
Re: [Full-disclosure] on xss and its technical merit



comments inlined...

On Nov 4, 2007 9:26 PM, reepex <reepex@xxxxxxxxx> wrote:
> I seemed to reply to nexxus as you were writing your original reply, which
> I've since replied to. About this email though...
>
>
> On Nov 4, 2007 3:13 PM, pdp (architect) < pdp.gnucitizen@xxxxxxxxxxxxxx>
> wrote:
> > XSS today is where buffer overflows were 10-15 years ago. Moreover, did
> > you miss when I said that 99% of all sites are vulnerable to XSS?
> > Given the percentage of available XSS vulnerabilities, what chance do you
> > think you have of finding one? Simple math! Of course it is easy. It is
> > easy for most XSS issues. However, those that really matter are not
> > easy at all. DOM based XSS is a debug hell, mainly because every time
> > you want to do something you have to deal with the remote server. This
> > is not very offline.
>
> Yes, buffer overflows were everywhere then and yes, XSS is everywhere now. But
> to say that XSS is the buffer overflow of 15 years ago is not a good
> comparison. Even if XSS evolves for 15 years, which it may, would the result
> be as damaging as even simple stack-based overflows have been? Could you
> have such mass-damage worms as overflows have caused? I know there have been
> MySpace worms (which you mention), but XSS cannot have the same effect as
> overflows on a server.
>

MySpace grew from 20 infected profiles to over 3 million in less than
24 hours. I am not very good at computer virology, but to my
knowledge, this is the fastest spreading worm ever. Today XSS worms
can be a lot more powerful. I wrote a paper on that called "For my
next trick... hacking Web2.0". Check it out if you trust my
professional input.

>
> Let's say 10000 servers are running a vuln ftpd and another 10000 are running
> the same open source web app. Which would you rather have the exploit for?
> Also, which would be more practical to attack? Assuming you have the same
> system and a good exploit you could get all 10000 ftpds, while the XSS
> on 10000 message boards would require 10000 users to view the page you attacked.
>

Well, I will go for the 10000 ftpds in general. However, it really
depends on what I am doing. As I said, these FTPDs may give you access
to the system but probably not access to the data, which to me is a lot
more interesting. In this case 10000 XSS sounds a lot more valuable.

>
> XSS just does not have the same potential as overflows do unless browsers
> develop some new technology or extend an old one to let client side
> scripting have much more control over the system.
>

They don't have the same potential yet but they can be as nasty as
buffer overflows. As I said, most of the applications people use today
are located on the Web. In this case owning their machine is
pointless. OK, you will be able to install sniffers and keyloggers but
for what? You can simply infect their profile with XSS so every time
they open the application you gain control. Isn't that the same? Hook
the victims on an XSS proxy such as Carnaval and you have a botnet. The
concepts are exactly the same. The only difference is that Web
applications are written with Web technologies, whereas bin applications
are compiled from C, or whatever language you have, sources.

So XSS for Webs is like Buffer Overflows for Bins.

>
> >
> >
> > if you want to do it right, then it is harder to get a successful XSS
> > attack. Do you know why? Because XSS involves a bit of strategy as well,
> > because it is an indirect type of attack. A single XSS attack
> > sometimes may involve several sub-XSS, each one of which calls the next
> > one in an exponential manner. By the time you reach level 5 your head
> > is so screwed up that you need to start all over again because your
> > code breaks in 50 places. JavaScript in particular is not an easy
> > language. You may think that you know it but you don't know 90% of it.
> > When it comes to scoping you get into a mess of things. Have you ever
> > done XSS on GMail? Try it! See how far you will go. Unless you have
> > some solid understanding of AJAX debugging and some nifty tools that
> > can put Google's mess back into order, you have no chance. Today
> > software hackers rely on tools such as IDA Pro or SoftICE, which is
> > discontinued but still. Check this out: there are no tools like that
> > for XSS and in particular AJAX, therefore I have to start from zero.
> > Where is my JavaScript deobfuscator? I don't have one... I have to
> > write it myself. Where is my debugger? I am stuck with Firebug for
> > Firefox... Great! How about dynamic tracing, tracking, stepping and
> > all other things on a complete black-box application where you can only
> > see the incoming and outgoing requests. At least when you have a
> > binary you know what it is. You can do it offline and you have all of
> > the parts.
> >
> > XSS can be very complicated. Don't be fooled by what people post on FD.
> >
>
>
> The problem is that if you are going to XSS 5 times deep, why can't you just
> find a client side browser bug? You are researching how to basically steal
> credentials/force requests/steal accounts when one browser or client side
> bug would make all of that unnecessary. People like the ones I mention in the
> other email will put this much time into XSS because they are incapable of
> doing the client side bugs, because they require much more skill that the ppl
> simply do not have.
>

I agree. Client side bugs require a lot more skill but they cover the
same area of expertise as XSS. For example, chrome escalation bugs are
nothing more than XSS for the browser. Check out my research on the
Firebug vuln or the Apple QuickTime QTL exploit as proof.

There are XSS script kiddies as well as Buffer Overflow script kiddies.
Just because you can find XSS does not mean that you've done something
amazing and extraordinary. It takes skill and a lot of effort to make
something out of it. But as I said before, open your mind. There is
endless potential when it comes to XSS.

BTW, it does look like an achievement when you find an XSS inside an
application that 1000 more people play with (looking for similar bugs) on
a daily basis. XSS in some small apps is stupid. XSS on the default
Google Search Interface is as valuable as a remotely exploitable buffer
overflow for Linux 2.6.x kernels (distribution independent).

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/