Full Disclosure: Re: posting xss notifications in sites vs software packages

[Info <info () inshell net>]

A general question: is it legal to search for XSS vulnerabilities on
custom websites ?

Julien



On 02/08/2012 04:37 PM, Packet Storm wrote:
> On Tue, Feb 07, 2012 at 06:18:24PM -0500, b wrote:
> > What is the point of posting notifications of XSS vulnerabilities in
> > specific web sites instead of alerts of xss vulns in specific software
> > packages?
> >
> > This question was prompted by all the postings by that vulnerability lab
> > stuff.
> In some cases, a cross site scripting vulnerability in a given site can affect a large user base and the code is 
> custom to the business.  As an example, a cross site scripting issue in gmail is probably more catastrophic than a 
> cross site scripting vuln in some half-rate CMS.  Not to mention there's the other situation where small website 
> design shops repackage other open source code, brand it as part of their offering, and never provide updates to their 
> customers.  The Internet is a mess.  $0.02
>
> -Todd
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/