Bugtraq mailing list archives
Re: On product vulnerability history and vulnerability complexity
From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 4 Apr 2006 11:11:45 -0400 (EDT)
On Tue, 4 Apr 2006, Javor Ninov wrote:
So you mean that XSS is not trivial and difficult to spot ? For today code XSS is unacceptable and speaks very [poorly] for the author.
A lot of XSS might be "lame," but some of it is rather interesting and complex. Our terminology might not be precise enough to capture this, but not all XSS is created equal, and that should be accounted for in trying to measure how well a product has been designed and implemented. I think it's perfectly understandable if a vendor doesn't realize that this input: <script< will bypass their regexp that strips out anything between a "<" and ">", but it can still be rendered by browsers that automatically treat the second "<" as if it is the closing ">" Or this input: java script:alert('hi') which, despite having a CRLF right in the middle of a special keyword, can still be processed. Or, as was recently discussed in a paper announced to this list, by whitelisting just "<b>" tags using PHP's strip_tags() function, then this will work: <b onmouseover="badstuff">hello</b> Or the DOM-based XSS attacks where there are no syntactic clues to the issue, at least not in the usual places... If you look at a number of the XSS issues in popular web mail services, many of them involve non-standard browser behaviors. - Steve
Current thread:
- Re: On product vulnerability history and vulnerability complexity Crispin Cowan (Apr 03)
- Re: On product vulnerability history and vulnerability complexity Gadi Evron (Apr 03)
- Re: On product vulnerability history and vulnerability complexity Steven M. Christey (Apr 03)
- Re: On product vulnerability history and vulnerability complexity Javor Ninov (Apr 04)
- Re: On product vulnerability history and vulnerability complexity Steven M. Christey (Apr 04)
- Re: On product vulnerability history and vulnerability complexity ArkanoiD (Apr 03)
- Re: On product vulnerability history and vulnerability complexity Forrest J. Cavalier III (Apr 03)
- Re: On product vulnerability history and vulnerability complexity Gadi Evron (Apr 04)
- Re: On product vulnerability history and vulnerability complexity Gadi Evron (Apr 03)