mailing list archives
Re: on xss and its technical merit
From: Volker Tanger <vtlists () wyae de>
Date: Sun, 4 Nov 2007 21:01:35 +0100
On Sun, 4 Nov 2007 13:26:17 -0600
reepex <reepex () gmail com> wrote:
"we are talking about whether XSS is as technical as other security
disciplines. We are also talking about whether it should have a
deserved an recognized place among FD readers and contributers.
1) XSS isnt techincal no matter how its used
3) XSS does not have a place on this list or any other security list
and i remember when the idea of making a seperate bugtraq for xss was
proposed and i still think it should be done.
XSS is a variant on missing or lax input verification. Thus all other
forms of input-nonverification like buffer overflows or char(0)
injections or the like should be handeled similarily.
In its simplest version XSS could be used for phishing - which is bad
enough for banking or business portals. Depending on the application
other elevations might be possible through XSS like session stealing,
cmd/sql injects, etc.
Especially if such an elevated XSS was detected for a software it
definitely would have a place on security mailing lists. But it should
be more qualified than just "XSS found on ....". Just running a XSS
scanner is lame - whereas finding out all consequences and possible
attack vectors and maybe even posting a patch might be a worthwile
Volker Tanger http://www.wyae.de/volker.tanger/
vtlists () wyae de PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/