SecurView
XSIO - Cross Site Image Overlaying
VULNERABILITY
When users are allowed to write content into part of a web application, a small design or configuration mistake can let that content alter how the whole page is displayed. This happens particularly when a developer adds functionality at the cost of security. Two prerequisites must hold for this vulnerability to exist:
  • The webapp must allow one to "write" to at least some part of it: a blog, a message board, any site with pages that accept user comments, or a similar "Web 2.0" service. In simpler words, users must be able to post data that is stored on the server side and later displayed to other users.

  • The webapp must allow the user to set 'style' attributes on the user-submitted image. This happens when user-submitted content is not properly filtered or validated before it is accepted, or when nothing restricts the user from setting arbitrary style attributes on the image. Technically this criterion is the same as for XSS, but the difference is that no malicious 'script' is involved as such: the 'style' attribute alone (for example, absolute positioning and a high z-index) is enough to place the attacker's image over legitimate page content.
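The two conditions above, shown side by side as an added example (this is not SecurView's code): a naive comment renderer stores and echoes a user-supplied image with its style attribute intact, so the image can be positioned over the real page, while a hardened renderer rebuilds every image from an allowlist of attributes and CSS properties and HTML-escapes everything else. The sample comment, the hostname attacker.example and all function names are constructed for this illustration; the regex-based tag handling is a simplification, and a real application should run user HTML through a full sanitizer.

```javascript
// Added example (not SecurView's code): a comment renderer that echoes a
// user-supplied <img> with its style attribute intact (the XSIO condition),
// beside a hardened renderer that keeps only an allowlist of attributes and
// CSS properties. All names and the sample comment are constructed.

// Constructed sample: an image styled to cover the whole page, so it would
// sit on top of the site's real content (e.g. over a login form).
const OVERLAY_COMMENT =
  'Nice post! <img src="https://attacker.example/fake-login.png" ' +
  'style="position:absolute; top:0; left:0; width:100%; height:100%; z-index:9999">';

// Vulnerable renderer: stored user markup is written into the page as-is.
function renderCommentNaive(commentHtml) {
  return `<div class="comment">${commentHtml}</div>`;
}

// CSS properties a user may set on an image. Nothing that takes the image out
// of normal document flow or stacks it over other content (position, top,
// left, z-index, transform, ...) is in the list.
const ALLOWED_CSS = new Set(['width', 'height', 'border', 'margin']);
// Values are limited to plain lengths, colours and keywords: no url(),
// expression() or escape sequences.
const SAFE_VALUE = /^[a-z0-9.#%\- ]+$/i;

// Keep only allowlisted declarations from a style attribute value.
function sanitizeStyle(style) {
  const kept = [];
  for (const decl of style.split(';')) {
    const i = decl.indexOf(':');
    if (i < 0) continue;
    const prop = decl.slice(0, i).trim().toLowerCase();
    const val = decl.slice(i + 1).trim();
    if (ALLOWED_CSS.has(prop) && SAFE_VALUE.test(val)) kept.push(`${prop}:${val}`);
  }
  return kept.join(';');
}

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Minimal tag/attribute matching for this example; a real application should
// run user HTML through a full sanitizer rather than regexes.
const IMG_TAG = /<img\b([^>]*)>/gi;
const ATTR = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Rebuild an <img> from scratch, keeping only src (http(s) only), alt and a
// sanitized style. Everything else (onerror, usemap, id, class, ...) is dropped.
function sanitizeImg(attrText) {
  const kept = [];
  for (const m of attrText.matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (name === 'src' && /^https?:\/\//i.test(value)) kept.push(`src="${escapeHtml(value)}"`);
    else if (name === 'alt') kept.push(`alt="${escapeHtml(value)}"`);
    else if (name === 'style') {
      const s = sanitizeStyle(value);
      if (s) kept.push(`style="${s}"`);
    }
  }
  if (!kept.some(a => a.startsWith('src='))) return ''; // no usable image: drop it
  return `<img ${kept.join(' ')}>`;
}

// Hardened renderer: text is HTML-escaped and every <img> is rebuilt.
function renderCommentSafe(commentHtml) {
  let out = '';
  let last = 0;
  for (const m of commentHtml.matchAll(IMG_TAG)) {
    out += escapeHtml(commentHtml.slice(last, m.index)) + sanitizeImg(m[1]);
    last = m.index + m[0].length;
  }
  out += escapeHtml(commentHtml.slice(last));
  return `<div class="comment">${out}</div>`;
}

console.log(renderCommentNaive(OVERLAY_COMMENT)); // overlay styling survives
console.log(renderCommentSafe(OVERLAY_COMMENT));  // only width/height remain
```

Run with `node` to compare the two outputs. The hardened version works by construction rather than by blocklist: instead of looking for "dangerous" properties, it emits only the declarations it knows are harmless, so a new positioning property or an obfuscated spelling is dropped by default.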
© 2007 SecurView, Inc. All rights reserved. SecurView and the SecurView logo are trademarks of SecurView, Inc.
All other trademarks mentioned in this document or Website are the property of their respective owners.