Penetration Testing mailing list archives

Re: Exploiting XSS


From: "Paul Melson" <pmelson () gmail com>
Date: Sat, 6 Dec 2008 08:07:24 -0500

On Fri, Dec 5, 2008 at 7:33 PM, Adriel T. Desautels
<ad_lists () netragard com> wrote:
> [...] I do not respect people who offer protective
> security services when they don't know what they are doing.
> That in my opinion is nearly criminal because you are giving people a false sense of
> security. What are you going to say when they get hacked because you missed
> something absolutely obvious?

First of all, I'm not jumping in to defend the guy that couldn't
Google his way to a PoC for the XSS vuln he found.  At the same time,
your statement is worrisome.  All pen-testers and pen-testing
methodologies miss something eventually.  Normally I'd ramble on about
setting expectations, responsible consulting, yada yada yada, but I
really want to get to...

> People who pay security experts to do work should always be getting quality work.

I wholeheartedly disagree.  Yes, I too dislike the fact that there are
total novices working in the security field, many of whom give aspects
of our industry a bad name.  However, this is directly a result of
clients not wanting to pay for expertise.  PCI has done more in the
past year to drive this than anything I've seen before, by making
third-party testing an explicit requirement.  At the end of the day,
companies that hire security services deserve to get what they pay
for, and nothing more.  And so this guy's not really to blame.
Instead, blame his clients, since they don't want to pay market rate
or properly vet their testers.  They just don't want the bank to turn
their VeriFone* off.

And then all of you that complain about novices in your field need to
ask yourselves why they don't know the difference.  What have you,
your company, or any groups/associations you belong to done to help
educate the larger IT marketplace that there's a significant
difference in quality and effectiveness between pen-testers?  If you
don't have an answer for that question, maybe it's time to find one.

PaulM

* http://traceyray.com/images/printpak350_lg.jpg
