Message-ID: <47601E3B.3090604@rogers.com>
Date: Wed, 12 Dec 2007 12:45:31 -0500
From: Byron Sonne <blsonne@...ers.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: on xss and its technical merit

> It's not a sexy beast that you can blog about

That hasn't stopped some people ;)

I've done some serious thinking about this, and I've come to the
conclusion that hacking at web stuff is innately boring. Maybe it's like
watching bicycling on TV; fun to do but boring as hell to watch or
listen to other people talk about.

Ooooh xss csrf htmlmnopqrstuvwxyz bah! The only thing possibly
interesting about it is the target, what you scam them for, or what you
get access to. The problem is that anything www facing is pretty much in
the realm of the sheep, so of course almost everything is going to be
rotten with holes. You have community colleges pumping out 'web experts'
or dudes who read a redhat+apache+php+mysql+foo howto and now are seen
as gurus.

In terms of a technically interesting challenge, it sounds about as
exciting as picking fights with 10 year olds. Shit man, most of this
stuff is more about fooling people than anything. Yawn. I was bored
tricking or weaseling passwords out of datacentre employees over the
phone 20 years ago. Now I'm supposed to get excited 'cos some retards
are doing it over the web?

> If an app is vuln to XSS chances are the rest of the app
> is crap anyways...

A safe assumption. In fact, if it's on the web, it's a safe assumption
it's crap anyways. Or is that Crap2.0?


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/