Full Disclosure mailing list archives
Re: on xss and its technical merit
From: Byron Sonne <blsonne () rogers com>
Date: Thu, 13 Dec 2007 10:20:15 -0500
> Naysayers of XSS want some elegant, exciting actions. It's not. It's a case of not sanitizing input that allows arbitrary code to be executed. Simple things like, umm, secure coding, URLScan, mod_security, NoScript could combat this easily.
That is probably the largest part of what makes it such a boring topic. The easier an attack is to defend against, probably the less exciting it is. It's hardly exciting to 'break into' someone's house through an unlocked door; there's no challenge.
> It's like someone walking past a car and seeing a million dollars sitting in the front seat. Thief opens unlocked door and takes money. Now a more elegant way would be to manipulate the chemical composition of the glass back to a gaseous form and reach through.
Ah, now THAT would be cool :)
> I really don't understand why some in this community are so quick to say this is no find, this isn't new, this is <insert blah>.
You deal with this kind of crap professionally for a couple years and then tell me how excited you are to come into work in the morning just so you can pore over hours and hours of crud to make your customers happy. It's boring. There's no meat to it. It's rote. It sucks the life out of your day. I regret ever saying that nothing could be worse than writing CGI checks.
> I guess it makes them feel intellectually superior to tear down the ideas of others, whether they deserve it or not. In some cases they do.
That might be part of it, who knows, for myself or maybe others. I'm not a shrink. But to me it's more about wanting to see the boundaries pushed and being exposed to new, exciting stuff.
> Are members of this community so starved for their own self-worth that they strive to squash the ideas of others instinctively? Would make for an interesting study.
Would probably just show that there's a lot of pubescent teenagers jockeying for social position.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/