Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: on xss and its technical merit
From: reepex <reepex () gmail com>
Date: Sun, 4 Nov 2007 15:04:17 -0600

On Nov 4, 2007 2:41 PM, pdp (architect) <pdp.gnucitizen () googlemail com>
wrote:

1) XSS isnt techincal no matter how its used

Also, as buffer overflows and other attacks, which are more or less
related to them, attackers need to take into consideration the
execution flow and as such make the attack stealthier.


I agree with this on a very high level but not in actual application. Having
limited chars in a xss isnt really comparable to having limited characters
in a buffer overflow.  having A-Za-z0-9 in xss only limits what scripting
elements you can use while the same for bin exploiting makes you rely only
on opcodes and addresses in that range. Writing alpanumeric shellcode
compared to writing limited xss ( esp with the ease you can redirect to
other pages and thus not be limited at all ) is not even a close comparison
technically.

Also "controlling execution flow" of a browser which you only control
javascript or similar is no where near as challenging as having to control
the execution of a binary or even moreso a kernel after you have destroyed
much of its data and have to repair it to a usable state after.



2) people who use xss on pentests/real hacking/anything but phishing

XSS is bar far the only way to run untrusted code within the origins of a
trusted domain
without having a browser vulnerability on first place. SQL Injection
and file inclusion attacks still exists, I deal with them on a daily
basis, but the attack surface is largely mitigated by various types of
frameworks which power most of the modern applications. However, why
do you need SQL Injection when you can perform the needed action on
behalf of the user by using XSS? It is safer and a lot stealthier. If
you want to change someones details or want to get some data out, XSS
is completely valid type of attack.


With software (bin) vulns you arent only relying on a user or browser or
anything. you have vulnerabilities in the server software or perimeter
devices so you are cutting out any "user interaction" ( which is a very
important thing ), but maybe i am caring too much about your wording of "bar
far the only".

also with xss you are limited to the tasks that web application can do
unlike full control of the server which allows you to do whatever you want
and allows for much deeper penetration into the network.



the people I've seen who use XSS today, have a vast background on
traditional attack techniques. though, their number is very small
mainly because the topic hasn't reached the level of maturity as other
topics already have.


We must know different people because the people i know that tout xss are
people that found out about xss and sql injection and have never moved on
and consider themselves 'security professionals'


Not true. If you don't know, XSS is a top priority today. It is
present on almost all websites/application. I am not sure who you are
working for and whether you are doing any pentesting but I can tell
you something: people are interested in XSS and they are afraid of it.
I must say that there is a huge gap of knowledge and understandings
that needs to be filled but the situation is getting better with every
single day. Today, companies are interested in Web2.0. They are
interested of the impact this technology will have on their
organization. There are numerous of things corporate people worry
about when it comes to it. XSS is one of them.


 ok and this is a technical debate not about people getting ripped off which
is what businesses care about.  just because xss affects businesses alot
does not make it anymore technical or worthwhile to 'research'



I used to rate XSS as low sometimes as medium risk two years ago.
Today, if they are unauthenticated, I rate them as HIGH. Why? Open
your eyes. XSS is not only about getting the victim running some code.
There are a number of things you can do. Do you know that if CNN has
XSS on their site and I manage to inject some google adds and kind of
spread around the vector on a couple of bookmarking sites, I can make
tones of money. Think about it.

 a) CNN is a very important site.
 b) Add Clicks will cost more.
 c) Social bookmarking is a way of life (look at DIGG)
 d) Social bookmarking sites can be spammed (research OnlyWire)

You have all the components of a successful attack. What about forging
stories? Or performing Black PR? Or maybe even Black SEO? The limit is
only your imagination. Unfortunately, some people lack the imagination
so others have to show them the way.


Everything you listed is related (loosely) to phishing, scamming,fraud, etc
not to anything technical or groundbreaking.  While things like hijacking
adsense may be interesting ( which they are ), they do not require technical
feats to accomplish. its simple techniques which any script kiddie can
accomplish.




5) publishing xss shows your weakness and that you dont have the

publishing XSS makes you look stupid as well publishing a DoS cuz you
haven't investigated enough to see whether and how your findings can
be exploited.


we agree!!



reepex, I am sorry but all your statements are groundless. I was
expecting something more from you, especially after we exchanged a few
private emails. sometimes, I get the feeling that you actually know
what you are talking about. you definitely know a few things but
c'mon, really... give me something juicy...


Yea after reading my original thing i admit it was pretty weak. i hope i
fixed it up here.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault