[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.21.0607230927130.1867-100000@linuxbox.org>
Date: Sun, 23 Jul 2006 10:10:14 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: To XSS or not?
Okay, so we all like to diss on Cross-site scripting vulnerabilities. They
are indeed vulnerabilities, but there are so many of them that they have
become tiresome, to say the least.
Today, a serious cookie-stealing XSS in paypal was reported. Automatically
it was put down. I will try and address why XSS vulnerabilities are
critical, and yet how they clog our security information channels, and
thus our ability to do our jobs.
Honestly? Kiddies reporting XSS vulns in flying colours of a remote code
execution is annoying to me, but again, these are still
vulnerabilities. They deserve being reported.
I personally believe reporting them one by one to the world is
important. They can cause, for example, if used on a news/commerce web
site, significant losses from phishing or perhaps cause a massive scare,
by a carefully crafted fake news message.
If, as another example, the XSS is in some publicly distributed PHP
application, that indeed has relevance to the rest of the world. No matter
how annoying the volumes of these may be.
More importantly, some XSS vulnerabilities can be used for stealing
cookies and sessions, taking over an Inbox or a purchasing account,
depending on what service the web site offers
(as seen before on.. lycos? hotmail? paypal?).
XSS vulnerabilities should not be looked down-at. Yet.....
All that said, acknowledging XSS for being a real vulnerability does not
mean every XSS is "worth reporting" or even reading. Meaning: kiddies, for
crying out loud, stop reporting every XSS client-side content manipulation
you find in every second-rate online dating service. It has become
comparable to reporting every spam message you get.
Philosophically, "Full disclosure all the way, baby!". In practicality,
who doesn't look down at XSS vulnerabilities these days? They have become
the trait of kiddies.
How about reporting them, but in batches as some researchers have shown
they can do, recently? The impact is larger and they still go public.
Maybe if the volume of reports was lower and more digestible, and the
importance/critically measurement were sane, the serious XSS
vulnerabilities would be indeed taken as serious, with the respect they
deserve.
As long as every 2-bit XSS is being reported in a near-flood of useless
email messages, in most cases they won't be taken very seriously.
Every web site out there likely has an XSS or 10. This is not scalable for
the regular security vulnerabilities information channels the way things
go now. Report the "less important ones", but do so in digest mode, m'Kay?
A few years ago we used to joke about auto-generating PHP vulnerability
reports and send them to bugtraq. Who would be able to tell the
difference? Today, in my opinion, it's become a joke.
The paypal vulnerability reported today as found by securitylab.ru is
critical, as it allows stealing the cookie. All credit naturally belongs
to them, good work guys.
To make a point though, after this was published, a friend of mine looked
back to an XSS he found in passing 2 years ago, and reported to
paypal. Obviously, it is still there and haven't been acted on.
This does not take from their finding, the credit is theirs, but perhaps
if full disclosure was applied 2 years ago (as paypal didn't do much about
it), others who very likely found this vulnerability since would not have
been able to exploit paypal users.
If it was, would it have gotten much attention? Did it today when it was
released in Full Disclosure?
This is what Full disclosure was created for.
Enough with silly XXS vulnerabilities, people. Let's be able to
distinguish what's important and report it accordingly. Then give the due
respect to everything else and still report it, but in a digestible form.
Again, what's not-so-important can still (and should still) be reported,
but please, stop clogging our lines of communication!
Gadi.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists