lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6905b1570711050259k7f3e5f03k12854f89844f41ee@mail.gmail.com>
Date: Mon, 5 Nov 2007 10:59:26 +0000
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: "Volker Tanger" <vtlists@...e.de>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: on xss and its technical merit

comments inlined

On Nov 4, 2007 8:01 PM, Volker Tanger <vtlists@...e.de> wrote:
> Greetings!
>
> On Sun, 4 Nov 2007 13:26:17 -0600
> reepex <reepex@...il.com> wrote:
> > "we are talking about whether XSS is as technical as other security
> > disciplines. We are also talking about whether it should have a
> > deserved an recognized place among FD readers and contributers.
> [...]
> > 1) XSS isnt techincal no matter how its used
> [...]
> > 3) XSS does not have a place on this list or any other security list
> > and i remember when the idea of making a seperate bugtraq for xss was
> > proposed and i still think it should be done.
>
> XSS is a variant on missing or lax input verification. Thus all other
> forms of input-nonverification like buffer overflows or char(0)
> injections or the like should be handeled similarily.
>

agree!

>
> In its simplest version XSS could be used for phishing - which is bad
> enough for banking or business portals. Depending on the application
> other elevations might be possible through XSS like session stealing,
> cmd/sql injects, etc.
>
> Especially if such an elevated XSS was detected for a software it
> definitely would have a place on security mailing lists. But it should
> be more qualified than just "XSS found on ....". Just running a XSS
> scanner is lame - whereas finding out all consequences and possible
> attack vectors and maybe even posting a patch might be a worthwile
> posting.
>

XSS has been already detect in software... AOL Instant Messenger was
vulnerable to XSS not that long time ago. The default screen where you
type all your text is nothing more but the IE web browser. Google
GTalk and Skype also use the IE browser. The AOL IM was vulnerable to
an attack where remote users can send a specially crafted message
which will render within the context of the remote IE instance. IE
within AOL runs with full privalages, i.e there is no sandbox. This
means that you can easily start running WScript (WSH) scripts. We know
what that leads to, do we? This is a variation of XSS that effects
client-side technologies. This bug could have lead to one of the
biggest worm outbreaks ever seen. No user interaction was required in
order to launch the attack!

>
> Bye
>
> Volker
>
> --
>
> Volker Tanger    http://www.wyae.de/volker.tanger/
> --------------------------------------------------
> vtlists@...e.de                    PGP Fingerprint
> 378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ