A little while ago I was trying to convince an application owner that they needed to prioritise an XSS vulnerability. It was on a critical, public-facing application with a large user base.
The argument was that it was a medium vulnerability, cookies were adequately protected and according to the company's SLAs it had to be actioned within 30 days. I felt that the potential impact of this vulnerability was a lot higher. So, I went to work.