http://ccc.domaindlx.com/osamabinscapegoat...tacks%20FAQ.pdf

Comments Please.

Took a quick look through,
Looks good as far as I read

For the users here is a table of contents:

Introduction
What Are XSS Attacks?
Script Injection & XSS
What Can Attackers Do With XSS?
An Attack Scenario
Hunting Down Vulnerable Sites
Examples of XSS Exploits & Vulnerabilities
Encoding Attack URL's
How Can I Protect Myself Against XSS Attacks?
What Can I The Vendor Do?
Conclusion
Vendor Information
Greetz To
About The Author
DISCLAIMER

hey hey, from a guy who doesnt know xss well that was a pretty good article. If its just as simple as checking which characters are allowed in userinput then that seems like an ok comprimise, wouldnt want to be the one going through the major Content Managment Systems code putting the checks in place....

Excellent FAQ, I've been messing with XSS the past days, and almost every site got them, latest I found was a very popular search engine. It can be a littel tricky in the beginning, but by looking though the sourcecode every time you try another method, you can get the feeling on how to manage to exploit it, like if you need a " there and > there..

Its a nice litle article about Xss and i think it will be useful for alot of people who dont really know what xss is. i'm sure it will clarify alot of things for those people.

thanks for the contribution aelphaeis_mangarae

nice read .... recommended you to be upgraded bud

Suggestion:
Keep the title fonts serif but make the text itself sanserif. Sanserif fonts are easier on the eyes and when the paper is printed, will look better.

Everything else looks great!

hey aelphaeis_mangarae,
great tut. however i will read it more carefully and post back with some sugestions, more things can be said / explained in the world of Script Injection, XSS, SQL Injection, HTML Injection and all other stuff ended in Injection.
I do not meat to say anything bad about your faq(lack of better sentence terrible english,sorry) it's great but i think i can help you improve it a bit.
Right now i'm kind of busy finishing schoool, graduation... the drill but as soon as i get some spare time i'll "brush up " my SQL Injection mini-HOWTO that i've been writing for some time and if you agree maybe a "merge" can be done, and a more comprehensive how-to made available for the ppl of GSO and/or the world.

Plz reply...
i promise i'll read the full doc later.. tomorow maybe.

Yeh...I love Courier New though....my teachers at school are like

"What is it with you and that Font!"

My next paper will be written in Sans Serief...

pedropalmeiro....contact me

adm1n1strat10n AT hotmail DOT com

MSN or Email...

ICQ: 314-202-259

Yahoo: aelphaeis_mangarae88 AT yahoo DOT com

n1 paper indeed
i have already read some of this papers, would be interessesting how
"steal.cgi" looks like, because there are different ways of it.

for mine i have writeen such steal script in php, which will insert the document.cookie in my db, and send them to my email..

when anyone is interessed to TRADE then pm or contact me

sc0pe