
Re: [Full-disclosure] on xss and its technical merit



Thanks, reepex, for starting the discussion. It will be really great if
we can get more people involved in this. It seems that there is a
lot of confusion about the merits of XSS. I hope that we can answer all
of your questions once and for all.

1) XSS isn't technical no matter how it's used

XSS can be as technical as it gets. It can be very technical or
not technical at all. Under the term XSS we have variations of
technologies and techniques, in a similar way to software (binary)
hacking (buffer overflows). Therefore, just injecting
meta characters into a page does not mean anything, just as
injecting data into a buffer does not mean anything at all.
What is more interesting is how you use the vector. Keep in mind that
when dealing with XSS, we have pretty much the same obstacles as with
buffer overflows: we are limited by size and allowed characters.
Also, as with buffer overflows and other attacks more or less
related to them, attackers need to take the execution flow into
consideration and as such make the attack stealthier.

2) people who use XSS on pentests/real hacking/anything but phishing
are lame and only use it because they cannot write real exploits
(non-web) or couldn't find any other web bugs (SQL injection, cmd
exec, file include, whatever)

We live in different times. The Web has become the only tool we need,
and as such the browser is the ultimate platform. XSS is by far the
only way to run untrusted code within the origins of a trusted domain
without having a browser vulnerability in the first place. SQL injection
and file inclusion attacks still exist; I deal with them on a daily
basis, but the attack surface is largely mitigated by the various
frameworks which power most modern applications. However, why
do you need SQL injection when you can perform the needed action on
behalf of the user by using XSS? It is safer and a lot stealthier. If
you want to change someone's details or want to get some data out, XSS
is a completely valid type of attack.

The people I've seen who use XSS today have a vast background in
traditional attack techniques. Though, their number is very small,
mainly because the topic hasn't reached the level of maturity that other
topics already have. I don't want to mention names here, mainly because
it is very rude, but I welcome all of you to join the conversation.

3) XSS does not have a place on this list or any other security list,
and I remember when the idea of making a separate bugtraq for XSS was
proposed, and I still think it should be done.

FD is a general security list. XSS is a security discipline.
Therefore, XSS should be present on FD, just as other security
topics should be present too. However, if someone is serious about
XSS, there are plenty of other places you can attend. Moreover,
nowadays, posting to FD is pointless. The list is out of control, and I,
as many others, find it rather lame and not worth the effort. If you
want to learn something, start reading blogs.

4) if you go into a pentest/audit and all you get out is XSS, then it's
a failed pentest and the customer should get a refund.

Not true. If you don't know, XSS is a top priority today. It is
present on almost all websites/applications. I am not sure who you are
working for and whether you are doing any pentesting, but I can tell
you something: people are interested in XSS and they are afraid of it.
I must say that there is a huge gap of knowledge and understanding
that needs to be filled, but the situation is getting better with every
single day. Today, companies are interested in Web 2.0. They are
interested in the impact this technology will have on their
organization. There are numerous things corporate people worry
about when it comes to it. XSS is one of them.

I used to rate XSS as low, sometimes as medium, risk two years ago.
Today, if they are unauthenticated, I rate them as HIGH. Why? Open
your eyes. XSS is not only about getting the victim to run some code.
There are a number of things you can do. Do you know that if CNN has
XSS on their site and I manage to inject some Google ads and kind of
spread the vector around on a couple of bookmarking sites, I can make
tons of money? Think about it.

  a) CNN is a very important site.
  b) Ad clicks will cost more.
  c) Social bookmarking is a way of life (look at DIGG).
  d) Social bookmarking sites can be spammed (research OnlyWire).

You have all the components of a successful attack. What about forging
stories? Or performing black PR? Or maybe even black SEO? The limit is
only your imagination. Unfortunately, some people lack the imagination,
so others have to show them the way.

XSS has more potential than any other type of vulnerability available
today. This is due to the size of the Web. When you start putting all
the things into perspective, you will see what I am talking about. For
all of you who think that XSS is crap, well, you are simply missing
the train and the great ride that comes with it. Good luck!

5) publishing XSS shows your weakness and that you don't have the
ability to find actual bugs (b/c XSS isn't a vuln, it's crap)

Publishing XSS makes you look stupid, as does publishing a DoS, because you
haven't investigated enough to see whether and how your findings can
be exploited. Moreover, publishing XSS is not ethical. It is wrong and
people should stop doing it, or at least stop bragging about it.
However, just because you found an interesting XSS vector, it does not
mean that you are stupid or an idiot. There are some very clever XSS
attacks and clever people who stand behind them. Again, I don't want
to involve these people in the discussion against their will, so I
will contact them personally and ask whether they would like to be
mentioned.

reepex, I am sorry, but all your statements are groundless. I was
expecting something more from you, especially after we exchanged a few
private emails. Sometimes I get the feeling that you actually know
what you are talking about. You definitely know a few things, but
c'mon, really... give me something juicy...

cheers,
pdp

P.S. I am sorry for the inconvenience; this message has to be
approved first. I am not an FD member and the list management interface
is unresponsive at the moment.

On Nov 4, 2007 7:26 PM, reepex <reepex@xxxxxxxxx> wrote:
> Pdp architect and I have been emailing back and forth about whether XSS has
> a place in FD, bugtraq, or the security research area at all.  He decided
> that we should start a discussion about it on here and get people's
> unmoderated opinion.  This discussion should not concern whether it's
> important due to stealing bank info, PayPal, whatever; it should only stick
> to XSS as a pure research area.  Or as pdp described it:
>
> "we are talking about whether XSS is as technical as other security
> disciplines. We are also talking about whether it should have a deserved and
> recognized place among FD readers and contributors. However, the topic won't
> cover only whether you can detect or inject XSS; this is lame. It will
> cover the whole 9 yards... pretty much all the topics covered inside the XSS
> book."
>
> My ideas on the topic are
>
> 1) XSS isn't technical no matter how it's used
> 2) people who use XSS on pentests/real hacking/anything but phishing are
> lame and only use it because they cannot write real exploits (non-web) or
> couldn't find any other web bugs (SQL injection, cmd exec, file include,
> whatever)
> 3) XSS does not have a place on this list or any other security list, and I
> remember when the idea of making a separate bugtraq for XSS was proposed, and
> I still think it should be done.
> 4) if you go into a pentest/audit and all you get out is XSS, then it's a
> failed pentest and the customer should get a refund.
> 5) publishing XSS shows your weakness and that you don't have the ability to
> find actual bugs (b/c XSS isn't a vuln, it's crap)
>
> I think pdp is going to respond first. Should be fun ;)
>
>



-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
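
The two claims in the message above that are actually about mechanism (an XSS vector is constrained by size and allowed characters, and once it runs inside the trusted origin it can act on the victim's behalf) are illustrated by the following added example. It is not code from pdp, reepex or the original thread. It is a small Node.js model of a page that reflects an assumed `name` parameter, rendered once through a weak blacklist filter and once through proper HTML output encoding, plus a few constructed payload strings shaped by an assumed injection point that rejects single and double quotes and caps the length. The payloads are only inspected as strings and never executed; the `/account` endpoint, the `name` parameter and the filter are inventions for this illustration, and a real browser remains the ground truth for what actually runs.

```javascript
// Added example, not from the original thread. Node.js model of a reflected
// XSS sink: a template echoes an untrusted "name" value, once through a weak
// blacklist and once through proper HTML encoding. Payloads are constructed
// strings and are only inspected here, never executed.

// Context-aware encoding for HTML text content and quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// A typical weak "sanitizer": deletes literal <script> and </script> tags.
// It is case-sensitive and makes a single pass, which is exactly what a
// nested-tag payload exploits.
function naiveFilter(s) {
  return String(s).replace(/<\/?script>/g, '');
}

// Server-side template that reflects the (assumed) "name" query parameter.
function renderGreeting(name, encode) {
  return `<p>Hello, ${encode(name)}!</p>`;
}

// Stand-in for the browser: does the rendered HTML still contain a tag a
// browser would execute (a <script> element, an on* event handler, or a
// javascript: URL)? Encoded payloads no longer form tags, so none is found.
function containsActiveContent(html) {
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, name, attrs] = m;
    if (name.toLowerCase() === 'script') return true;
    if (/\bon[a-z]+\s*=/i.test(attrs) || /javascript:/i.test(attrs)) return true;
  }
  return false;
}

// Constraint model for an injection point: a length cap and a set of rejected
// characters (assumed here: the application refuses single and double quotes).
function fitsConstraints(payload, { maxLen, forbidden }) {
  if (payload.length > maxLen) return false;
  return ![...forbidden].some((c) => payload.includes(c));
}

// Constructed payload strings. None of them needs a quote character.
const PAYLOADS = {
  // Event handler instead of <script>: passes the blacklist unchanged.
  eventHandler: '<img src=x onerror=alert(document.domain)>',
  // Nested tag: the blacklist removes the inner <script> and </script>,
  // and what remains is a well-formed <script> element.
  nestedScript: '<scr<script>ipt>alert(document.domain)</scr</script>ipt>',
  // Acting on the victim's behalf: a same-origin request that the browser
  // would send with the victim's cookies. The path comes from a regex
  // literal's .source so the payload stays free of quote characters.
  actOnBehalf: '<img src=x onerror=fetch(/account/.source,{method:`DELETE`})>',
};

// Run every payload through both renderings and report what survives.
function evaluate(constraints = { maxLen: 64, forbidden: '"\'' }) {
  const report = {};
  for (const [label, payload] of Object.entries(PAYLOADS)) {
    report[label] = {
      fits: fitsConstraints(payload, constraints),
      survivesBlacklist: containsActiveContent(renderGreeting(payload, naiveFilter)),
      survivesEncoding: containsActiveContent(renderGreeting(payload, escapeHtml)),
    };
  }
  return report;
}

console.table(evaluate());
```

Running it shows all three payloads fitting a 64-character, no-quotes injection point and surviving the blacklist, while none survives output encoding; shrinking `maxLen` to 32 rules out the nested-tag payload, which is the size constraint the message compares to a buffer overflow.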