Full Disclosure mailing list archives
Re: Re: New Web Vulnerability - Cross-Site Tracing
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Fri, 24 Jan 2003 00:40:00 -0800 (PST)
On Thu, 23 Jan 2003, Steven M. Christey wrote:
> I think it's an important stat because *if* XSS becomes widely exploited, then it could pose a significant threat.
I hate to state the (seemingly) obvious, but... I think this is not the reason why this discussion started in the first place. In my personal opinion, XSS attacks are not going to become widely exploited to abuse credentials any time soon, and there are a number of factors that have been repeated over and over again; the most obvious reason is that attacks with complex prerequisites that will affect only a very small percentage of the population are just not a "good sell".

On the other hand, downplaying an issue is generally a very short-sighted practice in this industry, and the problem of XSS is a legitimate one, even if it does not have a high profile today, or is not likely to gain such a profile in the foreseeable future.

I don't think that the profile of the vulnerability itself is what causes people to often have such strong and negative feelings about the issue. I've released several papers on issues no one expected to become a practical attack vector as long as there are other means to attack a system, but have never faced any serious criticism, so what's the deal?

Well, it seems to be exactly the same issue as with reporting numerous buffer overflows in non-suid or low profile applications, something that plagued BUGTRAQ +/- two years ago. Critics do not mean to question the legitimacy of the discovery itself, as most of them agree there is some risk in certain rare configurations or specific scenarios. I think it's a good thing to have all the minor glitches traced down and fixed. At the same time, the risk is very low, the exposure is limited. Yet, the volume of such reports is very high. It's easy to type /usr/bin/someapp `perl -e '{print "A"x10000}'` or to enter a tag in a submission form or HTTP headers, but it's quite unlikely such a discovery would cause a major meltdown; yet the authors of numerous, numerous advisories pretend it's a high profile issue to get better exposure than other, more serious research.

When the media reports an XSS vulnerability, but not a new BIND hole, with the latter having much better chances of becoming a starting point for the next worm or such - it's not that difficult to understand why people are getting upset and are attacking the researcher. And since XSS vulnerabilities are considered a "novice vulnerability", with many established researchers doing their best to avoid publishing such findings, most XSS posters are automatically regarded as newbies trying to get more attention than they deserve. Which is sometimes true, sometimes not.

*All* vulnerabilities have a value, it's just so easy to miss it when there's a needless hype surrounding them.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-01-23 23:59 --

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html