Full Disclosure mailing list archives

Re: Re: New Web Vulnerability - Cross-Site Tracing


From: Michal Zalewski <lcamtuf () ghettot org>
Date: Fri, 24 Jan 2003 00:40:00 -0800 (PST)

On Thu, 23 Jan 2003, Steven M. Christey wrote:

> I think it's an important stat because *if* XSS becomes widely
> exploited, then it could pose a significant threat.

I hate to state the (seemingly) obvious, but... I think this is not the
reason why this discussion started in the first place. In my personal
opinion, XSS attacks are not going to become widely exploited to abuse
credentials any time soon, and there are a number of factors that have been
repeated over and over again; the most obvious reason is that attacks with
complex prerequisites that will affect only a very small percentage of the
population are just not a "good sell". On the other hand, downplaying an
issue is generally a very short-sighted practice in this industry, and the
problem of XSS is a legitimate one, even if it does not have a high
profile today, or is not likely to gain such a profile in the foreseeable
future. I don't think that the profile of the vulnerability itself is what
causes people to so often have such strong and negative feelings about the
issue. I've released several papers on issues no one expected to become a
practical attack vector as long as there are other means to attack a
system, but have never faced any serious criticism, so what's the deal?

Well, it seems to be exactly the same issue as with reporting numerous
buffer overflows in non-suid or low profile applications, something that
plagued BUGTRAQ +/- two years ago. Critics do not mean to question the
legitimacy of the discovery itself, as most of them agree there is some
risk in certain rare configurations or specific scenarios. I think it's a
good thing to have all the minor glitches traced down and fixed.

At the same time, the risk is very low and the exposure is limited. Yet the
volume of such reports is very high. It's easy to type /usr/bin/someapp
`perl -e '{print "A"x10000}'` or to enter a tag in a submission form or
HTTP headers, but it's quite unlikely such a discovery would cause a major
meltdown; still, the authors of numerous, numerous advisories pretend it's a
high profile issue to get better exposure than other, more serious
research.

When the media reports an XSS vulnerability, but not a new BIND hole, with
the latter having much better chances of becoming a starting point for the
next worm or such, it's not that difficult to understand why people are
getting upset and are attacking the researcher. And since XSS
vulnerabilities are considered a "novice vulnerability", with many
established researchers doing their best to avoid publishing such
findings, most XSS posters are automatically regarded as newbies trying
to get more attention than they deserve. Which is sometimes true,
sometimes not. *All* vulnerabilities have a value; it's just so easy to
miss it when there's needless hype surrounding them.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-01-23 23:59 --
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html