On Nov 4, 2007 2:41 PM, pdp (architect) <[EMAIL PROTECTED]> wrote:

> 1) XSS isn't technical no matter how it's used
>
> Also, as buffer overflows and other attacks, which are more or less
> related to them, attackers need to take into consideration the
> execution flow and as such make the attack stealthier.

I agree with this on a very high level but not in actual application. Having limited chars in an XSS isn't really comparable to having limited characters in a buffer overflow. Having A-Za-z0-9 in XSS only limits what scripting elements you can use, while the same for bin exploiting makes you rely only on opcodes and addresses in that range. Writing alphanumeric shellcode compared to writing limited XSS (esp. with the ease you can redirect to other pages and thus not be limited at all) is not even a close comparison technically. Also "controlling execution flow" of a browser, where you only control JavaScript or similar, is nowhere near as challenging as having to control the execution of a binary, or even more so a kernel, after you have destroyed much of its data and have to repair it to a usable state afterwards.

> 2) people who use XSS on pentests/real hacking/anything but phishing
>
> XSS is by far the only way to run untrusted code within the origins of a
> trusted domain without having a browser vulnerability in the first place. SQL Injection
> and file inclusion attacks still exist, I deal with them on a daily
> basis, but the attack surface is largely mitigated by various types of
> frameworks which power most of the modern applications. However, why
> do you need SQL Injection when you can perform the needed action on
> behalf of the user by using XSS? It is safer and a lot stealthier. If
> you want to change someone's details or want to get some data out, XSS
> is a completely valid type of attack.

With software (bin) vulns you aren't only relying on a user or browser or anything. You have vulnerabilities in the server software or perimeter devices, so you are cutting out any "user interaction" (which is a very important thing), but maybe I am caring too much about your wording of "by far the only".

Also with XSS you are limited to the tasks that web application can do, unlike full control of the server, which allows you to do whatever you want and allows for much deeper penetration into the network.

> the people I've seen who use XSS today have a vast background in
> traditional attack techniques. Though, their number is very small,
> mainly because the topic hasn't reached the level of maturity that other
> topics already have.

We must know different people, because the people I know that tout XSS are people that found out about XSS and SQL injection and have never moved on, and consider themselves 'security professionals'.

> Not true. If you don't know, XSS is a top priority today. It is
> present on almost all websites/applications. I am not sure who you are
> working for and whether you are doing any pentesting but I can tell
> you something: people are interested in XSS and they are afraid of it.
> I must say that there is a huge gap of knowledge and understanding
> that needs to be filled, but the situation is getting better with every
> single day. Today, companies are interested in Web2.0. They are
> interested in the impact this technology will have on their
> organization. There are numerous things corporate people worry
> about when it comes to it. XSS is one of them.

OK, and this is a technical debate, not about people getting ripped off, which is what businesses care about. Just because XSS affects businesses a lot does not make it any more technical or worthwhile to 'research'.

> I used to rate XSS as low, sometimes as medium risk two years ago.
> Today, if they are unauthenticated, I rate them as HIGH. Why? Open
> your eyes. XSS is not only about getting the victim running some code.
> There are a number of things you can do. Do you know that if CNN has
> XSS on their site and I manage to inject some Google ads and kind of
> spread around the vector on a couple of bookmarking sites, I can make
> tons of money. Think about it.
>
> a) CNN is a very important site.
> b) Ad clicks will cost more.
> c) Social bookmarking is a way of life (look at DIGG)
> d) Social bookmarking sites can be spammed (research OnlyWire)
>
> You have all the components of a successful attack. What about forging
> stories? Or performing Black PR? Or maybe even Black SEO? The limit is
> only your imagination. Unfortunately, some people lack the imagination
> so others have to show them the way.

Everything you listed is related (loosely) to phishing, scamming, fraud, etc., not to anything technical or groundbreaking. While things like hijacking AdSense may be interesting (which they are), they do not require technical feats to accomplish. They're simple techniques which any script kiddie can accomplish.

> 5) publishing XSS shows your weakness and that you don't have the
>
> publishing XSS makes you look stupid, as well as publishing a DoS cuz you
> haven't investigated enough to see whether and how your findings can
> be exploited.

We agree!!

> reepex, I am sorry but all your statements are groundless. I was
> expecting something more from you, especially after we exchanged a few
> private emails. Sometimes I get the feeling that you actually know
> what you are talking about. You definitely know a few things but
> c'mon, really... give me something juicy...

Yeah, after reading my original thing I admit it was pretty weak. I hope I fixed it up here.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/