Full Disclosure mailing list archives
Re: XSS vulnerabilities in Google.com
From: Mohit Muthanna <mohit.muthanna () gmail com>
Date: Wed, 21 Dec 2005 09:02:08 -0500
On 12/21/05, GroundZero Security <fd () g-0 org> wrote:

> are we starting to post vulnerabilities in specific websites now rather than daemons/clients etc.?

When it's a website with a user-base as large as what Google has, yes. When there is a possibility that user accounts can be compromised, yes.

> i mean there are thousands of websites which are vulnerable to xss, sql injection or worse because of their custom scripts.

Sure, but "google != howardsblog.com". A large part of the population (including myself) relies on Google's various services for day-to-day use. I sure as hell would not feel comfortable knowing that I'm using a service that can potentially leak my information. If there is a vulnerability, no matter how trivial, the public needs to know.

> in my opinion this should be posted to the website owners if you feel like, but it's of no real use to the security community.

That's quite a blanket statement to make. I'm sure a few people in the "security community" would like to know that there exists a vulnerability in a Google service.

> hm another thing i'm wondering about is, is it legal to just audit a website without asking the owner if it's ok?

No. But a site need not be audited to discover a bug.

> how will he know it's not a real attack? ok as for xss there can't be much harm done to the server itself,

XSS can do a lot of harm. A compromised administrator account is generally a compromised server. There are some good XSS resources on the web you can read up on. The bug that was discovered by the parent poster may not lead to a server compromise; but that is no reason to discount or underestimate XSS.

> but what if, for example, you cause a DoS through testing certain variables for overflows?

Then, my friend, you have discovered a bug.

Mohit.

--
Mohit Muthanna [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those who don't."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/