Full Disclosure mailing list archives
Re: on xss and its technical merit
From: "pdp (architect)" <pdp.gnucitizen () googlemail com>
Date: Sun, 4 Nov 2007 20:41:10 +0000
thanks reepex for starting the discussion. it will be really great if we can get more people involved in this. it seems that there is a lot of confusion on the merits of XSS. I hope that we can answer all of your questions once and for all.

> 1) XSS isn't technical no matter how it's used

XSS can be as technical as it gets. It can be very technical or not technical at all. Under the term XSS we have variations of technologies and techniques, in a similar way to software (binary) hacking (buffer overflows). Therefore, just injecting meta characters inside a page does not mean anything... just as injecting data into a buffer does not mean anything at all. What is more interesting is how you use the vector. Keep in mind that when dealing with XSS, we have pretty much the same obstacles as with buffer overflows: we are limited by size and allowed characters. Also, as with buffer overflows and other attacks which are more or less related to them, attackers need to take into consideration the execution flow and as such make the attack stealthier.

> 2) people who use xss on pentests/real hacking/anything but phishing are lame and only use it because they cannot write real exploits (non-web) or couldn't find any other web bugs (sql injection, cmd exec, file include, whatever)

We live in different times. The Web has become the only tool we need and as such the browser is the ultimate platform. XSS is by far the only way to run untrusted code within the origins of a trusted domain without having a browser vulnerability in the first place. SQL Injection and file inclusion attacks still exist, I deal with them on a daily basis, but the attack surface is largely mitigated by the various types of frameworks which power most modern applications. However, why do you need SQL Injection when you can perform the needed action on behalf of the user by using XSS? It is safer and a lot stealthier. If you want to change someone's details or want to get some data out, XSS is a completely valid type of attack. The people I've seen who use XSS today have a vast background in traditional attack techniques, though their number is very small, mainly because the topic hasn't reached the level of maturity that other topics already have. I don't want to mention names here, mainly because it's very rude, but I welcome all of you to join the conversation.

> 3) XSS does not have a place on this list or any other security list and i remember when the idea of making a separate bugtraq for xss was proposed and i still think it should be done.

FD is a general security list. XSS is a security discipline. Therefore, XSS should be present on FD just as other security topics are present too. However, if someone is serious about XSS, there are plenty of other places you can attend. Moreover, nowadays, posting to FD is pointless. The list is out of control and I, as many others, find it rather lame and not worth the effort. If you want to learn something, start reading blogs.

> 4) if you go into a pentest/audit and all you get out is xss then it's a failed pentest and the customer should get a refund.

Not true. If you don't know, XSS is a top priority today. It is present on almost all websites/applications. I am not sure who you are working for and whether you are doing any pentesting, but I can tell you something: people are interested in XSS and they are afraid of it. I must say that there is a huge gap of knowledge and understanding that needs to be filled, but the situation is getting better with every single day. Today, companies are interested in Web 2.0. They are interested in the impact this technology will have on their organization. There are numerous things corporate people worry about when it comes to it. XSS is one of them. I used to rate XSS as low, sometimes as medium, risk two years ago. Today, if they are unauthenticated, I rate them as HIGH. Why? Open your eyes.

XSS is not only about getting the victim to run some code. There are a number of things you can do. Do you know that if CNN has XSS on their site and I manage to inject some Google ads and kind of spread the vector around on a couple of bookmarking sites, I can make tons of money? Think about it.
a) CNN is a very important site.
b) Ad clicks will cost more.
c) Social bookmarking is a way of life (look at DIGG).
d) Social bookmarking sites can be spammed (research OnlyWire).
You have all the components of a successful attack. What about forging stories? Or performing black PR? Or maybe even black SEO? The limit is only your imagination. Unfortunately, some people lack the imagination, so others have to show them the way. XSS has more potential than any other type of vulnerability available today. This is due to the size of the Web. When you start putting all the things into perspective you will see what I am talking about. For all of you who think that XSS is crap, well, you are simply missing the train and the great ride that comes with it. Good luck!

> 5) publishing xss shows your weakness and that you don't have the ability to find actual bugs (b/c xss isn't a vuln, it's crap)

Publishing XSS makes you look as stupid as publishing a DoS, because you haven't investigated enough to see whether and how your findings can be exploited. Moreover, publishing XSS is not ethical. It is wrong and people should stop doing it, or at least stop bragging about it. However, just because you found an interesting XSS vector, it does not mean that you are stupid or an idiot. There are some very clever XSS attacks and clever people who stand behind them. Again, I don't want to involve these people in the discussion against their will, so I will contact them personally and ask whether they would like to be mentioned.

reepex, I am sorry but all your statements are groundless. I was expecting something more from you, especially after we exchanged a few private emails. Sometimes I get the feeling that you actually know what you are talking about. You definitely know a few things, but c'mon, really... give me something juicy...

cheers,
pdp

P.S. I am sorry for the inconvenience... this message has to be approved first. I am not a FD member and the list management interface is unresponsive at the moment.

On Nov 4, 2007 7:26 PM, reepex <reepex () gmail com> wrote:
> Pdp architect and I have been emailing back and forth about whether xss has a place in fd, bugtraq, or the security research area at all. He decided that we should start a discussion about it on here and get people's unmoderated opinion. This discussion should not concern whether it's important due to stealing bank info, paypal, whatever; it should only stick to xss as a pure research area. Or as pdp described it:
>
> "we are talking about whether XSS is as technical as other security disciplines. We are also talking about whether it should have a deserved and recognized place among FD readers and contributors. however, the topic won't cover only whether you can detect or inject XSS, this is lame. it will cover the whole 9 yards... pretty much all the topics covered inside the XSS book."
>
> My ideas on the topic are
>
> 1) XSS isn't technical no matter how it's used
>
> 2) people who use xss on pentests/real hacking/anything but phishing are lame and only use it because they cannot write real exploits (non-web) or couldn't find any other web bugs (sql injection, cmd exec, file include, whatever)
>
> 3) XSS does not have a place on this list or any other security list and i remember when the idea of making a separate bugtraq for xss was proposed and i still think it should be done.
>
> 4) if you go into a pentest/audit and all you get out is xss then it's a failed pentest and the customer should get a refund.
>
> 5) publishing xss shows your weakness and that you don't have the ability to find actual bugs (b/c xss isn't a vuln, it's crap)
>
> i think pdp is going to respond first. should be fun ;)
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/