scriptalert('YAY!')/script
- Original Message -
From: Fredrick Diggle [mailto:[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Wed, 12 Dec 2007 13:17:18 -0600
Subject: Re: [Full-disclosure] on xss and its technical merit
Thank you info sec guru for your
Naysayers of XSS want some elegant exciting actions.
Its not. Its a case of not sanitizing input that allows
arbitrary code to be executed. Simple things like umm
secure coding, url scan, mod_security, noscript could
combat this easily.
That is probably the largest part of what makes it such
Dec 2007 12:21:14 -0600
Subject: Re: [Full-disclosure] on xss and its technical merit
What no one seems to realize is that XSS by its very nature is not a
vulnerability. It is a perfectly valid mechanism to aid in exploitation
but
can anyone cite me an example where xss in and of itself
[mailto: [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Wed, 12 Dec 2007 12:21:14 -0600
Subject: Re: [Full-disclosure] on xss and its technical merit
What no one seems to realize is that XSS by its very nature is not a
vulnerability. It is a perfectly valid
4. use xss to IFRAME or otherwise leverage a client exploit
imho this is by far worse than any of the other vectors mentioned
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by
WRONG! Once again xss is not the exploit it is just the delivery mechanism.
You aren't doing anything here that you couldn't also do by posting the
exploit on your damn live journal right next to the paris hilton video.
Did you end up paying damages?
YAY!
On Dec 13, 2007 11:46 AM, Morning Wood
so who won? can we argue about CSRF yet? perhaps an interlude with
0day or !0day moderated by Gadi...
On Nov 5, 2007 12:00 AM, pdp (architect) [EMAIL PROTECTED] wrote:
comments inlined
hey look i top posted
pdp we are not talking about whether XSS is suitable for all kinds of
pdp attacks.
coderman wrote:
so perhaps xss should be discussed much less is the only
concrete thing we all agree on?
FTW
It's pretty obvious that finding XSS has a low entrance barrier; this
explains its popularity. It's just not very impressive. At the same
time, if finding an xss gets some kid
, 12 Dec 2007 09:48:07 -0500
Subject: Re: [Full-disclosure] on xss and its technical merit
coderman wrote:
so perhaps xss should be discussed much less is the only
concrete thing we all agree on?
FTW
It's pretty obvious that finding XSS has a low entrance barrier; this
explains its popularity
-disclosure_at_lists.grok.org.uk
Sent: Wed, 12 Dec 2007 09:48:07 -0500
Subject: Re: [Full-disclosure] on xss and its technical merit
coderman wrote:
* so perhaps xss should be discussed much less is the only *
* concrete thing we all agree on? *
FTW
It's pretty obvious that finding XSS has a low entrance barrier
their remarkable works and amaze us all.
Jay
- Original Message -
From: Fredrick Diggle [mailto:[EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Wed, 12 Dec 2007 12:21:14 -0600
Subject: Re: [Full-disclosure] on xss and its technical merit
What no one seems to realize
All of the retards on the list will no doubt ask me for a secure session
management schema but I am a firm believer that sharing is communism so
screw you.
Did I call that or what :D
Yes you are implementing it badly. to establish session you no doubt require
authentication based on some known
Byron Sonne wrote:
In terms of a technically interesting challenge, it sounds about as
exciting as picking fights with 10 year olds. Shit man, most of this
stuff is more about fooling people than anything. Yawn. I was bored
tricking or weaseling passwords out of datacentre employees over the
Its amazing the last 2 posters even have
to time to read FD.
It's not without it's uses :)
With all the super important super secret
projects they must be working.
LOL
believes XSS and XSRF as viable attack vectors
The other side thinks its rubbish.
That's a disingenuous distortion. I
On Wed, 12 Dec 2007 15:23:15 EST, Byron Sonne said:
That's a disingenuous distortion. I happen to think they are both viable
attack vectors AND rubbish.
The sad part is that in so many cases, total rubbish is a viable attack vector.
I'm ambivalent on whether the preceding sentence needs a
after the last email where they asked for a resume i did not feel like
making up a fake resume like i made a fake company so I ignored them... only
3 days later simon sends this email begging me to stay in contact and work
him
I think snosoft but be in serious trouble if they look to merge with
comments inlined
On Nov 5, 2007 12:07 AM, reepex [EMAIL PROTECTED] wrote:
On Nov 4, 2007 4:43 PM, pdp (architect) [EMAIL PROTECTED]
wrote:
lets say 1 servers are running a vuln ftpd and another 1 are
running
the same open source web app. Which would you rather have the
via BlackBerry from T-Mobile
-Original Message-
From: reepex [EMAIL PROTECTED]
Date: Sun, 4 Nov 2007 13:26:17
To:full-disclosure@lists.grok.org.uk, pdp (architect)
[EMAIL PROTECTED]
Subject: [Full-disclosure] on xss and its technical merit
Pdp architect
comments inlined
On Nov 4, 2007 8:01 PM, Volker Tanger [EMAIL PROTECTED] wrote:
Greetings!
On Sun, 4 Nov 2007 13:26:17 -0600
reepex [EMAIL PROTECTED] wrote:
we are talking about whether XSS is as technical as other security
disciplines. We are also talking about whether it should have a
-Mobile
-Original Message-
From: reepex [EMAIL PROTECTED]
Date: Sun, 4 Nov 2007 18:11:50
To:pdp (architect) [EMAIL PROTECTED], full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] on xss and its technical merit
you see i do not agree with this because you are relying on other
, 2007 2:26 PM
To: full-disclosure@lists.grok.org.uk; pdp (architect)
Subject: [Full-disclosure] on xss and its technical merit
Pdp architect and I have been emailing back and forth about whether xss has
a place in fd, bugtraq, or the security research area at all. He decided
that we should start
Pdp architect and I have been emailing back and forth about whether xss has
a place in fd, bugtraq, or the security research area at all. He decided
that we should start a discussion about in on here and gets peoples
unmoderated opinion. This discussion should not concern whether its
important
My thoughts are that if I take my car to Ford for maintenance then I don't want
them to not put down that a bulb burnt out because it's lame. It's often the
little problems that lead to far bigger problems later. Evaluating if
something should be reported or not based on lameness is
Greetings!
On Sun, 4 Nov 2007 13:26:17 -0600
reepex [EMAIL PROTECTED] wrote:
we are talking about whether XSS is as technical as other security
disciplines. We are also talking about whether it should have a
deserved an recognized place among FD readers and contributers.
[...]
1) XSS isnt
On Nov 4, 2007 2:41 PM, pdp (architect) [EMAIL PROTECTED]
wrote:
1) XSS isnt techincal no matter how its used
Also, as buffer overflows and other attacks, which are more or less
related to them, attackers need to take into consideration the
execution flow and as such make the attack
i seemed to reply to nexxus as you were writing your original reply which
ive since replied to. about this email though...
On Nov 4, 2007 3:13 PM, pdp (architect) [EMAIL PROTECTED]
wrote:
XSS today is where buffer overflows were 10-15 year ago. Moreover, did
you missed when I said that 99% of
thanks reepex for starting the discussion. it will be really great if
we can get more people involved into this. it seams that there is a
lot of confusion on the merits of XSS. I hope that we can answer all
of your questions once and for all.
1) XSS isnt techincal no matter how its used
XSS can
ok... so you are rejecting my well put arguments... no problem
1) how hard is it find xss in applications
How hard was to find stack overflows in 1990 or even before that? 'A'
x 1 or 'A' * 1 and then check the EIP for
0x41414141... great trick! I was still a kid when people were
from T-Mobile
-Original Message-
From: reepex [EMAIL PROTECTED]
Date: Sun, 4 Nov 2007 13:26:17
To:full-disclosure@lists.grok.org.uk, pdp (architect) [EMAIL PROTECTED]
Subject: [Full-disclosure] on xss and its technical merit
Pdp architect and I have been emailing back and forth about
On 11/4/07, reepex [EMAIL PROTECTED] wrote:
On Nov 4, 2007 3:13 PM, pdp (architect) [EMAIL PROTECTED]
wrote:
This
is not very offline.
So you are taking peoples offline conversations and posting them
against their wishes?
Are you trying to make a name for yourself by saying look this
comments inlined...
On Nov 4, 2007 9:26 PM, reepex [EMAIL PROTECTED] wrote:
i seemed to reply to nexxus as you were writing your original reply which
ive since replied to. about this email though...
On Nov 4, 2007 3:13 PM, pdp (architect) [EMAIL PROTECTED]
wrote:
XSS today is where
dude, are you a bot? cuz you answer like a bot.. completely out of
context and without any sort of sense... listen English is not my
first language either but at least I am trying. I would suggest to go
back an re-read the email over and over again until you understand the
meaning.
On Nov 4, 2007
as valid as well.
Nate
Sent via BlackBerry from T-Mobile
-Original Message-
From: reepex [EMAIL PROTECTED]
Date: Sun, 4 Nov 2007 13:26:17
To:full-disclosure@lists.grok.org.uk, pdp (architect) [EMAIL PROTECTED]
Subject: [Full-disclosure] on xss and its technical merit
Pdp
wow you are an idiot. could you please stay off this discussion. we wanted
valid (professional) opinions not your retarded comments.
On Nov 4, 2007 5:07 PM, Dude VanWinkle [EMAIL PROTECTED] wrote:
On 11/4/07, reepex [EMAIL PROTECTED] wrote:
On Nov 4, 2007 3:13 PM, pdp (architect) [EMAIL
On Nov 4, 2007 4:43 PM, pdp (architect) [EMAIL PROTECTED]
wrote:
lets say 1 servers are running a vuln ftpd and another 1 are
running
the same open source web app. Which would you rather have the explot
for?
also which would be more practical to attack? assuming you have the
(architect)
[EMAIL PROTECTED]
Subject: [Full-disclosure] on xss and its technical merit
Pdp architect and I have been emailing back and forth about whether xss
has a place in fd, bugtraq, or the security research area at all. He decided
that we should start a discussion about in on here
comments inlined! I have to cuz you inlined yours
On Nov 4, 2007 9:04 PM, reepex [EMAIL PROTECTED] wrote:
On Nov 4, 2007 2:41 PM, pdp (architect) [EMAIL PROTECTED]
wrote:
1) XSS isnt techincal no matter how its used
Also, as buffer overflows and other attacks, which are more or less
plz consider reading n3d3v agenda before replaying to his mails.
On 11/5/07, pdp (architect) [EMAIL PROTECTED] wrote:
comments inlined! I have to cuz you inlined yours
On Nov 4, 2007 9:04 PM, reepex [EMAIL PROTECTED] wrote:
On Nov 4, 2007 2:41 PM, pdp (architect) [EMAIL PROTECTED]
wrote:
38 matches
Mail list logo