femI7IMP8hw

XSS-ME: http://www.securitycompass.com/exploitme.shtml

www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | hackfest.obnosis.com (503)754-4452
January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security, Forensics @ UAT 1/10/09 12-3PM
Take the Black [Linux BT3] Pill & leave SecurityMatrix, or take the Blue [XP/Vista] Pill & stay happily ignorant.
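To make the "inject HTML, iframe, JavaScript, or redirect where content checking is insufficient" point concrete, here is an added example (mine, not from the post or any of the linked projects): a toy WSGI guestbook with a deliberately vulnerable renderer beside an output-encoded one. It covers both the non-persistent (reflected ?name=) and persistent (stored comment) cases the videos above distinguish. The payloads, the attacker.invalid host, and all function names are constructed for the demo and assumed, not taken from any real site.

```python
import html
from io import BytesIO
from urllib.parse import parse_qs, urlencode

# Constructed payloads, one per injection type named in the post.
PAYLOADS = {
    "script": "<script>alert(document.cookie)</script>",
    "iframe": '<iframe src="http://attacker.invalid/"></iframe>',
    "redirect": '<meta http-equiv="refresh" content="0;url=http://attacker.invalid/">',
    "attribute": '" onmouseover="alert(1)',  # breaks out of a quoted attribute
}


def render_unsafe(name, comments):
    # Deliberately vulnerable 'before': untrusted input is concatenated into the
    # HTML body and into a double-quoted attribute with no encoding at all.
    rows = "".join(f"<li>{c}</li>" for c in comments)
    return f'<h1>Hello {name}</h1><input value="{name}"><ul>{rows}</ul>'


def render_safe(name, comments):
    # Hardened: HTML-encode at output time for the context the data lands in.
    # html.escape(quote=True) turns & < > " ' into entities, which is enough for
    # element text and double-quoted attribute values. It is NOT enough for data
    # placed inside <script>, inside a URL, or inside CSS; those contexts need
    # their own encoders (the .NET Anti-XSS library linked above ships one per context).
    enc = lambda s: html.escape(s, quote=True)
    rows = "".join(f"<li>{enc(c)}</li>" for c in comments)
    return f'<h1>Hello {enc(name)}</h1><input value="{enc(name)}"><ul>{rows}</ul>'


def make_app(renderer):
    # Minimal WSGI guestbook (hypothetical app). GET ?name=... is reflected
    # straight back (non-persistent XSS); POST comment=... is stored and served to
    # every later visitor (persistent XSS). The store is per-app instance.
    guestbook = []

    def app(environ, start_response):
        name = parse_qs(environ.get("QUERY_STRING", "")).get("name", ["guest"])[0]
        if environ.get("REQUEST_METHOD") == "POST":
            size = int(environ.get("CONTENT_LENGTH") or 0)
            form = parse_qs(environ["wsgi.input"].read(size).decode("utf-8"))
            guestbook.append(form.get("comment", [""])[0])
        page = renderer(name, guestbook)
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [page.encode("utf-8")]

    return app


def call(app, method, params):
    # Drive the WSGI app without a server; returns the response body as text.
    body = urlencode(params).encode("utf-8") if method == "POST" else b""
    environ = {
        "REQUEST_METHOD": method,
        "QUERY_STRING": urlencode(params) if method == "GET" else "",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": BytesIO(body),
    }
    seen_status = []
    chunks = app(environ, lambda status, headers: seen_status.append(status))
    return b"".join(chunks).decode("utf-8")


def surviving_payloads(page):
    # Which raw payloads reached the page unchanged? A non-empty list means the
    # browser would execute or render attacker-controlled markup.
    return sorted(k for k, v in PAYLOADS.items() if v in page)


if __name__ == "__main__":
    vuln, fixed = make_app(render_unsafe), make_app(render_safe)
    for target in (vuln, fixed):
        call(target, "POST", {"comment": PAYLOADS["iframe"]})
        call(target, "POST", {"comment": PAYLOADS["redirect"]})
    print("unsafe:", surviving_payloads(call(vuln, "GET", {"name": PAYLOADS["script"]})))
    print("safe:  ", surviving_payloads(call(fixed, "GET", {"name": PAYLOADS["script"]})))
```

The check that matters is surviving_payloads(): against the unsafe renderer every payload comes back verbatim, including the stored ones served to a visitor who never sent anything hostile; against the encoded renderer the same bytes arrive as inert text. Output encoding chosen per context is the fix; input filtering alone (the "content checking" the post mentions) is bypassable and is at best a second layer.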