Date: Wed Dec 21 14:02:35 2005
From: mohit.muthanna at gmail.com (Mohit Muthanna)
Subject: XSS vulnerabilities in Google.com

On 12/21/05, GroundZero Security <fd@....org> wrote:
>
> are we starting to post vulnerabilities in specific websites now rather than
> daemons/clients etc.?

When it's a website with a user-base as large as what Google has, yes.

When there is a possibility that user accounts can be compromised, yes.

> i mean there are thousands of websites which are vulnerable to xss,sql
> injection or worse because of their
> custom scripts.

Sure, but "google != howardsblog.com". A large part of the population
(including myself) relies on Google's various services for day-to-day
use. I sure as hell would not feel comfortable knowing that I'm using
a service that can potentially leak my information.

If there is a vulnerability, no matter how trivial, the public needs to know.

> in my opinion this should be posted to the website owners if
> you feel like, but it's of no real use
> to the security community.

That's quite a blanket statement to make. I'm sure a few people in the
"security community" would like to know that there exists a
vulnerability in a Google service.

> hm another thing i'm wondering about is, is it
> legal to just audit a website without
> asking the owner if it's ok?

No. But a site need not be audited to discover a bug.

> how will he know it's not a real attack? ok as
> for xss there can't be much harm done
> to the server itself,

XSS can do a lot of harm. A compromised administrator account is
generally a compromised server. There are some good XSS resources on
the web you can read up on.

The bug that was discovered by the parent poster may not lead to a
server compromise, but that is no reason to discount or underestimate
XSS.

> but what if, for example, you cause a DoS through
> testing certain variables for overflows ?

Then, my friend, you have discovered a bug.

Mohit.


--
Mohit Muthanna [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those
who don't."