Full Disclosure mailing list archives

Re: on xss and its technical merit


From: "pdp (architect)" <pdp.gnucitizen () googlemail com>
Date: Mon, 5 Nov 2007 10:59:26 +0000

comments inlined

On Nov 4, 2007 8:01 PM, Volker Tanger <vtlists () wyae de> wrote:
Greetings!

On Sun, 4 Nov 2007 13:26:17 -0600
reepex <reepex () gmail com> wrote:
"we are talking about whether XSS is as technical as other security
disciplines. We are also talking about whether it should have a
deserved and recognized place among FD readers and contributors.
[...]
1) XSS isn't technical no matter how it's used
[...]
3) XSS does not have a place on this list or any other security list
and I remember when the idea of making a separate bugtraq for xss was
proposed and I still think it should be done.

XSS is a variant on missing or lax input verification. Thus all other
forms of input-nonverification like buffer overflows or char(0)
injections or the like should be handled similarly.


agree!


In its simplest version XSS could be used for phishing - which is bad
enough for banking or business portals. Depending on the application
other elevations might be possible through XSS like session stealing,
cmd/sql injects, etc.

Especially if such an elevated XSS was detected for a piece of software it
definitely would have a place on security mailing lists. But it should
be more qualified than just "XSS found on ....". Just running an XSS
scanner is lame - whereas finding out all consequences and possible
attack vectors and maybe even posting a patch might be a worthwhile
posting.


XSS has already been detected in software... AOL Instant Messenger was
vulnerable to XSS not that long ago. The default screen where you
type all your text is nothing more than the IE web browser. Google
GTalk and Skype also use the IE browser. The AOL IM was vulnerable to
an attack where remote users can send a specially crafted message
which will render within the context of the remote IE instance. IE
within AOL runs with full privileges, i.e. there is no sandbox. This
means that you can easily start running WScript (WSH) scripts. We know
what that leads to, don't we? This is a variation of XSS that affects
client-side technologies. This bug could have led to one of the
biggest worm outbreaks ever seen. No user interaction was required in
order to launch the attack!


Bye

Volker

--

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists () wyae de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
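Added example, not part of the thread or of any poster's code: the "missing or lax input verification" Volker describes, shown as the output side of the same problem. Two rendering functions place an untrusted display name into an HTML body and into a quoted attribute, once by plain concatenation and once with context-appropriate HTML encoding, and a small check built on the standard-library parser shows which tags and attributes a browser would actually see in each case. The payload strings are constructed for the demonstration; the function names are hypothetical.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not from the thread): attacker-controlled strings
# arriving where the application expected a plain display name.
BODY_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" onfocus="alert(1)'


def render_greeting_unsafe(name):
    """Vulnerable pattern: untrusted text concatenated into an HTML body."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Hardened pattern: encode <, >, &, and quotes for the HTML body context."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_input_unsafe(value):
    """Vulnerable pattern: untrusted text dropped inside a quoted attribute."""
    return f'<input name="display" value="{value}">'


def render_input_safe(value):
    """Hardened pattern: quote=True also encodes the double quote, so the
    attribute value cannot be closed early to introduce new attributes."""
    return f'<input name="display" value="{html.escape(value, quote=True)}">'


class MarkupCollector(HTMLParser):
    """Records every start tag, and the attribute names on it, that the
    parser sees. This stands in for what a browser would build into the DOM."""

    def __init__(self):
        super().__init__()
        self.tags = []          # start tags in document order
        self.attrs = {}         # tag name -> list of attribute names seen

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.setdefault(tag, []).extend(name for name, _ in attrs)


def parse_markup(fragment):
    collector = MarkupCollector()
    collector.feed(fragment)
    collector.close()
    return collector


def rendered_tags(fragment):
    """Tag names a parser extracts from the fragment ('script' present = injection)."""
    return parse_markup(fragment).tags


def rendered_attrs(fragment, tag):
    """Attribute names on the given tag (an unexpected 'onfocus' = injection)."""
    return parse_markup(fragment).attrs.get(tag, [])


if __name__ == "__main__":
    for label, out in [
        ("body/unsafe", render_greeting_unsafe(BODY_PAYLOAD)),
        ("body/safe  ", render_greeting_safe(BODY_PAYLOAD)),
        ("attr/unsafe", render_input_unsafe(ATTR_PAYLOAD)),
        ("attr/safe  ", render_input_safe(ATTR_PAYLOAD)),
    ]:
        print(label, repr(out), "tags:", rendered_tags(out))
```

The point of the two contexts is that the encoding has to match where the data lands: body-context escaping alone does not protect an attribute, and neither covers a JavaScript string or a URL. Reviewing a report for the "consequences" Volker asks for starts with identifying that context, since it decides whether a finding is a harmless literal or a script that runs in another user's session.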
