lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <200607311943.k6VJhvJ8010512@faron.mitre.org>
Date: Mon, 31 Jul 2006 15:43:57 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Cc: 
Subject: Re: Do world's famous companies take care of
	their security?


>There was discussion last week in the Full-Disclosure about XSS
>vulnerabilities in reply to XSS vulns in PayPal and Gadi Evron
>suggested creation of a separate mailing list for just XSS
>vulnerabilities.

This is definitely a growing gap in our current knowledge.  I don't
think it's being tracked very well, although I thought Jeremiah
Grossman started tracking the more serious issues.

Vulnerability databases (CVE included) historically have NOT recorded
site-specific XSS and other issues like sensitive data disclosure.
The primary reason is that most vuln DBs are focused on issues in
software that a system administrator would be directly responsible
for.  Software services, which is basically what you're talking about
with PayPal, Google, and the like, are not under direct control of the
sysadmin - plus, the vendor merely needs to flip a switch (i.e. patch
the bug) and the problem is instantly fixed for all customers.  The
lines between "site-specific" and "distributable" software are
becoming more blurry however, e.g. with hosted solutions.

Another issue might arise with respect to disclosure, in that if you
publish a site-specific security issue, you're highlighting how to
attack a specific site.  I'm not a lawyer, but as I understand it,
this gets into more dangerous legal waters than disclosure of regular
software.

>XSS bugs are easy to discover and easy to fix, so what's the problem?

This is a common misconception.  The basic XSS issues are easy to
discover and fix, and there are still far too many of them in
software.  That's partially because with XSS, every single
input/output is suspect, and you simply don't get that large of an
attack surface with other vuln types.  Over the years, XSS has
demonstrated a rich set of attack variants, such as the recent 8-bit
XSS bypass discussed by Kurt Huwig
(http://seclists.org/lists/bugtraq/2006/Jun/0549.html)


- Steve

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ