Re: [Full-disclosure] on xss and its technical merit

[Byron Sonne <blsonne@xxxxxxxxxx>]

> Its amazing the last 2 posters even have
> to time to read FD.

It's not without it's uses :)

> With all the super important super secret
> projects they must be working.

LOL

> believes XSS and XSRF as viable attack vectors
> The other side thinks its rubbish.

That's a disingenuous distortion. I happen to think they are both viable
attack vectors AND rubbish.

> the folks who are so bored <yawn> with XSS and
> CSRF can post their remarkable works and amaze
> us all.

The second I can think of, or accomplish, something that's both more
interesting than this xsscsrfbbqwtf slop and hasn't been done before, I
will. It is not easy to come up with cool new stuff or "wicked ass
shit". That's kinda my point, and why we see so much of this derivative
crap.

Now obviously there's a ton of folks around with way better resumes than
me and a far better skill set, but don't go telling me to stand in awe
of someone who found this kind of hole in some big name website. Wanting
fame and respect for XSS on stuff like Goggle is like asking for respect
'cos you lifted Paris Hilton's wallet, or jimmied the door on the back
of Microsoft's shipping warehouse.

There is nothing gloriously technical about it, there is no elegance,
only a clever trick.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/