Full Disclosure mailing list archives
Re: on xss and its technical merit
From: "Fredrick Diggle" <fdiggle () gmail com>
Date: Wed, 12 Dec 2007 13:12:26 -0600
"All of the retards on the list will no doubt ask me for a secure session management schema but I am a firm believer that sharing is communism so screw you." Did I call that or what :D Yes you are implementing it badly. to establish session you no doubt require authentication based on some known pieces of information (username, password, etc). If you allow someone to establish a session or establish themselves as part of an existing session based solely on some piece of information (their session id) then you should not be storing that piece of information in a freaking cookie in plain text. Would you store your user's password in there? Yes its a vulnerability! and I repeat, I am not gonna lecture you on how to implement it correctly. Go read a book sir. damn communists. YAY! On Dec 12, 2007 12:47 PM, Joao Inacio <jcinacio () gmail com> wrote:
On Dec 12, 2007 6:21 PM, Fredrick Diggle <fdiggle () gmail com> wrote:What no one seems to realize is that XSS by its very nature is not a vulnerability. It is a perfectly valid mechanism to aid in exploitationbutcan anyone cite me an example where xss in and of itself accomplishes anything? I can think of pretty much 3 examples of XSS (granted without giving it much thought because lets face it it isn't worth much thought) 1. you are taking something from a user which is accessible from the scripting language context of their browser. In this case the vulnerability is not XSS the vulnerability is eitherthatyou (or the web browser) are storing something valuable in an insecureway.The most obvious example of this is something like session cookies whichifyour auth/session management is implemented in a secure way won't matterabit. It follows that the vulnerability is not XSS but instead that some developer stored something valuable in a stupid way. All of the retardsonthe list will no doubt ask me for a secure session management schemabut Iam a firm believer that sharing is communism so screw you.Sorry, but i can't see how having access to session cookies is unimportant. Even if nothing valuable is stored by the session management, there is one key factor: session cookies will grant you access to a user's session, unless other checks are in place (like the user's IP address). Take for example gmail - login, copy it's cookies to another browser and then access it from that browser - how is gmail's session management flawed? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: on xss and its technical merit reepex (Dec 09)
- <Possible follow-ups>
- Re: on xss and its technical merit coderman (Dec 12)
- Re: on xss and its technical merit Byron Sonne (Dec 12)
- Re: on xss and its technical merit Jay (Dec 12)
- Re: on xss and its technical merit Byron Sonne (Dec 12)
- Re: on xss and its technical merit J. Oquendo (Dec 12)
- Re: on xss and its technical merit Byron Sonne (Dec 12)
- Re: on xss and its technical merit Fredrick Diggle (Dec 12)
- Re: on xss and its technical merit Joao Inacio (Dec 12)
- Re: on xss and its technical merit Fredrick Diggle (Dec 12)
- Re: on xss and its technical merit Morning Wood (Dec 13)
- Re: on xss and its technical merit Fredrick Diggle (Dec 13)
- Message not available
- Re: on xss and its technical merit Fredrick Diggle (Dec 13)
- Re: on xss and its technical merit Joao Inacio (Dec 12)
- Re: on xss and its technical merit Fredrick Diggle (Dec 12)
- Re: on xss and its technical merit Byron Sonne (Dec 12)
- Re: on xss and its technical merit Valdis . Kletnieks (Dec 12)
- Re: on xss and its technical merit Byron Sonne (Dec 13)
- Re: on xss and its technical merit Fredrick Diggle (Dec 13)