Full Disclosure mailing list archives
Re: on xss and its technical merit
From: "Jay" <jay.tomas () infosecguru com>
Date: Wed, 12 Dec 2007 11:06:47 -0500
I would say that XSS or CSRF is a means to an end. It's not that you can XSS, it's what you do with it once you find it. It's not a sexy beast that you can blog about, but it is an attack vector nonetheless. The simpler the attack, the greater the success. So yeah, it takes little skill to find. It takes equally little skill to securely code the app to sanitize in the first place. If an app is vuln to XSS, chances are the rest of the app is crap anyways...

Jay

----- Original Message -----
From: Byron Sonne [mailto:blsonne () rogers com]
To: coderman () gmail com, full-disclosure () lists grok org uk
Sent: Wed, 12 Dec 2007 09:48:07 -0500
Subject: Re: [Full-disclosure] on xss and its technical merit

coderman wrote:
so perhaps "xss should be discussed much less" is the only concrete thing we all agree on?
FTW. It's pretty obvious that finding XSS has a low entrance barrier; this explains its popularity. It's just not very impressive. At the same time, if finding an XSS gets some kid interested in security, then I suppose it can't be all bad. In any case, Wikipedia has something interesting on this. I never thought about how to categorize them, but then again, I usually start vomiting from boredom at the mere sight of the word 'xss' in a subject line.
From http://en.wikipedia.org/wiki/Xss, take it as you will:
Type 0
This form of XSS vulnerability has been referred to as DOM-based or Local cross-site scripting, and while it is not new by any means, a recent paper (DOM-Based cross-site scripting) does a good job of defining its characteristics. With Type 0 cross-site scripting vulnerabilities, the problem exists within a page's client-side script itself.

Type 1
This kind of cross-site scripting hole is also referred to as a non-persistent or reflected vulnerability, and is by far the most common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page.

Type 2
This type of XSS vulnerability is also referred to as a stored or persistent or second-order vulnerability, and it allows the most powerful kinds of attacks. It is frequently referred to as HTML injection. A type 2 XSS vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, filesystem, or other location), and later displayed to users in a web page without being encoded using HTML entities.

Cheers,
B

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
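Both Jay's point (it takes little skill to encode output correctly) and the Type 1 / Type 2 definitions quoted from Wikipedia come down to the same thing: untrusted data reaching an HTML page without entity encoding. The following Python script is an added illustration, not code from the thread or from Wikipedia. It shows the reflected (Type 1) and stored (Type 2) server-side patterns side by side with their encoded counterparts, using Python's standard `html.escape`; the sample inputs, the `CommentStore` class and the `markup_survives` check are constructed for the demo and are not from any real application. DOM-based (Type 0) XSS happens in client-side script and is not covered here.

```python
import html

# Constructed sample inputs for the demo (not taken from the thread).
# The second is the textbook harmless canary used to check whether markup
# survives rendering; the third targets an attribute context.
SAMPLE_INPUTS = [
    "alice",
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
]


def render_unsafe(name: str) -> str:
    """Type 1 (reflected) pattern: request data concatenated straight into HTML."""
    return f"<p>Hello, {name}</p>"


def render_text_escaped(name: str) -> str:
    """Same page with output encoding: entity-encode before inserting into a text node."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def render_attr_escaped(name: str) -> str:
    """Attribute context: the attribute must be quoted AND quotes in the data encoded,
    otherwise a value containing '" onmouseover="...' breaks out of the attribute."""
    return f'<input name="who" value="{html.escape(name, quote=True)}">'


class CommentStore:
    """Type 2 (stored) pattern: data is written once and rendered to every later
    visitor. Encoding belongs at render time; the store keeps the raw text."""

    def __init__(self) -> None:
        self._rows: list[str] = []

    def add(self, text: str) -> None:
        self._rows.append(text)  # stored exactly as submitted, no encoding here

    def render_all(self) -> str:
        items = "".join(f"<li>{html.escape(t, quote=True)}</li>" for t in self._rows)
        return "<ul>" + items + "</ul>"


def markup_survives(rendered: str, untrusted: str) -> bool:
    """Crude review check: the input carried HTML metacharacters and appears
    verbatim in the output, so those characters are live markup, not text."""
    has_meta = any(c in untrusted for c in "<>\"'")
    return has_meta and untrusted in rendered


def demo() -> dict[str, bool]:
    """Run every sample through the vulnerable and the encoded renderer."""
    results: dict[str, bool] = {}
    for s in SAMPLE_INPUTS:
        results[f"unsafe:{s}"] = markup_survives(render_unsafe(s), s)
        results[f"escaped:{s}"] = markup_survives(render_text_escaped(s), s)
    return results


if __name__ == "__main__":
    for key, injected in demo().items():
        print(f"{'INJECTED' if injected else 'inert   '}  {key}")
```

The attribute renderer is the caveat worth keeping in mind: `html.escape` with its default `quote=True` encodes `"` and `'` as well as `<`, `>` and `&`, which is what makes the quoted-attribute context safe; an unquoted attribute would still be breakable by whitespace, so the fix is both to quote and to encode.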
Current thread:
- Re: on xss and its technical merit reepex (Dec 09)
- <Possible follow-ups>
- Re: on xss and its technical merit coderman (Dec 12)
- Re: on xss and its technical merit Byron Sonne (Dec 12)
- Re: on xss and its technical merit Jay (Dec 12)
- Re: on xss and its technical merit Byron Sonne (Dec 12)
- Re: on xss and its technical merit J. Oquendo (Dec 12)
- Re: on xss and its technical merit Byron Sonne (Dec 12)
- Re: on xss and its technical merit Fredrick Diggle (Dec 12)
- Re: on xss and its technical merit Joao Inacio (Dec 12)
- Re: on xss and its technical merit Fredrick Diggle (Dec 12)
- Re: on xss and its technical merit Morning Wood (Dec 13)
- Re: on xss and its technical merit Fredrick Diggle (Dec 13)
- Message not available
- Re: on xss and its technical merit Fredrick Diggle (Dec 13)
- Re: on xss and its technical merit Joao Inacio (Dec 12)
- Re: on xss and its technical merit Fredrick Diggle (Dec 12)