Message-ID: <003d01c2c331$800091d0$6601a8c0@rms2>
From: rms at computerbytesman.com (Richard M. Smith)
Subject: Re: New Web Vulnerability - Cross-Site Tracing

Steven,

Do you know of any cases of cross-site scripting being used in the real
world?  I looked around last fall some and couldn't find any examples
being reported.

XSS errors are real easy to make, so it is not surprising they are the
2nd most frequently reported vulnerability.

Richard

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Steven M.
Christey
Sent: Thursday, January 23, 2003 5:18 PM
To: bugtraq@...urityfocus.com; webappsec@...urityfocus.com;
vulnwatch@...nwatch.org; full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Re: New Web Vulnerability - Cross-Site
Tracing



>The XSS plague?  The only XSS plague I know of is on Bugtraq and other
>disclosure mailing lists.  Is anyone else sick of seeing posts about
>XSS problems in PHP applications that run on a total of five sites?

XSS (including "HTML injection" for those who make such distinctions)
was the 2nd most frequently reported vulnerability last year, behind
buffer overflows, based on CVE statistics.  Many people still seem to
think XSS is just about cookie theft.  While there may not be many
publicly reported exploits of XSS issues, or of web client
vulnerabilities in general, it seems likely that applications will
become a more attractive target to hackers as it gets more difficult
to break into servers.

The fact that XSS frequently shows up in obscure applications is an
indicator of how programmers are poorly trained with respect to this
type of issue.  (I know the state of things is bad in general, but
more programmers probably know about buffer overflows than XSS).
Personally, I'm glad to see the contributions made by up-and-coming
vulnerability auditors who get their start by auditing easier targets.
They help to demonstrate how widespread the problems are while
educating the affected developers in the process, who hopefully will
not make the same mistakes again.

> Code Red was a plague.  Melissa was a plague.

Agreed; however, XSS worms have been theorized (see [1] for one
variant), and widely deployed XSS-vulnerable applications like
bulletin boards could be an unfortunate breeding ground.

- Steve

[1] http://online.securityfocus.com/archive/107/302027/2002-11-29/2002-12-05/0
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
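The thread treats XSS as a consequence of rendering untrusted bulletin-board input straight into HTML. As an added illustration, not code from this thread or from any application it mentions, here is a minimal Python rendering of a board with the vulnerable concatenation beside the output-escaped version; the sample posts, the template, and the function names are constructed for the example.

```python
import html

# Constructed sample posts, stored the way a simple board might keep them:
# the body is whatever the poster typed, unmodified. One body carries markup.
SAMPLE_POSTS = [
    {"author": "alice", "body": "Anyone tried the new release?"},
    {"author": "mallory", "body": "Nice board! <script>alert(document.cookie)</script>"},
]

POST_TEMPLATE = '<div class="post"><b>%s</b>: %s</div>'


def render_post_vulnerable(post):
    """The classic mistake: untrusted fields are concatenated into the page,
    so any markup in a post becomes live markup for every reader."""
    return POST_TEMPLATE % (post["author"], post["body"])


def render_post_escaped(post):
    """Same template, but every untrusted value is HTML-escaped at output time.
    quote=True also escapes quotes, which matters when a value lands in an
    attribute rather than in text content."""
    return POST_TEMPLATE % (
        html.escape(post["author"], quote=True),
        html.escape(post["body"], quote=True),
    )


def render_board(posts, renderer):
    """Render the whole board with the chosen per-post renderer."""
    return "\n".join(renderer(p) for p in posts)


def contains_script_tag(rendered_html):
    """Crude check used here only to show the difference between the two
    renderers: does a literal <script tag survive into the output?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print(render_board(SAMPLE_POSTS, render_post_vulnerable))
    print()
    print(render_board(SAMPLE_POSTS, render_post_escaped))
```

The fix is applied where the value meets the HTML, not where it is received: the stored post stays unchanged, so the same data can later be rendered safely into other contexts (plain text, JSON) with the escaping appropriate to each.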

