[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] on xss and its technical merit

To: Byron Sonne <blsonne@xxxxxxxxxx>
Subject: Re: [Full-disclosure] on xss and its technical merit
From: "J. Oquendo" <sil@xxxxxxxxxxxxxxx>
Date: Wed, 12 Dec 2007 13:29:21 -0500

Byron Sonne wrote:

> In terms of a technically interesting challenge, it sounds about as
> exciting as picking fights with 10 year olds. Shit man, most of this
> stuff is more about fooling people than anything. Yawn. I was bored
> tricking or weaseling passwords out of datacentre employees over the
> phone 20 years ago. Now I'm supposed to get excited 'cos some retards
> are doing it over the web?

I agree to an extent however I do know some pretty skillful people on
all sorts of levels use xss in conjuction with leveraging a network.

> A safe assumption. In fact, if it's on the web, it's a safe assumption
> it's crap anyways. Or is that Crap2.0?

What's that old adage on "assume". "Forward facing" sites can be
leveraged to disclosure other information. E.g., Write an XSS to run
commands on the system itself for say a week. Eventually you will see
signs of someone logging into said system. Construct an XSS attack to
embed the necessary tools to leverage your way into the backbone. Not
unlikely a difficult thing to do considering you managed to XSS attack
the site in the first place.

What you/we see too often on this and other mailing list is stupidity
a-la "I just XSS and popup up w00t now give me credit!" That is not what
I consider a hack I consider it stupidity. What would have impressed me
would be someone using a curl POST with a proxy, dumping binaries and
having those binaries run with the user privileges of the webserver. One
misconfigured webserver (chown -Rf root:wheel) and its a wrap.

-- 
====================================================
J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

"I hear much of people's calling out to punish the
guilty, but very few are concerned to clear the
innocent." Daniel Defoe

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] on xss and its technical merit
  - From: Jay
- Re: [Full-disclosure] on xss and its technical merit
  - From: Byron Sonne

Prev by Date: [Full-disclosure] iDefense Security Advisory 12.11.07: Microsoft Internet Explorer JavaScript setExpression Heap Corruption Vulnerability
Next by Date: [Full-disclosure] iDefense Security Advisory 12.11.07: Microsoft DirectX 7 and 8 DirectShow Stack Buffer Overflow Vulnerability
Previous by thread: Re: [Full-disclosure] on xss and its technical merit
Next by thread: Re: [Full-disclosure] on xss and its technical merit
Index(es):
- Date
- Thread