Full Disclosure mailing list archives
Re: on xss and its technical merit
From: "Joao Inacio" <jcinacio () gmail com>
Date: Wed, 12 Dec 2007 18:47:02 +0000
On Dec 12, 2007 6:21 PM, Fredrick Diggle <fdiggle () gmail com> wrote:
> What no one seems to realize is that XSS by its very nature is not a vulnerability. It is a perfectly valid mechanism to aid in exploitation, but can anyone cite me an example where XSS in and of itself accomplishes anything? I can think of pretty much 3 examples of XSS (granted, without giving it much thought, because let's face it, it isn't worth much thought).
>
> 1. You are taking something from a user which is accessible from the scripting language context of their browser. In this case the vulnerability is not XSS; the vulnerability is either that you (or the web browser) are storing something valuable in an insecure way. The most obvious example of this is something like session cookies, which if your auth/session management is implemented in a secure way won't matter a bit. It follows that the vulnerability is not XSS but instead that some developer stored something valuable in a stupid way. All of the retards on the list will no doubt ask me for a secure session management schema, but I am a firm believer that sharing is communism, so screw you.
Sorry, but I can't see how having access to session cookies is unimportant. Even if nothing valuable is stored by the session management, there is one key factor: session cookies will grant you access to a user's session, unless other checks are in place (like the user's IP address). Take for example Gmail - log in, copy its cookies to another browser and then access it from that browser - how is Gmail's session management flawed?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
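The behaviour described in the reply above, as an added example that is not part of the original post: a session cookie is a bearer token, so a server that only looks up the cookie value accepts it from any browser, while the IP address check the reply mentions rejects a copy presented from elsewhere. The class, function names and addresses (documentation ranges) are constructed for illustration.

```python
import secrets


class SessionStore:
    """Server-side session table keyed by the cookie value (constructed example)."""

    def __init__(self, bind_to_ip=False):
        self.bind_to_ip = bind_to_ip
        self._sessions = {}  # session id -> {"user": ..., "ip": ...}

    def login(self, user, client_ip):
        # Unguessable identifier; this is the value sent back as the cookie.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip}
        return sid

    def authenticate(self, cookie_value, client_ip):
        """Return the user this request is treated as, or None if rejected."""
        record = self._sessions.get(cookie_value)
        if record is None:
            return None
        if self.bind_to_ip and record["ip"] != client_ip:
            # Same cookie, different address: treat the session as exposed
            # and revoke it, which also signs out the original browser.
            del self._sessions[cookie_value]
            return None
        return record["user"]


def replay_demo(bind_to_ip):
    """Present one cookie from the login address, then from another address."""
    store = SessionStore(bind_to_ip)
    cookie = store.login("alice", "192.0.2.10")
    same_browser = store.authenticate(cookie, "192.0.2.10")
    other_host = store.authenticate(cookie, "198.51.100.7")
    original_afterwards = store.authenticate(cookie, "192.0.2.10")
    return same_browser, other_host, original_afterwards


if __name__ == "__main__":
    print("cookie only :", replay_demo(bind_to_ip=False))
    print("cookie + IP :", replay_demo(bind_to_ip=True))
```

The address check does nothing when both browsers share one public address (same NAT or proxy), and it signs out users whose address changes mid-session.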