<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap:break-word"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">Yeah, this rang false to me too. It’s also the reason you can’t take a client with 100 applications and run a tool that spams every discovered endpoint with XSS vectors; their customers scream bloody murder when every other page starts popping an alert box.</div> <br> <div id="bloop_sign_1476214136072925184" class="bloop_sign"></div> (This comes up a lot because people who don’t do large-scale testing tend to believe XSS is something you can safely test for everywhere).<div><p class="airmail_on">On October 11, 2016 at 2:28:12 PM, Eric Schultz (<a href="mailto:fire0088@gmail.com">fire0088@gmail.com</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div><div></div><div>
<p dir="ltr">&quot;You cannot deface websites with
cross-site-scripting&quot;</p>
<p dir="ltr">You can with stored cross site scripting.</p>
<p dir="ltr">You can if the app is also vulnerable to cross site
request forgery.</p>
<p dir="ltr">You can if you steal a privileged session and you have
network access.<br></p>
<p dir="ltr">-Eric</p>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Oct 10, 2016 11:24 AM, &quot;Dave Aitel&quot;
&lt;<a href="mailto:dave.aitel@gmail.com">dave.aitel@gmail.com</a>&gt;
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">2 Book Reviews in this post.
<div><br></div>
<div>1. <a href="https://www.amazon.com/Lab-Girl-Hope-Jahren-ebook/dp/B00Z3FYQS4/ref=tmm_kin_swatch_0?_encoding=UTF8&amp;qid=1476112205&amp;sr=8-1" target="_blank">Lab Girl</a> : Probably the best book I&#39;ve
read all year. Immediately go and purchase and read this. Speaks
well to the hacker spirit, but is written like poetry. </div>
<div><br></div>
<div>2. <a href="http://cybersecpolitics.blogspot.com/2016/10/book-review-cyber-war-vs-cyber-realities.html" target="_blank">http://cybersecpolitics.blogspot.com/2016/10/book-review-cyber-war-vs-cyber-realities.html</a> -
Read my review please, but don&#39;t buy the book. :) I masochistically
read these books because if you don&#39;t publicly review them, they
filter into things people &quot;know&quot; about cyber war strategy, and make
for very painful policy meetings and Wassenaar-like things. People
who write these sorts of books need to write them knowing someone is
going to read them with a critical eye.</div>
<div><br></div>
<div>-dave</div>
<div><br></div>
</div>
<br>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>

<br></blockquote>
</div>
</div>
<br></div></div></span></blockquote></div></body></html>
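One illustration of the stored-XSS defacement Eric describes, as an added example that is not part of the thread (the CSRF and stolen-session cases he also lists are not shown): a constructed guestbook whose comment list is rendered with string concatenation, next to the output-escaped version. Everything here (the comment store, the `escapeHtml`, `renderUnsafe`, `renderSafe` and `hasActiveContent` helpers, the payload text) is hypothetical and runs under Node without a DOM, because the point is the HTML the server would send to every visitor, not the browser that executes it.

```javascript
// Added example, not from the thread: a minimal guestbook showing how a
// stored XSS payload turns into a persistent defacement for every visitor,
// next to the output-escaping fix. Runs under Node with no DOM, because the
// point is the HTML the server emits, not the browser that executes it.

// Escape the five characters that matter when untrusted text lands in an
// element body or a double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable renderer: stored comments are concatenated straight into markup.
function renderUnsafe(comments) {
  return comments.map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`).join('\n');
}

// Hardened renderer: same markup, but every untrusted field is escaped on output.
function renderSafe(comments) {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('\n');
}

// Crude static check for markup a browser would execute: a script-capable tag,
// or an on* event-handler attribute that sits inside a tag. Escaped text has no
// literal '<', so it can never satisfy either pattern.
function hasActiveContent(html) {
  return /<\s*(script|img|svg|iframe|object)\b/i.test(html) ||
         /<[^>]*\son\w+\s*=/i.test(html);
}

// Constructed defacement payload (hypothetical): once stored, it rewrites the
// page body for everyone who loads the comment list.
const DEFACE_PAYLOAD = `<img src=x onerror="document.body.innerHTML='<h1>Defaced</h1>'">`;

function demo() {
  const comments = []; // constructed in-memory store standing in for a DB
  comments.push({ author: 'alice', body: 'nice site' });
  comments.push({ author: 'mallory', body: DEFACE_PAYLOAD });
  const unsafe = renderUnsafe(comments);
  const safe = renderSafe(comments);
  return {
    unsafe,
    safe,
    unsafeIsExploitable: hasActiveContent(unsafe), // true: payload survives as a live <img onerror>
    safeIsExploitable: hasActiveContent(safe),     // false: payload survives only as visible text
  };
}
```

The check in `hasActiveContent` is deliberately narrow and only serves the demo; it would miss `javascript:` URLs, unquoted attribute contexts, or input that lands inside an existing `<script>` block, which is why the real fix is context-appropriate output encoding (here, HTML-body and attribute escaping) rather than filtering the stored text.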