lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20071104210135.2a41654a.vtlists@wyae.de>
Date: Sun, 4 Nov 2007 21:01:35 +0100
From: Volker Tanger <vtlists@...e.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: on xss and its technical merit

Greetings!

On Sun, 4 Nov 2007 13:26:17 -0600
reepex <reepex@...il.com> wrote:
> "we are talking about whether XSS is as technical as other security
> disciplines. We are also talking about whether it should have a
> deserved an recognized place among FD readers and contributers.
[...]
> 1) XSS isnt techincal no matter how its used
[...]
> 3) XSS does not have a place on this list or any other security list
> and i remember when the idea of making a seperate bugtraq for xss was
> proposed and i still think it should be done.

XSS is a variant on missing or lax input verification. Thus all other
forms of input-nonverification like buffer overflows or char(0)
injections or the like should be handeled similarily.

In its simplest version XSS could be used for phishing - which is bad
enough for banking or business portals. Depending on the application
other elevations might be possible through XSS like session stealing,
cmd/sql injects, etc.

Especially if such an elevated XSS was detected for a software it
definitely would have a place on security mailing lists. But it should
be more qualified than just "XSS found on ....". Just running a XSS
scanner is lame - whereas finding out all consequences and possible
attack vectors and maybe even posting a patch might be a worthwile
posting.

Bye

Volker

-- 

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@...e.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ