Full Disclosure mailing list archives

Re: on xss and its technical merit


From: reepex <reepex () gmail com>
Date: Sun, 4 Nov 2007 15:04:17 -0600

On Nov 4, 2007 2:41 PM, pdp (architect) <pdp.gnucitizen () googlemail com> wrote:

1) XSS isn't technical no matter how it's used

Also, as with buffer overflows and other attacks, which are more or less
related to them, attackers need to take the execution flow into
consideration and as such make the attack stealthier.


I agree with this on a very high level but not in actual application. Having
limited chars in an XSS isn't really comparable to having limited characters
in a buffer overflow. Having A-Za-z0-9 in XSS only limits what scripting
elements you can use, while the same for bin exploiting makes you rely only
on opcodes and addresses in that range. Writing alphanumeric shellcode
compared to writing limited XSS (esp. with the ease you can redirect to
other pages and thus not be limited at all) is not even a close comparison
technically.

Also, "controlling execution flow" of a browser in which you only control
JavaScript or similar is nowhere near as challenging as having to control
the execution of a binary, or even more so a kernel, after you have destroyed
much of its data and have to repair it to a usable state afterwards.



2) people who use XSS on pentests/real hacking/anything but phishing

XSS is by far the only way to run untrusted code within the origins of a
trusted domain without having a browser vulnerability in the first place.
SQL Injection and file inclusion attacks still exist, I deal with them on a
daily basis, but the attack surface is largely mitigated by various types of
frameworks which power most of the modern applications. However, why
do you need SQL Injection when you can perform the needed action on
behalf of the user by using XSS? It is safer and a lot stealthier. If
you want to change someone's details or want to get some data out, XSS
is a completely valid type of attack.


With software (bin) vulns you aren't only relying on a user or browser or
anything. You have vulnerabilities in the server software or perimeter
devices, so you are cutting out any "user interaction" (which is a very
important thing), but maybe I am caring too much about your wording of "by
far the only".

Also, with XSS you are limited to the tasks that the web application can do,
unlike full control of the server, which allows you to do whatever you want
and allows for much deeper penetration into the network.



The people I've seen who use XSS today have a vast background in
traditional attack techniques. Though their number is very small,
mainly because the topic hasn't reached the level of maturity that other
topics already have.


We must know different people, because the people I know that tout XSS are
people that found out about XSS and SQL injection and have never moved on,
and consider themselves 'security professionals'.


Not true. If you don't know, XSS is a top priority today. It is
present on almost all websites/applications. I am not sure who you are
working for and whether you are doing any pentesting, but I can tell
you something: people are interested in XSS and they are afraid of it.
I must say that there is a huge gap in knowledge and understanding
that needs to be filled, but the situation is getting better with every
single day. Today, companies are interested in Web 2.0. They are
interested in the impact this technology will have on their
organization. There are numerous things corporate people worry
about when it comes to it. XSS is one of them.


OK, and this is a technical debate, not about people getting ripped off, which
is what businesses care about. Just because XSS affects businesses a lot
does not make it any more technical or worthwhile to 'research'.



I used to rate XSS as low, sometimes as medium, risk two years ago.
Today, if they are unauthenticated, I rate them as HIGH. Why? Open
your eyes. XSS is not only about getting the victim to run some code.
There are a number of things you can do. Do you know that if CNN has
XSS on their site and I manage to inject some Google ads and kind of
spread the vector around on a couple of bookmarking sites, I can make
tons of money? Think about it.

 a) CNN is a very important site.
 b) Ad clicks will cost more.
 c) Social bookmarking is a way of life (look at DIGG).
 d) Social bookmarking sites can be spammed (research OnlyWire).

You have all the components of a successful attack. What about forging
stories? Or performing Black PR? Or maybe even Black SEO? The limit is
only your imagination. Unfortunately, some people lack the imagination,
so others have to show them the way.


Everything you listed is related (loosely) to phishing, scamming, fraud, etc.,
not to anything technical or groundbreaking. While things like hijacking
AdSense may be interesting (which they are), they do not require technical
feats to accomplish. It's simple techniques which any script kiddie can
accomplish.




5) publishing XSS shows your weakness and that you don't have the

Publishing XSS makes you look stupid, as well as publishing a DoS, cuz you
haven't investigated enough to see whether and how your findings can
be exploited.


We agree!!



reepex, I am sorry, but all your statements are groundless. I was
expecting something more from you, especially after we exchanged a few
private emails. Sometimes I get the feeling that you actually know
what you are talking about. You definitely know a few things, but
c'mon, really... give me something juicy...


Yea, after reading my original thing I admit it was pretty weak. I hope I
fixed it up here.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/