Open Source and information security mailing list archives
 
Message-ID: <200301240046.TAA03667@linus.mitre.org>
From: coley at linus.mitre.org (Steven M. Christey)
Subject: Re: New Web Vulnerability - Cross-Site Tracing

"Richard M. Smith" <rms@...puterbytesman.com> asked:

>Do you know of any cases of cross-site scripting being used in the
>real world?

I have observed unsuccessful cross-site scripting attacks on custom
programs of a particular web server, but they are rarely performed.

>I looked around last fall some and couldn't find any examples being
>reported.

I remember, though many enterprises are quite hush-hush about the
details of security incidents.  Maybe CERT/CC has incident data that
it could summarize?

>XSS errors are real easy to make, so it is not surprising they are the
>2nd most frequently reported vulnerability.

Agreed.  Unlike bugs like buffer overflows, format strings, SQL
injection, and directory traversal, nearly every single input is
suspect, resulting in more attack vectors.  Think of how many inputs
are echoed back to a web page, for example, versus how many inputs are
used to construct filenames, or format log messages.  Also, "XSS
cleansing" can be difficult if certain inputs need to be fairly
free-form.  XSS issues can be easy to find, which is probably also a
factor, though it also demonstrates the lack of adequate testing on
the part of the developer.

- Steve
