Re: [Full-disclosure] posting xss notifications in sites vs software packages
- To: b <b@xxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] posting xss notifications in sites vs software packages
- From: Greg Knaddison <greg.knaddison@xxxxxxxxxx>
- Date: Wed, 8 Feb 2012 07:13:11 -0700
On Tue, Feb 7, 2012 at 4:18 PM, b <b@xxxxxxxxxxxxxxxxxx> wrote:
> What is the point of posting notifications of XSS vulnerabilities in
> specific web sites instead of alerts of XSS vulns in specific software
> packages?
I think there are at least 2 reasons:
1. We have pretty good data about bugs in published software packages
because those vendors will usually disclose the issues and we can
track them and know what's going on. But we don't have good data for
security bugs in completely custom code. I think it's helpful to prove
the point that custom code has security bugs too, even if we don't see
CVE numbers for it.
2. If you are a customer of one of those sites you can use the
knowledge of a bug in the site to take proactive measures like
disabling JavaScript/Flash/Java/etc. when visiting that site if you
know it has XSS. Or simply not logging in until a CSRF issue is fixed.
Regards,
Greg
--
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/