Full Disclosure mailing list archives

Re: on xss and its technical merit


From: Byron Sonne <blsonne () rogers com>
Date: Thu, 13 Dec 2007 10:20:15 -0500

> Naysayers of XSS want some elegant exciting actions.
> It's not. It's a case of not sanitizing input that allows
> arbitrary code to be executed. Simple things like umm
> secure coding, url scan, mod_security, noscript could
> combat this easily.

That is probably the largest part of what makes it such a boring topic.
The easier an attack is to defend against, probably the less exciting it
is. It's hardly exciting to 'break into' someone's house through an
unlocked door; there's no challenge.

> It's like someone walking past a car and seeing a million
> dollars sitting in the front seat. Thief opens unlocked
> door and takes money. Now a more elegant way would be
> to manipulate the chemical composition of the glass back
> to a gaseous form and reaching through.

Ah, now THAT would be cool :)

> I really don't understand why some in this community are
> so quick to say this is no find, this isn't new, this is
> <insert blah>.

You deal with this kind of crap professionally for a couple years and
then tell me how excited you are to come into work in the morning just
so you can pore over hours and hours of crud to make your customers
happy. It's boring. There's no meat to it. It's rote. It sucks the life
out of your day. I regret ever saying that nothing could be worse than
writing CGI checks.

> I guess it makes them feel intellectually
> superior to tear down the ideas of others whether they
> deserve it or not. In some cases they do.

That might be part of it, who knows, for myself or maybe others. I'm not
a shrink. But to me it's more about wanting to see the boundaries pushed
and being exposed to new, exciting stuff.

> Are members of
> this community so starved for their own self worth that
> they strive to squash the ideas of others instinctively?
> Would make for an interesting study.

Would probably just show that there's a lot of pubescent teenagers
jockeying for social position.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/