[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] on xss and its technical merit

To: "Joao Inacio" <jcinacio@xxxxxxxxx>
Subject: Re: [Full-disclosure] on xss and its technical merit
From: "Fredrick Diggle" <fdiggle@xxxxxxxxx>
Date: Wed, 12 Dec 2007 13:12:26 -0600

"All of the retards on the list will no doubt ask me for a secure session
management schema  but I am a firm believer that sharing  is communism so
screw you."

Did I call that or what :D

Yes you are implementing it badly. to establish session you no doubt require
authentication based on some known pieces of information (username,
password, etc). If you allow someone to establish a session or establish
themselves as part of an existing session based solely on some piece of
information (their session id) then you should not be storing that piece of
information in a freaking cookie in plain text. Would you store your user's
password in there? Yes its a vulnerability! and I repeat, I am not gonna
lecture you on how to implement it correctly. Go read a book sir.

damn communists.

YAY!

On Dec 12, 2007 12:47 PM, Joao Inacio <jcinacio@xxxxxxxxx> wrote:

> On Dec 12, 2007 6:21 PM, Fredrick Diggle <fdiggle@xxxxxxxxx> wrote:
> > What no one seems to realize is that XSS by its very nature is not a
> > vulnerability. It is a perfectly valid mechanism to aid in exploitation
> but
> > can anyone cite me an example where xss in and of itself accomplishes
> > anything? I can think of pretty much 3 examples of XSS (granted without
> > giving it much thought because lets face it it isn't worth much thought)
> >
> > 1. you are taking something from a user which is accessible from the
> > scripting language context of their browser.
> >   In this case the vulnerability is not XSS the vulnerability is either
> that
> > you (or the web browser) are storing something valuable in an insecure
> way.
> > The most obvious example of this is something like session cookies which
> if
> > your auth/session management is implemented in a secure way won't matter
> a
> > bit. It follows that the vulnerability is not XSS but instead that some
> > developer stored something valuable in a stupid way. All of the retards
> on
> > the list will no doubt ask me for a secure session management schema
>  but I
> > am a firm believer that sharing  is communism so screw you.
> >
>
> Sorry, but i can't see how having access to session cookies is
> unimportant.
> Even if nothing valuable is stored by the session management, there is
> one key factor: session cookies will grant you access to a user's
> session, unless other checks are in place (like the user's IP
> address).
> Take for example gmail - login, copy it's cookies to another browser
> and then access it from that browser - how is gmail's session
> management flawed?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] on xss and its technical merit
  - From: Fredrick Diggle
- Re: [Full-disclosure] on xss and its technical merit
  - From: Joao Inacio

Prev by Date: Re: [Full-disclosure] on xss and its technical merit
Next by Date: Re: [Full-disclosure] on xss and its technical merit
Previous by thread: Re: [Full-disclosure] on xss and its technical merit
Next by thread: Re: [Full-disclosure] on xss and its technical merit
Index(es):
- Date
- Thread