Date: Wed, 12 Dec 2007 13:12:26 -0600
From: "Fredrick Diggle" <fdiggle@...il.com>
To: "Joao Inacio" <jcinacio@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: on xss and its technical merit

"All of the retards on the list will no doubt ask me for a secure session
management schema but I am a firm believer that sharing is communism so
screw you."

Did I call that or what :D

Yes you are implementing it badly. To establish a session you no doubt require
authentication based on some known pieces of information (username,
password, etc). If you allow someone to establish a session or establish
themselves as part of an existing session based solely on some piece of
information (their session id) then you should not be storing that piece of
information in a freaking cookie in plain text. Would you store your user's
password in there? Yes it's a vulnerability! And I repeat, I am not gonna
lecture you on how to implement it correctly. Go read a book sir.

damn communists.

YAY!

On Dec 12, 2007 12:47 PM, Joao Inacio <jcinacio@...il.com> wrote:

> On Dec 12, 2007 6:21 PM, Fredrick Diggle <fdiggle@...il.com> wrote:
> > What no one seems to realize is that XSS by its very nature is not a
> > vulnerability. It is a perfectly valid mechanism to aid in exploitation but
> > can anyone cite me an example where xss in and of itself accomplishes
> > anything? I can think of pretty much 3 examples of XSS (granted without
> > giving it much thought because let's face it, it isn't worth much thought)
> >
> > 1. you are taking something from a user which is accessible from the
> > scripting language context of their browser.
> >   In this case the vulnerability is not XSS; the vulnerability is either that
> > you (or the web browser) are storing something valuable in an insecure way.
> > The most obvious example of this is something like session cookies which if
> > your auth/session management is implemented in a secure way won't matter a
> > bit. It follows that the vulnerability is not XSS but instead that some
> > developer stored something valuable in a stupid way. All of the retards on
> > the list will no doubt ask me for a secure session management schema but I
> > am a firm believer that sharing is communism so screw you.
> >
>
> Sorry, but I can't see how having access to session cookies is
> unimportant.
> Even if nothing valuable is stored by the session management, there is
> one key factor: session cookies will grant you access to a user's
> session, unless other checks are in place (like the user's IP
> address).
> Take for example gmail - login, copy its cookies to another browser
> and then access it from that browser - how is gmail's session
> management flawed?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
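
The check mentioned in the quoted reply above (tying a session to the user's IP address), shown as an added example that is not part of either post. The `SessionStore` class, its method names and the sample addresses are hypothetical and constructed for illustration.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Hypothetical server-side session table that binds each session id
    to the client address seen at login (illustrative names throughout)."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}  # sha256(session id) -> (user, client_ip, expiry)

    @staticmethod
    def _key(session_id):
        # Store only a hash so a leaked table does not reveal live ids.
        return hashlib.sha256(session_id.encode()).hexdigest()

    def login(self, user, client_ip, now=None):
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[self._key(session_id)] = (user, client_ip, now + self.ttl)
        return session_id

    def validate(self, session_id, client_ip, now=None):
        """Return the user name, or None if the cookie must be rejected."""
        now = time.time() if now is None else now
        key = self._key(session_id)
        record = self._sessions.get(key)
        if record is None:
            return None
        user, bound_ip, expiry = record
        if now > expiry:
            del self._sessions[key]  # expired: drop the record
            return None
        if bound_ip != client_ip:
            # Same cookie presented from a different address: treat it as a
            # replay and revoke, so the copied value is useless afterwards.
            del self._sessions[key]
            return None
        return user


# Constructed sample using documentation-range addresses (RFC 5737).
store = SessionStore()
cookie = store.login("alice", "192.0.2.10", now=1000.0)
same_client = store.validate(cookie, "192.0.2.10", now=1010.0)
other_client = store.validate(cookie, "198.51.100.7", now=1020.0)
after_revoke = store.validate(cookie, "192.0.2.10", now=1030.0)
```

An address check of this kind also rejects legitimate users whose address changes mid-session, and it does not distinguish two clients behind the same NAT address.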
