Comments on Mark IJbema's Blog: Why don't people take XSS seriously?

Anonymous (2006-12-24T05:05:00+01:00):

It's not a problem! Just turn JavaScript off in your browser! DUH!!!

In reality, people think that XSS can only be used to falsify the URL field of the browser and that it's easy to spot such activity. Most think it's restricted to email or links you have to click on in a forum. Most people think they can identify "incorrect URLs" to avoid XSS (I'm not sure how they get this idea).

If you tell them it can steal cookies, they don't understand that either. They think stealing cookies means that somebody is taking a peek at what is in their shopping cart. They think cookies are pieces of code that track your location and what you buy. Nobody knows that cookies contain things like session IDs, and those are encrypted anyways, right?

People still think that anti-virus scanners will protect them from any/all malware. People still think that if they upgrade to the latest version of Internet Explorer, Firefox, or Safari, they are now safe from all past security vulnerabilities. Every time they upgrade, that means that all of the zero-day vulnerabilities are now gone until mean hackers find new zero-day exploits, which takes at least a month or two.

Website owners don't care because they don't see the attacks. I guess this stuff just isn't on the radar yet. Until Sergey's GMail account, Wells Fargo account, and the Google HR database get hacked in the same afternoon by some 12-year-old Romanian kid and published on Slashdot, nobody is going to notice or do anything about it.

Mark IJbema (2006-12-24T09:31:00+01:00):

Thanks for your comment. Especially the point about cookies is really one of those things I overlooked since I have been in web development for so long now...