Re: [Full-disclosure] on xss and its technical merit

2007-12-13 Thread Jay
<script>alert('YAY!')</script> - Original Message - From: Fredrick Diggle [mailto:[EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: full-disclosure@lists.grok.org.uk Sent: Wed, 12 Dec 2007 13:17:18 -0600 Subject: Re: [Full-disclosure] on xss and its technical merit Thank you info sec guru for your

Re: [Full-disclosure] on xss and its technical merit

2007-12-13 Thread Byron Sonne
Naysayers of XSS want some elegant exciting actions. It's not. It's a case of not sanitizing input that allows arbitrary code to be executed. Simple things like umm secure coding, url scan, mod_security, noscript could combat this easily. That is probably the largest part of what makes it such

Re: [Full-disclosure] on xss and its technical merit

2007-12-13 Thread Fredrick Diggle
Dec 2007 12:21:14 -0600 Subject: Re: [Full-disclosure] on xss and its technical merit What no one seems to realize is that XSS by its very nature is not a vulnerability. It is a perfectly valid mechanism to aid in exploitation but can anyone cite me an example where xss in and of itself

Re: [Full-disclosure] on xss and its technical merit

2007-12-13 Thread Fredrick Diggle
[mailto: [EMAIL PROTECTED] To: full-disclosure@lists.grok.org.uk Sent: Wed, 12 Dec 2007 12:21:14 -0600 Subject: Re: [Full-disclosure] on xss and its technical merit What no one seems to realize is that XSS by its very nature is not a vulnerability. It is a perfectly valid

Re: [Full-disclosure] on xss and its technical merit

2007-12-13 Thread Morning Wood
4. use xss to IFRAME or otherwise leverage a client exploit imho this is by far worse than any of the other vectors mentioned ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by

Re: [Full-disclosure] on xss and its technical merit

2007-12-13 Thread Fredrick Diggle
WRONG! Once again xss is not the exploit it is just the delivery mechanism. You aren't doing anything here that you couldn't also do by posting the exploit on your damn live journal right next to the paris hilton video. Did you end up paying damages? YAY! On Dec 13, 2007 11:46 AM, Morning Wood

Re: [Full-disclosure] on xss and its technical merit

2007-12-12 Thread coderman
so who won? can we argue about CSRF yet? perhaps an interlude with 0day or !0day moderated by Gadi... On Nov 5, 2007 12:00 AM, pdp (architect) [EMAIL PROTECTED] wrote: comments inlined hey look i top posted pdp we are not talking about whether XSS is suitable for all kinds of pdp attacks.

Re: [Full-disclosure] on xss and its technical merit

2007-12-12 Thread Byron Sonne
coderman wrote: so perhaps xss should be discussed much less is the only concrete thing we all agree on? FTW It's pretty obvious that finding XSS has a low entrance barrier; this explains its popularity. It's just not very impressive. At the same time, if finding an xss gets some kid

Re: [Full-disclosure] on xss and its technical merit

2007-12-12 Thread Jay
, 12 Dec 2007 09:48:07 -0500 Subject: Re: [Full-disclosure] on xss and its technical merit coderman wrote: so perhaps xss should be discussed much less is the only concrete thing we all agree on? FTW It's pretty obvious that finding XSS has a low entrance barrier; this explains its popularity

Re: [Full-disclosure] on xss and its technical merit

2007-12-12 Thread Fredrick Diggle
-disclosure_at_lists.grok.org.uk Sent: Wed, 12 Dec 2007 09:48:07 -0500 Subject: Re: [Full-disclosure] on xss and its technical merit coderman wrote: * so perhaps xss should be discussed much less is the only * * concrete thing we all agree on? * FTW It's pretty obvious that finding XSS has a low entrance barrier

Re: [Full-disclosure] on xss and its technical merit

2007-12-12 Thread Jay
their remarkable works and amaze us all. Jay - Original Message - From: Fredrick Diggle [mailto:[EMAIL PROTECTED] To: full-disclosure@lists.grok.org.uk Sent: Wed, 12 Dec 2007 12:21:14 -0600 Subject: Re: [Full-disclosure] on xss and its technical merit What no one seems to realize

Re: [Full-disclosure] on xss and its technical merit

2007-12-12 Thread Fredrick Diggle
All of the retards on the list will no doubt ask me for a secure session management schema but I am a firm believer that sharing is communism so screw you. Did I call that or what :D Yes you are implementing it badly. to establish session you no doubt require authentication based on some known

Re: [Full-disclosure] on xss and its technical merit

2007-12-12 Thread J. Oquendo
Byron Sonne wrote: In terms of a technically interesting challenge, it sounds about as exciting as picking fights with 10 year olds. Shit man, most of this stuff is more about fooling people than anything. Yawn. I was bored tricking or weaseling passwords out of datacentre employees over the

Re: [Full-disclosure] on xss and its technical merit

2007-12-12 Thread Byron Sonne
It's amazing the last 2 posters even have the time to read FD. It's not without its uses :) With all the super important super secret projects they must be working. LOL believes XSS and XSRF as viable attack vectors The other side thinks it's rubbish. That's a disingenuous distortion. I

Re: [Full-disclosure] on xss and its technical merit

2007-12-12 Thread Valdis . Kletnieks
On Wed, 12 Dec 2007 15:23:15 EST, Byron Sonne said: That's a disingenuous distortion. I happen to think they are both viable attack vectors AND rubbish. The sad part is that in so many cases, total rubbish is a viable attack vector. I'm ambivalent on whether the preceding sentence needs a

Re: [Full-disclosure] on xss and its technical merit

2007-12-09 Thread reepex
after the last email where they asked for a resume i did not feel like making up a fake resume like i made a fake company so I ignored them... only 3 days later simon sends this email begging me to stay in contact and work him I think snosoft but be in serious trouble if they look to merge with

Re: [Full-disclosure] on xss and its technical merit

2007-11-05 Thread pdp (architect)
comments inlined On Nov 5, 2007 12:07 AM, reepex [EMAIL PROTECTED] wrote: On Nov 4, 2007 4:43 PM, pdp (architect) [EMAIL PROTECTED] wrote: lets say 1 servers are running a vuln ftpd and another 1 are running the same open source web app. Which would you rather have the

Re: [Full-disclosure] on xss and its technical merit

2007-11-05 Thread pdp (architect)
via BlackBerry from T-Mobile -Original Message- From: reepex [EMAIL PROTECTED] Date: Sun, 4 Nov 2007 13:26:17 To:full-disclosure@lists.grok.org.uk, pdp (architect) [EMAIL PROTECTED] Subject: [Full-disclosure] on xss and its technical merit Pdp architect

Re: [Full-disclosure] on xss and its technical merit

2007-11-05 Thread pdp (architect)
comments inlined On Nov 4, 2007 8:01 PM, Volker Tanger [EMAIL PROTECTED] wrote: Greetings! On Sun, 4 Nov 2007 13:26:17 -0600 reepex [EMAIL PROTECTED] wrote: we are talking about whether XSS is as technical as other security disciplines. We are also talking about whether it should have a

Re: [Full-disclosure] on xss and its technical merit

2007-11-05 Thread nate . mcfeters
-Mobile -Original Message- From: reepex [EMAIL PROTECTED] Date: Sun, 4 Nov 2007 18:11:50 To:pdp (architect) [EMAIL PROTECTED], full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] on xss and its technical merit you see i do not agree with this because you are relying on other

Re: [Full-disclosure] on xss and its technical merit

2007-11-05 Thread Eric Rachner
, 2007 2:26 PM To: full-disclosure@lists.grok.org.uk; pdp (architect) Subject: [Full-disclosure] on xss and its technical merit Pdp architect and I have been emailing back and forth about whether xss has a place in fd, bugtraq, or the security research area at all. He decided that we should start

[Full-disclosure] on xss and its technical merit

2007-11-04 Thread reepex
Pdp architect and I have been emailing back and forth about whether xss has a place in fd, bugtraq, or the security research area at all. He decided that we should start a discussion about it on here and get people's unmoderated opinion. This discussion should not concern whether it's important

Re: [Full-disclosure] [full-disclosure] on xss and its technical merit

2007-11-04 Thread gjgowey
My thoughts are that if I take my car to Ford for maintenance then I don't want them to not put down that a bulb burnt out because it's lame. It's often the little problems that lead to far bigger problems later. Evaluating if something should be reported or not based on lameness is

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread Volker Tanger
Greetings! On Sun, 4 Nov 2007 13:26:17 -0600 reepex [EMAIL PROTECTED] wrote: we are talking about whether XSS is as technical as other security disciplines. We are also talking about whether it should have a deserved and recognized place among FD readers and contributors. [...] 1) XSS isn't

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread reepex
On Nov 4, 2007 2:41 PM, pdp (architect) [EMAIL PROTECTED] wrote: 1) XSS isn't technical no matter how it's used Also, as buffer overflows and other attacks, which are more or less related to them, attackers need to take into consideration the execution flow and as such make the attack

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread reepex
i seemed to reply to nexxus as you were writing your original reply which I've since replied to. about this email though... On Nov 4, 2007 3:13 PM, pdp (architect) [EMAIL PROTECTED] wrote: XSS today is where buffer overflows were 10-15 years ago. Moreover, did you miss when I said that 99% of

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread pdp (architect)
thanks reepex for starting the discussion. it will be really great if we can get more people involved into this. it seems that there is a lot of confusion on the merits of XSS. I hope that we can answer all of your questions once and for all. 1) XSS isn't technical no matter how it's used XSS can

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread pdp (architect)
ok... so you are rejecting my well put arguments... no problem 1) how hard is it to find xss in applications How hard was it to find stack overflows in 1990 or even before that? 'A' x 1 or 'A' * 1 and then check the EIP for 0x41414141... great trick! I was still a kid when people were

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread nate . mcfeters
from T-Mobile -Original Message- From: reepex [EMAIL PROTECTED] Date: Sun, 4 Nov 2007 13:26:17 To:full-disclosure@lists.grok.org.uk, pdp (architect) [EMAIL PROTECTED] Subject: [Full-disclosure] on xss and its technical merit Pdp architect and I have been emailing back and forth about

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread Dude VanWinkle
On 11/4/07, reepex [EMAIL PROTECTED] wrote: On Nov 4, 2007 3:13 PM, pdp (architect) [EMAIL PROTECTED] wrote: This is not very offline. So you are taking peoples offline conversations and posting them against their wishes? Are you trying to make a name for yourself by saying look this

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread pdp (architect)
comments inlined... On Nov 4, 2007 9:26 PM, reepex [EMAIL PROTECTED] wrote: i seemed to reply to nexxus as you were writing your original reply which I've since replied to. about this email though... On Nov 4, 2007 3:13 PM, pdp (architect) [EMAIL PROTECTED] wrote: XSS today is where

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread pdp (architect)
dude, are you a bot? cuz you answer like a bot.. completely out of context and without any sort of sense... listen English is not my first language either but at least I am trying. I would suggest to go back and re-read the email over and over again until you understand the meaning. On Nov 4, 2007

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread pdp (architect)
as valid as well. Nate Sent via BlackBerry from T-Mobile -Original Message- From: reepex [EMAIL PROTECTED] Date: Sun, 4 Nov 2007 13:26:17 To:full-disclosure@lists.grok.org.uk, pdp (architect) [EMAIL PROTECTED] Subject: [Full-disclosure] on xss and its technical merit Pdp

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread reepex
wow you are an idiot. could you please stay off this discussion. we wanted valid (professional) opinions not your retarded comments. On Nov 4, 2007 5:07 PM, Dude VanWinkle [EMAIL PROTECTED] wrote: On 11/4/07, reepex [EMAIL PROTECTED] wrote: On Nov 4, 2007 3:13 PM, pdp (architect) [EMAIL

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread reepex
On Nov 4, 2007 4:43 PM, pdp (architect) [EMAIL PROTECTED] wrote: lets say 1 servers are running a vuln ftpd and another 1 are running the same open source web app. Which would you rather have the exploit for? also which would be more practical to attack? assuming you have the

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread reepex
(architect) [EMAIL PROTECTED] Subject: [Full-disclosure] on xss and its technical merit Pdp architect and I have been emailing back and forth about whether xss has a place in fd, bugtraq, or the security research area at all. He decided that we should start a discussion about it on here

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread pdp (architect)
comments inlined! I have to cuz you inlined yours On Nov 4, 2007 9:04 PM, reepex [EMAIL PROTECTED] wrote: On Nov 4, 2007 2:41 PM, pdp (architect) [EMAIL PROTECTED] wrote: 1) XSS isn't technical no matter how it's used Also, as buffer overflows and other attacks, which are more or less

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread crazy frog crazy frog
plz consider reading n3d3v agenda before replying to his mails. On 11/5/07, pdp (architect) [EMAIL PROTECTED] wrote: comments inlined! I have to cuz you inlined yours On Nov 4, 2007 9:04 PM, reepex [EMAIL PROTECTED] wrote: On Nov 4, 2007 2:41 PM, pdp (architect) [EMAIL PROTECTED] wrote: