Date: Wed, 30 May 2007 12:00:10 +0200 (CEST)
From: security@...ed.com
To: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: The Next Super JavaScript Malware - the web has crashed

I agree; well, you already explained this problem some weeks ago and I got
a bit upset thinking about it, as seeing bad guys using our site is the
last thing I'd like to see. But you're right on this point. I think that
your explanation could apply to other kinds of vulnerabilities with other
web sites (XSS but also SQL injections/file inclusion with
Secunia/SecurityFocus advisories for example, probably a bit more
difficult to parse the content).

> The reason attackers will go for XSSED.com instead of providing their
> own database is that XSSED has a bigger audience and the chances of
> someone contributing a new vector are higher. Web2.0 is all about
> segmenting services in small independent but very useful blocks. So,
> why bother creating a new database when you can use whatever is already
> available online. IMHO, malware code that makes use of various
> databases online can impact the Web to an extent beyond our
> imagination.
>
> For sure you can shut down the service at any given time but that
> won't make any difference at all. I use XSSED.com as an example,
> because it is the biggest database available today. If you shut down
> the service, it won't take long for attackers to find another database
> and reconfigure the infrastructure to support it as well. In fact,
> attackers can submit XSS vectors to Google Base.
>
> On 5/30/07, security@...ed.com <security@...ed.com> wrote:
>> Dear petko d. petkov,
>> I don't know if it was your intention, but you're giving a bad name to
>> xssed.com, whose goal is to organize the public XSS vulnerabilities, make
>> statistics, and first of all to spread education about XSS
>> vulnerabilities. While the scenario you describe is somehow possible, it
>> relies on the availability of our web site, and we'd be able to stop it
>> quickly. Anybody would be able to build such an XSS list without the
>> need of our site, and with their own discoveries. I wanted to clarify it.
>> Anyway, I think that everybody here on the list knows the dangers and
>> advantages of full disclosure.
>>
>> Kevin
>>
>> > http://www.gnucitizen.org/blog/the-next-super-worm
>> >
>> > In this article I explain a technique that can be used by malicious
>> > minds to build the next generation of JavaScript based malware. The
>> > post is for education purposes and I welcome everyone who has ideas
>> > how to stop these types of attacks to do so by sending an email or
>> > posting a comment. We do really need to start thinking about how to
>> > fight back and start developing strategies that can apply.
>> >
>> > cheers
>> >
>> > --
>> > pdp (architect) | petko d. petkov
>> > http://www.gnucitizen.org
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >
>>
>>
>>
>
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>