Cross Site Scripting

Do e-commerce business with, and have webmail hosted by, secure companies only. Can someone hijack your login session through a vulnerability of their website? Obviously, this is not a client issue, but a problem within the servers.

My non-exhaustive list of examples of vulnerabilities (some may have been fixed since, but others are surely waiting to be discovered):

XSS in Oracle default fcgi-bin/echo http://lists.grok.org.uk/pipermail/full-disclosure/2010-October/076794.html
Paypal XSS Vulnerability http://lists.grok.org.uk/pipermail/full-disclosure/2010-March/073836.html
Cross-Site History Manipulation (XSHM) http://www.securityfocus.com/archive/1/509271 http://www.securityfocus.com/archive/1/509285
Twitter "swine flu" worm http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071493.html
common dns misconfiguration can lead to "same site" scripting http://www.securityfocus.com/archive/1/486606 http://www.securityfocus.com/archive/1/486724
BT Home Flub: Pwnin the BT Home Hub (5) - exploiting IGDs remotely via UPnP http://lists.grok.org.uk/pipermail/full-disclosure/2008-January/059536.html
XSS with UTF-7 in Google http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/059306.html
XSS - bank of america http://lists.grok.org.uk/pipermail/full-disclosure/2007-November/058203.html
AusCERT ESB-2007.0730 -- Google Search Application XSS Vulnerability http://www.auscert.org.au/8131
Apache2 Undefined Charset UTF-7 XSS Vulnerability http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/056697.html
(Not an XSS at all, but where to put this?)
Yahoo! Messenger Auth Bypass Vulnerability http://www.securityfocus.com/archive/1/463932
GMail Contact Information Disclosure PoC http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/052972.html
Advisory 03/2007: Multiple Browsers Cross Domain Charset Inheritance Vulnerability http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052656.html
Overtaking Google Desktop http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052580.html http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052612.html
Fix Update: Disable Google Desktop Link Integration with IE & FireFox http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/053156.html
Cold Fusion Web Server XSS 0 day http://www.securityfocus.com/archive/1/459178
Cross-site Scripting with Local Privilege Vulnerability in Yahoo Messenger http://www.securityfocus.com/archive/1/458225
Universal XSS with PDF files: highly dangerous http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/051565.html
Adobe Acrobat Reader Plugin - Multiple Vulnerabilities http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/051573.html
[WEB SECURITY] Universal XSS with PDF files: highly dangerous http://www.securityfocus.com/archive/1/455817
Defeating Image-Based Virtual Keyboards and Phishing Banks (fwd) http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050874.html http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050891.html
CAU-2006-0001: Myspace.com Trojaned Navigation Menu http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050746.html
Hotmail and Windows Live Mail XSS Vulnerabilities http://www.securityfocus.com/archive/1/450723
Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053] http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049785.html
Stealing Search Engine Queries with JavaScript http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049755.html
Major UK Bank Web Sites With Serious Security Flaws http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049701.html
Yahoo! Research Multiple vulnerabilites http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048899.html
Bypassing script filters with variable-width encodings http://www.securityfocus.com/archive/1/442904
msn.com xss http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048664.html
Hotmail/MSN Cross Site Scripting Vulnerability http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048645.html
Yahoo! Mail + Firefox Filter Bypass http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/048230.html
Amazon and Msn vulnerabilities http://www.securityfocus.com/archive/1/438388
Yahoo Multiple vulnerabilities (Authentication Bypass, Session Binding, Cookie Encoding Security Weakness, Cross-Site Scripting and URL Redirection) http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047023.html
Vunerability in yahoo webmail. http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046827.html http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046831.html
Flash adverts and XSS (clickTAG revisited) http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046647.html
[Argeniss] Alert - Yahoo! Mail XSS vulnerability http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/045632.html
ebay javascript injection http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/045042.html
Microsoft MSN Hotmail : Cross-Site Scripting Vulnerability http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044344.html
CORE-2006-0124 Cross-Site Scripting in Verisign's haydn.exe CGI script http://www.securityfocus.com/archive/1/428267
Ebay XSS http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/042621.html
Hotmail/MSN Cookie Theft Advisory/Xploit http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042518.html
Cross Site Cooking http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041828.html http://www.securityfocus.com/archive/1/423900
AOL Multiple Cross Site Scripting Vulnerability http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041163.html
AIM Multiple Cross Site Scripting Vulnerability http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041164.html
Yahoo mail Cross Site Scripting vulnerability http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040599.html
Google is vulnerable from XSS attack http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/039507.html
SEC Consult SA-20050212-1 :: A Word on Webmail Security and Browser related XSS Bugs http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/039462.html
[scip_Advisory 1746] Microsoft Internet Explorer 6.0 embedded content cross site scripting http://lists.grok.org.uk/pipermail/full-disclosure/2005-September/037332.html
Commonwealth Bank Cross-Site-Scripting advisory http://lists.grok.org.uk/pipermail/full-disclosure/2005-September/037137.html
Coldfusion Fusebox V4.1.0 Vulnerability http://www.securityfocus.com/archive/1/407159
OWA login redirection - Mitigation http://lists.grok.org.uk/pipermail/full-disclosure/2005-July/035357.html
WebCT 4.1 vulnerable to XSS attacks http://www.securityfocus.com/archive/1/395544
XSS vulnerabilty in ASP.Net [with details] http://www.securityfocus.com/archive/1/390751

Cross Site Scripting is often abbreviated as XSS or CSS, though the latter also means Cascading Style Sheets...

For further information on XSS see:

The Cross Site Scripting FAQ http://www.cgisecurity.com/articles/xss-faq.shtml
Cross-site scripting http://en.wikipedia.org/wiki/Cross-site_scripting
The Evolution of Cross-Site Scripting Attacks http://www.cgisecurity.com/lib/XSS.pdf
Cross-Site Tracing (XST) http://www.cgisecurity.com/lib/WH-WhitePaper_XST_ebook.pdf
XST Strikes Back http://www.securityfocus.com/archive/1/423028
The Cross-Site Request Forgery (CSRF/XSRF) FAQ http://www.cgisecurity.com/articles/csrf-faq.shtml
Information on Cross-Site Scripting Security Vulnerability http://www.microsoft.com/technet/security/news/crssite.mspx
Malicious HTML Tags Embedded in Client Web Requests http://www.cert.org/advisories/CA-2000-02.html
Understanding Malicious Content Mitigation for Web Developers http://www.cert.org/tech_tips/malicious_code_mitigation.html
XSS (Cross Site Scripting) Cheatsheet: Esp: for filter evasion - by RSnake http://ha.ckers.org/xss.html
Phishing with Super Bait http://www.whitehatsec.com/presentations/phishing_superbait.pdf

Paul Szabo psz@maths.usyd.edu.au 10 Oct 10