Date: Thu, 13 Dec 2007 10:20:15 -0500
From: Byron Sonne <blsonne@...ers.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: on xss and its technical merit

> Naysayers of XSS want some elegant exciting actions.
> It's not. It's a case of not sanitizing input that allows
> arbitrary code to be executed. Simple things like umm
> secure coding, url scan, mod_security, noscript could
> combat this easily.

That is probably the largest part of what makes it such a boring topic.
The easier an attack is to defend against, probably the less exciting it
is. It's hardly exciting to 'break into' someone's house through an
unlocked door; there's no challenge.

> It's like someone walking past a car and seeing a million
> dollars sitting in the front seat. Thief opens unlocked
> door and takes money. Now a more elegant way would be
> to manipulate the chemical composition of the glass back
> to a gaseous form and reach through.

Ah, now THAT would be cool :)

> I really don't understand why some in this community are
> so quick to say this is no find, this isn't new, this is
> <insert blah>.

You deal with this kind of crap professionally for a couple of years and
then tell me how excited you are to come into work in the morning just
so you can pore over hours and hours of crud to make your customers
happy. It's boring. There's no meat to it. It's rote. It sucks the life
out of your day. I regret ever saying that nothing could be worse than
writing CGI checks.

> I guess it makes them feel intellectually
> superior to tear down the ideas of others whether they
> deserve it or not. In some cases they do.

That might be part of it, who knows, for myself or maybe others. I'm not
a shrink. But to me it's more about wanting to see the boundaries pushed
and being exposed to new, exciting stuff.

> Are members of
> this community so starved for their own self worth that
> they strive to squash the ideas of others instinctively?
> Would make for an interesting study.

Would probably just show that there's a lot of pubescent teenagers
jockeying for social position.
