lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.51.0604041057000.16238@faron.mitre.org>
Date: Tue, 4 Apr 2006 11:11:45 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Javor Ninov <drfrancky@...urax.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: On product vulnerability history and vulnerability complexity



On Tue, 4 Apr 2006, Javor Ninov wrote:

> So you mean that XSS is not trivial and difficult to spot ?
> For today code XSS is unacceptable and speaks very [poorly] for the
> author.


A lot of XSS might be "lame," but some of it is rather interesting and
complex.  Our terminology might not be precise enough to capture this, but
not all XSS is created equal, and that should be accounted for in trying
to measure how well a product has been designed and implemented.

I think it's perfectly understandable if a vendor doesn't realize that
this input:

  <script<

will bypass their regexp that strips out anything between a "<"  and ">",
but it can still be rendered by browsers that automatically treat the
second "<" as if it is the closing ">"

Or this input:

  java
  script:alert('hi')

which, despite having a CRLF right in the middle of a special keyword, can
still be processed.

Or, as was recently discussed in a paper announced to this list, by
whitelisting just "<b>" tags using PHP's strip_tags() function, then this
will work:

  <b onmouseover="badstuff">hello</b>

Or the DOM-based XSS attacks where there are no syntactic clues to the
issue, at least not in the usual places...

If you look at a number of the XSS issues in popular web mail services,
many of them involve non-standard browser behaviors.

- Steve


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ