Full Disclosure mailing list archives

Re: XSS vulnerabilities in Google.com


From: Mohit Muthanna <mohit.muthanna () gmail com>
Date: Wed, 21 Dec 2005 09:02:08 -0500

On 12/21/05, GroundZero Security <fd () g-0 org> wrote:

> are we starting to post vulnerabilities in specific websites now rather than
> daemons/clients etc. ?

When it's a website with a user-base as large as what Google has, yes.

When there is a possibility that user accounts can be compromised, yes.

> i mean there are thousands of websites which are vulnerable to XSS, SQL
> injection or worse because of their custom scripts.

Sure, but "google != howardsblog.com". A large part of the population
(including myself) relies on Google's various services for day-to-day
use. I sure as hell would not feel comfortable knowing that I'm using
a service that can potentially leak my information.

If there is a vulnerability, no matter how trivial, the public needs to know.

> in my opinion this should be posted to the website owners if
> you feel like, but it's of no real use to the security community.

That's quite a blanket statement to make. I'm sure a few people in the
"security community" would like to know that there exists a
vulnerability in a Google service.

> hm another thing i'm wondering about is, is it
> legal to just audit a website without asking the owner if it's ok ?

No. But a site need not be audited to discover a bug.

> how will he know it's not a real attack? ok as
> for XSS there can't be much harm done to the server itself,

XSS can do a lot of harm. A compromised administrator account is
generally a compromised server. There are some good XSS resources on
the web you can read up on.

The bug that was discovered by the parent poster may not lead to a
server compromise; but that is no reason to discount or underestimate
XSS.

> but what if, for example, you cause a DoS through
> testing certain variables for overflows ?

Then, my friend, you have discovered a bug.

Mohit.


--
Mohit Muthanna [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those
who don't."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
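The point Mohit makes above (that reflected XSS is a real defect even when it cannot touch the server directly) comes down to one rendering mistake: user input pasted into HTML without encoding. The following is an added example written for this archive page, not code from the original post, from Google, or from any service discussed in the thread. It assumes a hypothetical search page that echoes the `q` parameter back into a heading, shows the defective renderer beside the fixed one, and includes a small parser-based check a reviewer can run over rendered output to spot markup that came from user input. The query strings are constructed samples.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed sample query strings (not taken from any real site or report):
# one ordinary search term, and one that carries markup a page must never
# reflect verbatim.
SAMPLE_QUERIES = {
    "benign": "q=full+disclosure",
    "markup": "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
}


def _search_term(query_string: str) -> str:
    """Pull the user-controlled 'q' value out of a URL query string."""
    return parse_qs(query_string).get("q", [""])[0]


def render_results_unsafe(query_string: str) -> str:
    """The defect: the search term goes straight into HTML.

    Anything the user typed, including tags, becomes live markup in the
    response, which is exactly what a reflected XSS bug is.
    """
    return f"<h1>Results for: {_search_term(query_string)}</h1>"


def render_results_safe(query_string: str) -> str:
    """The fix: HTML-encode user-controlled text before it enters markup.

    quote=True also encodes quotes, so the same helper is safe inside
    attribute values as well as element bodies.
    """
    return f"<h1>Results for: {html.escape(_search_term(query_string), quote=True)}</h1>"


class _TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would actually see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def start_tags(markup: str) -> list[str]:
    """Return the start tags present in rendered HTML, in document order."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def unexpected_tags(markup: str, allowed: frozenset[str]) -> list[str]:
    """Review check: tags the template never emits itself must have come from
    user input. An empty list means the input was encoded, not reflected."""
    return [t for t in start_tags(markup) if t not in allowed]


if __name__ == "__main__":
    template_tags = frozenset({"h1"})
    for name, qs in SAMPLE_QUERIES.items():
        for label, renderer in (("unsafe", render_results_unsafe),
                                ("safe", render_results_safe)):
            page = renderer(qs)
            leaked = unexpected_tags(page, template_tags)
            print(f"{name:7s} {label:7s} reflected tags: {leaked or 'none'}")
```

Running it shows the unsafe renderer turning the markup sample into a live `script` element while the safe renderer leaves only the template's own `h1`; the `unexpected_tags` check is the kind of assertion worth keeping in a template test suite so the defect cannot quietly return.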