On the vulnerabilities of web services

["Fabio Pietrosanti (naif)" <lists () infosecurity ch>]

I have no time to write a detailed post on the issues related with the
guys that are recently releasing bugs of web services.

I would like someone analyze the implications, differences in terms of
community advantages, people risks, technology enhancements related with
the disclosure of vulnerabilities of web services (misc websites of
railways, internet providers, public agencies, search engines and
webmails) VS the disclosure of vulnerabilities in standalone pieces of
software.

I don't like the public disclosure of XSSs and SQL Injections (and stuff
like that) on third party web sites, i don't consider it useful for
anyone, too risky for the 'researcher' and too risky for the third party
websites.

Only in July there was a storm of fucking websites vulnerabilities
announcements:

- http://seclists.org/fulldisclosure/2007/Jul/0457.html TRENITALIA.COM
- http://seclists.org/fulldisclosure/2007/Jul/0460.html STATCOUNTER.COM
- http://seclists.org/fulldisclosure/2007/Jul/0437.html ACTUAL TESTS
- http://seclists.org/fulldisclosure/2007/Jul/0296.html ORKUT
- http://seclists.org/fulldisclosure/2007/Jul/0187.html Wachovia Bank
- http://seclists.org/fulldisclosure/2007/Jul/0035.html blinzzard.com
- http://seclists.org/fulldisclosure/2007/Jul/0036.html WORLDOFWARCRAFT.COM

Hey guys, do you feel yourself cooler than before, now?

-naif

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/