Full Disclosure mailing list archives
RE: Re: New Web Vulnerability - Cross-Site Tracing
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Thu, 23 Jan 2003 17:48:08 -0500
Steven, Do you know of any cases of cross-site scripting being used in the real world? I looked around last fall some and couldn't find any examples being reported. XSS errors are real easy to make, so it is not surprising they are the 2nd most frequently reported vulnerability. Richard -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Steven M. Christey Sent: Thursday, January 23, 2003 5:18 PM To: bugtraq () securityfocus com; webappsec () securityfocus com; vulnwatch () vulnwatch org; full-disclosure () lists netsys com Subject: [Full-disclosure] Re: New Web Vulnerability - Cross-Site Tracing
The XSS plague? The only XSS plague I know of is on Bugtraq and other disclosure mailing lists. Is anyone else sick of seeing posts about XSS problems in PHP applications that runs on a total of five sites?
XSS (including "HTML injection" for those who make such distinctions) was the 2nd most frequently reported vulnerability last year, behind buffer overflows, based on CVE statistics. Many people still seem to think XSS is just about cookie theft. While there may not be many publicly reported exploits of XSS issues, or of web client vulnerabilities in general, it seems likely that applications will become a more attractive target to hackers as it gets more difficult to break into servers. The fact that XSS frequently shows up in obscure applications is an indicator of how programmers are poorly trained with respect to this type of issue. (I know the state of things is bad in general, but more programmers probably know about buffer overflows than XSS). Personally, I'm glad to see the contributions made by up-and-coming vulnerability auditors who get their start by auditing easier targets. They help to demonstrate how widespread the problems are while educating the affected developers in the process, who hopefully will not make the same mistakes again.
Code Red was a plague. Melissa was a plague.
Agreed; however, XSS worms have been theorized (see [1] for one variant), and widely deployed XSS-vulnerable applications like bulletin boards could be an unfortunate breeding ground. - Steve [1] http://online.securityfocus.com/archive/107/302027/2002-11-29/2002-12-05 /0 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: New Web Vulnerability - Cross-Site Tracing Jeremiah Grossman (Jan 22)
- <Possible follow-ups>
- Re: New Web Vulnerability - Cross-Site Tracing xss-is-lame (Jan 22)
- Re: New Web Vulnerability - Cross-Site Tracing Jeremiah Grossman (Jan 22)
- Re: New Web Vulnerability - Cross-Site Tracing Tim Greer (Jan 22)
- Re: New Web Vulnerability - Cross-Site Tracing Jeremiah Grossman (Jan 22)
- Re: New Web Vulnerability - Cross-Site Tracing Tim Greer (Jan 22)
- Re: New Web Vulnerability - Cross-Site Tracing Jeremiah Grossman (Jan 22)
- Re: New Web Vulnerability - Cross-Site Tracing H D Moore (Jan 23)
- Re: Re: New Web Vulnerability - Cross-Site Tracing zeno (Jan 23)
- Re: Re: New Web Vulnerability - Cross-Site Tracing Thor Larholm (Jan 23)
- RE: Re: New Web Vulnerability - Cross-Site Tracing Richard M. Smith (Jan 23)
- Re: Re: New Web Vulnerability - Cross-Site Tracing Michal Zalewski (Jan 24)