Full Disclosure mailing list archives
Re: on xss and its technical merit
From: "pdp (architect)" <pdp.gnucitizen () googlemail com>
Date: Mon, 5 Nov 2007 10:59:26 +0000
comments inlined

On Nov 4, 2007 8:01 PM, Volker Tanger <vtlists () wyae de> wrote:

Greetings!

On Sun, 4 Nov 2007 13:26:17 -0600 reepex <reepex () gmail com> wrote:

"we are talking about whether XSS is as technical as other security disciplines. We are also talking about whether it should have a deserved and recognized place among FD readers and contributors.
[...]
1) XSS isn't technical no matter how it's used
[...]
3) XSS does not have a place on this list or any other security list and I remember when the idea of making a separate bugtraq for xss was proposed and I still think it should be done.

XSS is a variant on missing or lax input verification. Thus all other forms of input-nonverification like buffer overflows or char(0) injections or the like should be handled similarly.

agree!

In its simplest version XSS could be used for phishing - which is bad enough for banking or business portals. Depending on the application other elevations might be possible through XSS like session stealing, cmd/sql injects, etc. Especially if such an elevated XSS was detected for a software it definitely would have a place on security mailing lists. But it should be more qualified than just "XSS found on ....". Just running an XSS scanner is lame - whereas finding out all consequences and possible attack vectors and maybe even posting a patch might be a worthwhile posting.

XSS has already been detected in software... AOL Instant Messenger was vulnerable to XSS not that long ago. The default screen where you type all your text is nothing more but the IE web browser. Google GTalk and Skype also use the IE browser. The AOL IM was vulnerable to an attack where remote users can send a specially crafted message which will render within the context of the remote IE instance. IE within AOL runs with full privileges, i.e. there is no sandbox. This means that you can easily start running WScript (WSH) scripts. We know what that leads to, do we? This is a variation of XSS that affects client-side technologies. This bug could have led to one of the biggest worm outbreaks ever seen. No user interaction was required in order to launch the attack!

Bye
Volker

--
Volker Tanger http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists () wyae de PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org