Comments on: DIY Widgets: XSS components to other sites

By: Dr Nic

Dr Nic — Wed, 06 Dec 2006 20:44:43 +0000

I just noticed “aspx” in your comment so I assume you’re looking for an ASP.NET example. Perhaps check out AJAX.NET library?

By: Dr Nic

Dr Nic — Wed, 06 Dec 2006 20:43:18 +0000

Are you asking, “how do I generate the JavaScript based on database data?” That would be server-side specific. But you might generate the following:

var profiledata = [1,2,3,4];
MyMagicXss.serverResponse(profiledata);

By: Renzo

Renzo — Tue, 05 Dec 2006 14:31:04 +0000

Hi Dr Nic thanks for reply my comment but my answer was How to get data to database from javascript and put this value in this line
profiledata = ?????? ‘Value of DataBase’
MyMagicXss.serverResponse([â€™profiledataâ€™]);

In your example, the method requestContent contain this line:
script.src = CONTENT_URL where CONTENT_URL = “http://drnicwilliams.com/wp-content/uploads/2006/11/people_list.js”;

I could call to aspx page but how to return the data??

By: Dr Nic

Dr Nic — Tue, 05 Dec 2006 09:31:08 +0000

Yeah, that is the sort of JavaScript syntax you’d need: you’re passing any normal JavaScript value into the response method.

By: Renzo

Renzo — Mon, 04 Dec 2006 21:41:28 +0000

Hi i want to know how get data to database and put in this line:
MyMagicXss.serverResponse(['profiledata']); i don’t know please help me
Thanks. I work with c#, if you have some example with it would be perfect

By: Dr Nic

Dr Nic — Thu, 23 Nov 2006 11:38:02 +0000

@SD – I think JavaScript, and all the things you can do with it, are still new to many people. Especially with wave of people coming into the web development arena.

By: Sad Developer

Sad Developer — Thu, 23 Nov 2006 10:41:54 +0000

@Richard Ingams + @Dr Nic: I feel sarcasm (fair enough, considering that my comment was sarcasm as well)… what I am just trying to say is where is the news?
Tutorials for basic scripting and HTML are fine, but don’t put this on Ajaxian. (as Schools are fine as long as you don’t put the solution to 1+1 on the front page of newspapers)…
:)

By: Dr Nic

Dr Nic — Thu, 23 Nov 2006 09:37:28 +0000

@Kris – I agree that XSS can cause issues. I was just being brash and trying to create an interesting introduction into a longish article.

@Phill – i think yuo can run into difficulties if the 3rd party site is also loading libraries. For example, $(…) is implemented by prototype + jQuery differently. Embedding your widget in an iframe makes this clean though.

@Sad Developer – I’m still working on an article “Introducing HTML” – stay tuned.

By: Kris Zyp

Kris Zyp — Wed, 22 Nov 2006 22:22:48 +0000

And also, you did provide a nice, organized approach to doing xss, good job. Just thought people should understand what xss means as a vulnerability.

By: Kris Zyp

Kris Zyp — Wed, 22 Nov 2006 22:21:07 +0000

This statement on your site:
XSS rocks and Wikipedia is wrong
So, Wikipedia and Google differ in their thinking. Iâ€™m with Google. XSS rocks.
I do not believe this statement reflects an accurate understanding of cross site scripting as a security vulnerability. Cross site scripting is vulnerability introduced by web browsers because many sites these days allow users to input data and show that data on the website (the essense of a blog). However, if a malicious user inputs a xss script tag (as you just outlined in your article) that can be outputed by the html of the blog, and they can bring in their own JavaScript to read your cookies that might contain login information from the site you are blogging on and send it back to their own server. In practice, cross site scripting vulnerability generally refers to the vulnerability in many web applications of accepting user input data (such as the form) without doing any escaping or stripping of script tags before outputing (when you read my comments). Wikipedia is absolutely correct that this is a security vulnerability. If you have ever built an application that receives and displays user input (and wanted it to be secure), you would know that there is often some extra work that goes in to preventing these situations. However, you would be mistaken to believe that taking advantage of this cross site scripting is itself a security vulnerability. It is not inherently a security vulnerability to exploit a feature that is a security vulnerability. Google is absolutely correct in utilizing xss, and so are you.
BTW, I think that it is interesting that the browsers implementation of XmlHttpRequest prevents cross site access. It would seem there were correcting for their oversight in allowing cross site script tags.

By: Richard Ingham

Richard Ingham — Wed, 22 Nov 2006 20:12:02 +0000

>>lame article for newbiesâ€¦
Are you implying the article is lame because it is for newbies? Perhaps we should also get rid of schools, considering they’re for newbies too.

By: Sad Developer

Sad Developer — Wed, 22 Nov 2006 17:06:19 +0000

yo… this guy discovers the web… we have been doing this ever since javascripts exists (nearly)… remember hit counters?

lame article for newbies…

By: Phill Kenoyer

Phill Kenoyer — Wed, 22 Nov 2006 16:49:53 +0000

I’ve been doing it this way for years. Use the DOM to load Prototype/Script.aculo.us, CSS and my own DHTML magic.

By: Dr Nic

Dr Nic — Wed, 22 Nov 2006 15:27:23 +0000

You need to convert