Message-ID: <e9d9d4020712091219h66d7c361nf5bf23c9fedf3b49@mail.gmail.com>
Date: Sun, 9 Dec 2007 14:19:10 -0600
From: reepex <reepex@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: on xss and its technical merit

After the last email where they asked for a resume I did not feel like
making up a fake resume like I made a fake company, so I ignored them... only
3 days later simon sends this email begging me to stay in contact and work
him.

I think snosoft must be in serious trouble if they look to merge with
companies and hire employees based on troll posts from FD.

On Nov 5, 2007 10:59 AM, Simon Smith <simon@...soft.com> wrote:
> Thought you were interested in contract work?
>
> reepex wrote:
> > you see you are arguing how useful xss can be for an attacker, but the
> > point of this argument is
> >
> > 1) how hard is it to find xss in applications
> > 2) how hard it is to successfully exploit the vulnerability
> >
> > compared to other vulnerabilities xss is way down on the scale
> >
> > i also believe this is what pdp wanted to argue as he believes xss is on
> > the same scale as other bugs following 1 and 2
> >
> > On Nov 4, 2007 2:28 PM, <nexus@...yhack.net> wrote:
> >
> > reepex wrote:
> >> 1) XSS isn't technical no matter how it's used
> > I totally disagree with you.. isn't technical for those who cannot
> > realize how much powerful can be a xss, especially if persistent.
> >
> >> 2) people who use xss on pentests/real hacking/anything but phishing are
> >> lame and only use it because they cannot write real exploits (non-web) or
> >> couldn't find any other web bugs (sql injection, cmd exec, file include,
> >> whatever)
> > Imho the pentesting will move day by day closer to web applications
> > flaws testing, since the web applications are self written by webmasters
> > and more exposed to possible bugs. Concerning sql inj or rfi are not
> > more difficult to be discovered..
> >
> >> 3) XSS does not have a place on this list or any other security list and i
> >> remember when the idea of making a separate bugtraq for xss was proposed and
> >> i still think it should be done.
> > Dunno about that, even if i agree that all the xss flaws found should
> > not be reported here, they would be too much.
> >
> >> 4) if you go into a pentest/audit and all you get out is xss then it's a
> >> failed pentest and the customer should get a refund.
> > I don't agree with this too for the same reasons as before.
> >
> >> 5) publishing xss shows your weakness and that you don't have the ability to
> >> find actual bugs ( b/c xss isn't a vuln, it's crap )
> > Imho a xss is a vuln as much as the others, since if used smartly could
> > get quite dangerous.
> >
> > Reading a report from zone-h i read that the most effective hacking
> > cause it's the xss.. i don't know if i shall agree with this, but
> > obviously it should make us think about it.
> >
> > bye
> >
> > /nexus
>
> > ------------------------------------------------------------------------
>
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> --
>
> - simon
>
> ----------------------
> http://www.snosoft.com
>
>