Full Disclosure mailing list archives
Re: on xss and its technical merit
From: coderman <coderman () gmail com>
Date: Wed, 12 Dec 2007 04:17:10 -0800
so who won?  can we argue about CSRF yet?
perhaps an interlude with 0day or !0day moderated by Gadi...

On Nov 5, 2007 12:00 AM, pdp (architect) <pdp.gnucitizen () googlemail com> wrote:

comments inlined

hey look i top posted

<pdp> we are not talking about whether XSS is suitable for all kinds of
<pdp> attacks. We are talking about the technical merits of XSS.

so some exploit techniques are impressive on their own, regardless of any
other context, like check heaps evasion.  suitable for very little/few
real world attacks, but still worthwhile / notable.

<pdp> There are XSS script kiddies as well Buffer Overflow script kiddies.
<pdp> Just because you can find XSS does not mean that you've done something
<pdp> amazing and extraordinary.

so xss needs more than just to exist.  it needs to be unique or notable
among xss, perhaps by leveraging for escalation, or previously unknown
vector to deliver it...

<pdp> BTW, it does look like an achievement when you find a XSS inside an
<pdp> application that 1000 more people play with (look for similar bugs) on
<pdp> a daily basis. XSS in some small apps are stupid. XSS on the default
<pdp> Google Search Interface is as valuable as remotely exploitable buffer
<pdp> overflow for Linux 2.6.x kernels (distribution independent).

a researcher discovers an xss vector in a google service, it is likely
notable and/or interesting because they protect against (most) known
attacks.  this can be a useful metric.

"is your xss against google, microsoft, yahoo, ebay?  if not, think twice
about its merit..."

<reepex> yes and i guess bad for you is that the only xss you really see posted (fd,
<reepex> milw0rm, security focus) is people posting <script>alert('hi')</script>

i thought it was <script>alert('XSS')</script> ...

oh hey, if you see message "XSS" you got pwnies and i get credit.  ok? ok!

to help the cause, consider this snippet:

- doRequest() is your usual ajax helper provided by target site/service
- /account/doreset is the URL for service that provides "reset my account" feature
- doreset uses ok to confirm user action, "are you sure?"  ok=1

<DIV STYLE="width: expression(doRequest('/account/doreset?ok=1&session='+document.cookie.substring(10,36),'GET')+doRequest('logout','GET')+alert('OMG pwnies'));">

some fun details:

the confirm reset action requires the session cookie to verify against in
attempt to avoid easy CSRF and friends.

the usual script elements are heavily filtered by service, but hey, IE is
friendly with expression that squeaks through form filter...

end result: target account reset, logged off, and browser displays endless
popups until they kill or reboot.

this is more than <script>alert('XSS')</script>, but still not fucking
check heaps.

btw, same snippet to pull session cookie can be used for session hijack
(read according to same origin, post to anywhere for pick up and
hijack...)  is hijacking of active session more interesting?  perhaps...

you get the picture.  by now, all the low hanging fruit for xss is eaten.
so perhaps "xss should be discussed much less" is the only concrete thing
we all agree on?

<reepex> also (unless im missing) something in another email you mentioned like 15
<reepex> different kinds of xss which I am sure are all interesting in their own way
<reepex> but the most you can get out of them is simple browser games.

<pdp> As I said, this is not the case. Chrome based XSS, we covered a few in
<pdp> the XSS book I believe, are very different, for example. In some case
<pdp> the XSS vector resides inside a Sandbox. Now you need to find a way to
<pdp> get out of the sandbox and as such reaching again the browser
<pdp> internals. Flash based XSS can lead to a lot of damages especially
<pdp> when combined with something like desktop AIR applications which are
<pdp> granted with full control over the client machine. AIR also can run
<pdp> HTML pages which also can lead to elevated privileges and as such
<pdp> access to the system. What about desktop and mobile Widgets?

back to uniqueness / clever method, all of which these many are now old news.
they were legitimately discussed when discovered.  no need to hash over
the same tricks...

next xss post to FD better be new and sexy or reepex shoots you in the face.

criteria for xss vuln poster to live:

if xss...
- is in major site / service AND/OR
- uses previously unknown vector for attack AND/OR
- is combined with other methods for impressive result
...you get to live.  for today...

all those in favor let this thread die in silence.
the ayes have it.  meeting adjourned.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
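The filter-bypass point in the post above, as an added example that is not part of the original message: a tag blacklist of the kind the service is described as using, beside an allow-list sanitizer that never emits a style attribute at all; every sample input is constructed.

```javascript
// Added example (not from the original post): the tag blacklist the post describes,
// beside an allow-list sanitizer that drops style= outright, so the IE expression()
// vector never reaches the browser. The sample input below is constructed.

// Blacklist: strips <script> elements only. A style attribute carrying
// expression() passes through untouched, which is the gap the post exploits.
function blacklistFilter(html) {
  return html.replace(/<\s*\/?\s*script\b[^>]*>/gi, "");
}

// Allow-list: the only tags and attributes permitted to survive. style= and all
// on* handlers are absent, so there is nothing to bypass, only things omitted.
const ALLOWED = { b: [], i: [], p: [], a: ["href"] };
const isAllowedTag = t => Object.prototype.hasOwnProperty.call(ALLOWED, t); // not "constructor"

function encodeAttr(v) {
  return v.replace(/[&<>"']/g,
    c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// href may only be an absolute http(s) URL; javascript: and data: are rejected.
function safeHref(v) {
  const t = v.trim();
  return /^https?:\/\//i.test(t) ? t : null;
}

function allowlistSanitize(html) {
  // A "<" that does not start a tag is text and is encoded as such.
  const text = html.replace(/<(?!\/?[a-z])/gi, "&lt;");
  // Rebuild every tag from scratch; unknown tags vanish, their text content stays.
  return text.replace(/<(\/?)([a-z][a-z0-9]*)([^>]*)>/gi, (m, close, name, attrs) => {
    const tag = name.toLowerCase();
    if (!isAllowedTag(tag)) return "";
    if (close) return `</${tag}>`;
    let out = `<${tag}`;
    const re = /([a-z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi;
    let a;
    while ((a = re.exec(attrs)) !== null) {
      const attr = a[1].toLowerCase();
      if (!ALLOWED[tag].includes(attr)) continue; // style=, onclick=, ... dropped here
      const raw = a[3] ?? a[4] ?? a[5];
      const val = attr === "href" ? safeHref(raw) : raw;
      if (val !== null) out += ` ${attr}="${encodeAttr(val)}"`;
    }
    return out + ">";
  });
}

// Detection for a review queue or filter log: flags the vector either way.
function carriesExpression(html) {
  return /expression\s*\(/i.test(html) || /javascript\s*:/i.test(html);
}

// Constructed sample in the shape of the post's payload, with a harmless body.
const SAMPLE = '<DIV STYLE="width: expression(alert(\'XSS\'));">hi</DIV>';
```

A regex-driven sanitizer is used only to keep the example short; a production filter should be parser-based. The cookie-derived confirmation value in the post is no defence once script runs in the page's origin, since document.cookie is readable there unless the cookie is HttpOnly.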