Date: Sun, 23 Jul 2006 18:52:49 +0000
From: n3td3v <xploitable@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: To XSS or not?

On 7/23/06, Gadi Evron <ge@...uxbox.org> wrote:
> Today, a serious cookie-stealing XSS in paypal was reported. Enough said.

Although I can tell you what's going on here. XSS is suffering an identity crisis and a public relations disaster. There is a lack of high profile hacks with XSS now. We had the Myspace worm, although that was really a harmless proof of concept incident and no harm really came of it. What XSS really needs is a major incident to bring it back into the credibility ratings.

I don't think it's the vulnerability class, more the vendors attached. The bigger the vendor the better, the bigger the security incident the better. Cross site scripting has the attributes to carry out a 'shock and awe' attack, although there's a lack of people out there willing to do it. If all the unpatched XSS vulnerabilities were exploited all at the same time in an internet wide coordinated attack, then that would make people spill their drinks.

The core issue here though is, input validation flaws are too easy for programmers to make.... Greater awareness of input validation practices is needed among web application developers, then the vulnerabilities reported would start to dip. 'HOW NOT TO CREATE INPUT VALIDATION FLAWS IN YOUR WEB APPLICATIONS' is needed.

I think it says more about vendors, than it says about the 'kiddies' who report them. After all, who is lamer, the kiddies finding the bugs or the multi billion dollar corporations who don't take input validation seriously. There should be stiff penalties within corporations. If programmers were told your dick would be chopped off if you let a product go live without penetration testing it first with an automated XSS auditing tool, then you can bet the XSS flaws would go away tomorrow. Ok, maybe just cut their pay for that month, not their dicks off, but you get the idea.

The issue here isn't the kiddies, it's corporations allowing the flaws to happen, and not making corporate dev teams get into trouble for them. What happens to developers within corporations when serious flaws are found? The developers don't get sacked, flaws are just treated as 'just something that happens' and nothing bad happens to individuals. The developer shrugs his shoulders and carries on coding.

It's not mailing lists who should be taking cross site scripting seriously, it's the corporate users sitting in their office cubes who don't care about cross site scripting that's causing the most damage to the reputation of cross site scripting as a legitimate vector for blackhat script kid hackers to use to mount attacks. I say public stonings to developer teams for every cross site scripting reported is a reasonable punishment to me.

But seriously, laws are needed to make it more illegal for corporations to shrug off cross site scripting being left unpatched. And laws to make sure the individual programmer gets fined as well as the corporation as a whole. That way there would be _no_ cross site scripting vulnerabilities left unpatched and mailing lists would not be flooded with them. Money is the only language corporations understand, so if they thought Google, Yahoo, Paypal knew they were going to be fined, the landscape would be different, and corporations would have no choice but to take all reasonable steps to prevent input validation flaws in their software from being a possibility for hackers in the first place.

You must go back to why these flaws are present in software to begin with, so really tackle the real issue of what's going on here, and the finger doesn't point towards the script kids and (or) the hackers, the buck stops at the door step of the vendor. And these are the people (the vendors) who should face large fines in a court of law. It's time to get tough, it's time for a major crackdown on vendor responsibility and being held to account criminally.

Forget all these hacker crack downs and raiding folks' homes at 4am and taking away their computers for analysis, that's not solving anything in the security industry. The crackdowns need to come at the corporate level, and in extreme cases security officers and executives of corporations should be threatened with fines. It is the corporations who should be the ones getting into trouble, not hackers and script kids.

-End of rant, but if you strip down some of what I said, you'll see it's the only way for the security industry to progress and really tackle the fundamental reasons why it's so easy to find cross site scripting nowadays, and I don't think cheat sheets and the wider exposure of x s s and automated detection tools are to blame. It's the vendors! Threaten them with heavy fines, problem 100% solved.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/