WebApp Sec mailing list archives
RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google
From: <PPowenski () oag com>
Date: Tue, 11 Jul 2006 14:30:25 +0100
As long as there are NO RULES i.e. standards which companies MUST adhere to in order to ensure an application is built for suitability for purpose and a basic set of security principles the current state of software development will continue. There will be those large software vendors which will bend to pressure from large corporations but without a LEGAL framework the huge numbers of small to middle size applications vendors who would prefer smoke and mirrors will continue with that theme since it is zero cost. -----Original Message----- From: tcp fin [mailto:inet_inaddr () yahoo com] Sent: 11 July 2006 05:30 To: Martin O'Neal; drfrancky () securax org; RSnake Cc: bugtraq () cgisecurity net; full-disclosure () lists grok org uk; bugtraq () securityfocus com; webappsec () securityfocus com; websecurity () webappsec org Subject: RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google Hey Martin , I agree with u partly but there are vendors out there in the market who has Dont know DOnt care attitude. If thats the case after idetifying and exploiting the vulnerability in the same vendor product , I personally would not like to waste my and your time with vendor who did not give us fav response before. I would refrain from taking names but I have seen that happening in the past and still some of those vul are existing in those products. However no one can deny Full Disclosure with responsibility the responsible Disclosure !!! Regards, TCP-FIN --- Martin O'Neal <martin.oneal () corsaire com> wrote:
my opinion is that full disclosure is not forvendors ..it's for users. full disclosure is for us to knowhow toreact on certain threads.Which is just fine if you are technically competent to understand the threat, and there is also a valid mitigating strategy you can employ immediately. For the vast majority of situations though, this just isn't the case. The users are not technically competent enough to understand the true threat posed by an entry on a news group (which are generally hopelessly incomplete and/or factually inaccurate) and then this is coupled with a vulnerable product that may be essential, difficult to protect, and a stable official fix that may be weeks or months away from delivery. I personally also believe in full disclosure, but it has to be delivered in a responsible fashion. Dispatching vulnerabilities to a public list without even attempting to contact the vendor is clearly not in the best interest of the vendors nor the great majority of the user base. Martin...
----------------------------------------------------------------------
CONFIDENTIALITY: This e-mail and any files transmitted with it are confidential and intended solely for the use of the recipient(s) only. Any review, retransmission, dissemination or other use of, or taking any action in reliance upon this information by persons or entities other than the intended recipient(s) is prohibited. If you have received this e-mail in error please notify the sender immediately and destroy the material whether stored on a computer or otherwise.
----------------------------------------------------------------------
DISCLAIMER: Any views or opinions presented within this e-mail are solely those of the author and do not necessarily represent those of Corsaire Limited, unless otherwise specifically stated.
----------------------------------------------------------------------
Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF Telephone: +44(0)1483-226000 Email:info () corsaire com
------------------------------------------------------------------------ -
Sponsored by: Watchfire Securing a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
------------------------------------------------------------------------ --
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ------------------------------------------------------------------------ - Sponsored by: Watchfire Cross-Site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today. This whitepaper will discuss how traditional CSS attacks are performed, how to secure your site against these attacks and check if your site is protected. Cross-Site Scripting Explained - Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr ------------------------------------------------------------------------ -- This e-mail is intended for the named recipient(s). It and any attachments may contain privileged and/or confidential information. They may not be disclosed to or used by or copied in any way by anyone other than the intended recipient. If you are not one of the intended recipients, or this email is received in error, please immediately either notify the sender or contact OAG Worldwide Limited on +44 (0) 1582 600111 quoting the name of the sender and the email address to which it has been sent and then delete it and any attachment(s). While all reasonable efforts are made to safeguard inbound and outbound e-mails, OAG Worldwide Limited and its affiliate companies cannot guarantee that attachments do not contain any viruses or are compatible with your systems, and does not accept liability in respect of viruses or computer problems experienced. Neither OAG Worldwide Limited nor the sender accepts any responsibility for viruses and it is your responsibility to scan or otherwise check this email and any attachments. OAG Worldwide Limited may monitor or record outgoing and incoming e-mail to secure effective system operation and for other lawful purposes. By replying to this email you give your consent to such monitoring. Thank you. OAG Worldwide Limited is a company registered in England and Wales (registered number 4226716), with its registered office at Church Street, Dunstable, Bedfordshire, LU5 4HB, United Kingdom. ------------------------------------------------------------------------- Sponsored by: Watchfire Cross-Site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today. This whitepaper will discuss how traditional CSS attacks are performed, how to secure your site against these attacks and check if your site is protected. Cross-Site Scripting Explained - Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr --------------------------------------------------------------------------
Current thread:
- RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google Martin O'Neal (Jul 06)
- <Possible follow-ups>
- RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google PPowenski (Jul 11)