
Re: [Full-disclosure] posting xss notifications in sites vs software packages



A general question: is it legal to search for XSS vulnerabilities on
custom websites?

Julien



On 02/08/2012 04:37 PM, Packet Storm wrote:
> On Tue, Feb 07, 2012 at 06:18:24PM -0500, b wrote:
>> What is the point of posting notifications of XSS vulnerabilities in
>> specific web sites instead of alerts of xss vulns in specific software
>> packages?
>>
>> This question was prompted by all the postings by that vulnerability lab
>> stuff.
> In some cases, a cross site scripting vulnerability in a given site can 
> affect a large user base and the code is custom to the business.  As an 
> example, a cross site scripting issue in gmail is probably more catastrophic 
> than a cross site scripting vuln in some half-rate CMS.  Not to mention 
> there's the other situation where small website design shops repackage other 
> open source code, brand it as part of their offering, and never provide 
> updates to their customers.  The Internet is a mess.  $0.02
>
> -Todd
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
