From: xss-is-lame at hushmail.com (xss-is-lame@...hmail.com)
Subject: Re: New Web Vulnerability - Cross-Site Tracing

-----BEGIN PGP SIGNED MESSAGE-----

I found your email quite remarkable.  In short, I do not think you can adequately distinguish between theory, prediction, and practice.

> XSS (including "HTML injection" for those who make such distinctions)
> was the 2nd most frequently reported vulnerability last year, behind
> buffer overflows, based on CVE statistics.

This is a pretty meaningless statistic unless you can link it, through association by cause, to actual exploitation.  The fact that you acknowledge that XSS is not being widely exploited pretty much proves this worthless.  XSS is the 2nd most reported type of vulnerability, yet it is rarely exploited.

> While there may not be many
> publicly reported exploits of XSS issues, or of web client
> vulnerabilities in general, it seems likely that applications will
> become a more attractive target to hackers as it gets more difficult
> to break into servers.

"It seems likely", eh?  So in other words, there is no widespread abuse of XSS problems.  The word "plague" has an extremely strong negative conontation.  Consider a biblical analogy.

I would also like evidence supporting your claim that servers are becoming more difficult to break into.  For the last few years, the trend is the opposite.  The widespread adoption of web technologies has *dramatically* lowered the bar in terms of difficulty.  Obtaining a detailed knowledge and understanding of C/C++, TCP/IP and related protocols, assembly and OS internals (not to mention how to apply those concepts in a manner that will produce exploits) is challenging, even with papers and books on those concepts are available.  On the other hand, SQL injection is easy.  Unicode is easy.  IISHACK.EXE is mind-blowingly easy.  Reading _Hacking Exposed_ is easy.  Getting a crack for ISS Scanner is easy.  Things are getting better for hackers, not worse.

Combine this with a growing number of people connected to the internet (a signifigant number of whom will become interested in hacking), an increasing number of total publicly reported *real* vulnerabilities, the introduction of new technologies that are bound to have holes in them that have already begun to be publicly exposed (web services, wireless), and the simple fact that numerous years worth of password guessing and buffer overflow tutorials, exploits, tools and of course compromises have not made programmers and administrors *at large* signifigantly more effective in regard to issues of security.  The prediction that breaking into systems is going to be more difficult is absurd.  Remember that most hackers are opportunists.  If your server is locked down, they'll go find one that isn't.  And believe me, there will be more and more of those.  Look at what wireless has done.  No more acoustic couplers, PBX hacking or server bouncing.  Wireless LAN has made anonymous hac
 king (and getting inside firewalls) trvial.

> The fact that XSS frequently shows up in obscure applications is an
> indicator of how programmers are poorly trained with respect to this
> type of issue.  (I know the state of things is bad in general, but
> more programmers probably know about buffer overflows than XSS).

Well that's great, Steve.  Bottom line here: most programmers still suck when it comes to security.  But let's look at buffer overflows, which I'm sure you'll admit are nowhere near in the ballpark of being adequately protected against by most programmers.  So let's say everyone picks up .NET or Java.  No more buffer overflows.  (We'll leave "virtual machine overflow" theories out of this discussion.)  There will be new attack paradigms.  SQL injection is "new".  XXE is "new".  Next week there may be something else "new".  There will be plenty of new ways to attack systems that anyone who wants to can find out about.  And those people are generally hackers, not programmers.

I'm sure there are arguments to be made for programmers getting better in terms of security.  There are now secure programming books, guides, mailing lists, etc. so that those who want to learn how to code in a secure fashion can do so.  These make programmers be *able* to get better at programming securely, but it doesn't inherently make it so.  In any case, if you were to take the growth rate of secure programmers relative to the growth rate of programmers in general, things don't look good.  (Read: things are not improving) Throw in the growth of hackers, who are much more motivated to learn about security than programmers are, and things look worse.  Throw in all the other factors I listed above, and things terrible.  You can try to dampen this by saying things like "the number of security professionals is growing" or "the amount of money being spent on security is growing", but the truth is that none of those facts make the equation balance out to a situation where the i
 nternet at large is likely to be more secure.  Most "security professionals" are CISSP-types (the MCSEs of the security world) and buying RealSecure isn't even going to stop SQL injection.  Bottom line: It's getting easier to learn how to secure systems, but that doesn't mean that things are actually getting more secure.

> Personally, I'm glad to see the contributions made by up-and-coming
> vulnerability auditors who get their start by auditing easier targets.
> They help to demonstrate how widespread the problems are while
> educating the affected developers in the process, who hopefully will
> not make the same mistakes again.

This actually made me laugh.  Describing the people that post these XSS issues as "up-and-coming vulnerability auditors" is humorous in one sense, and depressing in another.  You give these kids waaay too much credit.  Allow me to explain.  I'm no psychologist, but I think that the people that find these XSS bugs are essentially script kiddies (even if they're "whitehats", there are plenty of "whitehat" script kiddies out there) who are trying to convince themselves that they're real hackers.  In their eyes, getting a post on Bugtraq makes it so.  In a perfect world, it would be true: BugTraq would only contain posts from qualified people with real issues to share.  Finding XSS bugs is trivial.  Much harder than, say, developing an exploit for a chunked encoding issue.  So like most people in this world, they take the path of least resistance: "The easiest way to get onto BugTraq is to post XSS issues."  If these people were actually motivated by a real passion for technical 
 learning, they would be too busy learning C, TCP/IP or OS internals to hunt for XSS bugs in MyTrivialPHPApplication.  The depressing part is that these people probably are up-and-coming "security professionals".  And most of them probably won't know much more when they're charging Fortune 500 companies for their code audits than they do know.

> > Code Red was a plague.  Melissa was a plague.
>
> Agreed; however, XSS worms have been theorized (see [1] for one
> variant), and widely deployed XSS-vulnerable applications like
> bulletin boards could be an unfortunate breeding ground.

Theory is theory until proven otherwise.  XSS is not appealing to hackers when there are so many other more direct and interesting ways of compromising systems.  As I've explained, I don't think that is likely to change in the near future.  The truth is that most XSS-aware "blackhats" would rather XSS goatse onto bulletin boards for fun than use them to steal people's credentials.

The bottom line with this whole XSS thing is that it's been blown WAY out of proportion by both security companies and "vulnerability researchers".  XSS has been portrayed as something that is definitely being widely exploited (it's not, if you disagree, I want proof), something that is very dangerous and can directly lead to a server compromise (in most cases, all you can do is impersonate authorized users), and something that is very easy to do (not always so, finding users of a particular system and then getting them the XSS attack can be quite challenging).  The Whitehat paper, press release and article promoted these myths inexcusably and added hype on top of that when all that was there was yet another way to mess with people using ActiveX/Flash/etc.  Like Georgi Guninski said, if you want to hack with that stuff, just download whatever you want off of their hard drive.  Why XSS?

Please read what I've written here and consider it seriously.  Hopefully it will change your mind about some things.  And remember that this is all a matter of record now.  Whether or not your predictions occur *will* reflect on your professional reputation.  (Yes, I'm aware that I'm cheating by hiding behind a Hushmail account, but you'll probably find out who I am sometime before we know how this XSS thing turns out.)

Feedback, positive or negative, is welcome.


X-i-L
xss-is-lame@...hmail.com


While we're discussing XSS, does anyone remember the first win2k server on the net?  Microsoft set up a test site for it called www.windows2000test.com or something.  There was a guestbook on it.  Some clever fellow XSSed (or HTML injected, if you prefer) a refresh to www.freebsd.org into.  It's one of the few XSS problems that actually "affected" lots of people, and it's funny too, which makes it a nice way to end this otherwise negative and pessimistic rant.
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wmAEARECACAFAj4vZhQZHHhzcy1pcy1sYW1lQGh1c2htYWlsLmNvbQAKCRDs/5lboNFb
hnPaAJ9i+f5n3ghrUoKsftalEd6cMSLE/QCeK4MWJCGzOw245dIeGfrTSbAuKtg=
=l4I4
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2 

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427

Powered by blists - more mailing lists