Re: on xss and its technical merit

[reepex <reepex () gmail com>]

after the last email where they asked for a resume i did not feel like
making up a fake resume like i made a fake company so I ignored them... only
3 days later simon sends this email begging me to stay in contact and work
him

I think snosoft but be in serious trouble if they look to merge with
companies and hire employees based on troll posts from FD

On Nov 5, 2007 10:59 AM, Simon Smith <simon () snosoft com> wrote:

> Thought you were interested in contract work?
>
> reepex wrote:
> > you see you are arguing how useful xss can be for an attacker, but the
> > point of this argument is
> >
> > 1) how hard is it find xss in applications
> > 2) how hard it is to successfully exploit the vulnerability
> >
> > compared to other vulnerabilities xss is way down on the scale
> >
> > i also believe this is what pdp wanted to argue as he believes xss is on
> > the same scale as other bugs following 1 and 2
> >
> > On Nov 4, 2007 2:28 PM, < nexus () playhack net
> > <mailto:nexus () playhack net>> wrote:
> >
> > reepex wrote:
> > > 1) XSS isnt techincal no matter how its used
> > I totally disagree with you.. isn't technical for those who cannot
> > realize how much powerful can be a xss, especially if persistent.
> >
> > > 2) people who use xss on pentests/real hacking/anything but
> > phishing are
> > > lame and only use it because they cannot write real exploits
> > (non-web) or
> > > couldnt find any other web bugs (sql injection, cmd exec,file
> > include,
> > > whatever)
> > Imho the pentesting will move day by day closer to web applications
> > flaws testing, since the web applications are self written by webmasters
> > and more exposed to possible bugs. Concerning sql inj or rfi are not
> > more difficult to be discovered..
> >
> > > 3) XSS does not have a place on this list or any other security
> > list and i
> > > remember when the idea of making a seperate bugtraq for xss was
> > proposed and
> > > i still think it should be done.
> > Dunno about that, even if i agree that all the xss flaws found should
> > not be reported here, they would be too much.
> >
> > > 4) if you go into a pentest/audit and all you get out is xss then
> > its a
> > > failed pentest and the customer should get a refund.
> > I don't agree with this too for the same reasons as before.
> >
> > > 5) publishing xss shows your weakness and that you dont have the
> > ability to
> > > find actual bugs ( b/c xss isnt a vuln its crap )
> > Imho a xss is a vuln as much as the others, since if used smartly could
> > get quite dangerous.
> >
> > Reading a report from zone-h i read that the most effective hacking
> > cause it's the xss.. i don't know if i shall agree with this, but
> > obviously it should make us think about it.
> >
> > bye
> >
> > /nexus
>
> > ------------------------------------------------------------------------
>
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> --
>
> - simon
>
> ----------------------
> http://www.snosoft.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/