lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 8 Jul 2007 20:35:57 +0100
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, "WASC Forum" <websecurity@...appsec.org>,
	owasp-leaders@...ts.owasp.org
Subject: XSSDB Elite (Web2.0 Engineering)

http://www.gnucitizen.org/blog/xssdb-elite
http://www.gnucitizen.org/xssdb

XSSDB is a advanced application that uses the latest Web2.0
Engineering practices in order to create a full features cross-site
scripting database.

I would like to call the new version of XSSDB: XSSDB Elite, since it
is lighter, smaller, better, and a lot more featureful.

XSSDB started as a simple interface to RSnake's Cross-site Scripting
Cheat Sheet, which is still one of the most accurate resources for
Cross-site Scripting attacks up to date. This status however, may
change.

Soon after I published the first version of XSSDB, I realized that we
need to give the power back to the community in order to keep up with
the latest Cross-site scripting attack vectors. At that time RSnake
was the only one that was handling all changes for his cheat sheet and
this is the reason why updates were coming rather slow. There were
(there still are) tones of attack vectors that were not properly
documented. The cheat sheet, although the best, was just not enough.
How do you expect developers to come up with good enough anti-xss
solutions when there is no single entry point to cover the vast topic
of Cross-site scripting Attacks?

There was a problem and no one was around to handle it. I was planning
to integrate a simple database backend into XSSDB based on Wordpress.
However, due to resource limitations, I had to leave the project for
the latter.

Meanwhile, another organization, XSSED.com took the initiative to
collect various Cross-site scripting holes that are found within real
websites. IMHO, the idea was interesting but not very well
implemented. The purpose of XSSED.com should have been to protect the
website owners by providing an early warning system. This is the
reason why I targeted this website in particular in my research on
hacking Web2.0 services/applications (Advanced Web Hacking Revealed),
presented at OWASP, Italy 2007. During the conference, I discussed how
attackers can use Dapper in combination with Yahoo Pipes to
dynamically fetch entries from XSSED.com and exploit the affected
sites. A XSS worm that implements similar functionalities has the
potential to propagate across the entire Web. Obviously, this is quite
dangerous.

After OWASP, I promised to myself to come back and work on XSSDB to
provide the best possible community driven XSS Database service. I was
planning to use all my skills and knowledge in client side hacking to
implement this system. The main goal was to keep the database
decentralized so no one is in charge. This is how XSSDB Elite was
born.

The current version of XSSDB is entirely client-side based (i.e. it is
a mashup). The database is handled by Zoho Creator and anyone who is
willing to become maintainer/moderator is welcome to drop us an email.
At the moment XSSDB allows you to add new XSS exploits and Site
specific exploits. The GNUCITIZEN group is currently working on the
warning system which will be implemented soon. The database is backed
up on a regular basis by several aggregator which include:
Securls.com, Google Reader and Feed Burner. We encourage users to
subscribe to both XSSDB feeds so the community can recover if the
database fail at some point in the future.

So, this is it. XSSDB is one pretty good proof of concept that shows
what can be achieved with minimal efforts and good understanding of
Web2.0 engineering. Drop us an email or leave a comment on post, to
tell us what do you think.

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ