Full Disclosure mailing list archives

Re: on xss and its technical merit


From: Byron Sonne <blsonne () rogers com>
Date: Wed, 12 Dec 2007 12:45:31 -0500

> It's not a sexy beast that you can blog about

That hasn't stopped some people ;)

I've done some serious thinking about this, and I've come to the
conclusion that hacking at web stuff is innately boring. Maybe it's like
watching bicycling on TV; fun to do but boring as hell to watch or
listen to other people talk about.

Ooooh xss csrf htmlmnopqrstuvwxyz bah! The only thing possibly
interesting about it is the target, what you scam them for, or what you
get access to. The problem is that anything www facing is pretty much in
the realm of the sheep, so of course almost everything is going to be
rotten with holes. You have community colleges pumping out 'web experts'
or dudes who read a redhat+apache+php+mysql+foo howto and now are seen
as gurus.

In terms of a technically interesting challenge, it sounds about as
exciting as picking fights with 10 year olds. Shit man, most of this
stuff is more about fooling people than anything. Yawn. I was bored
tricking or weaseling passwords out of datacentre employees over the
phone 20 years ago. Now I'm supposed to get excited 'cos some retards
are doing it over the web?

> If an app is vuln to XSS chances are the rest of the app
> is crap anyways...

A safe assumption. In fact, if it's on the web, it's a safe assumption
it's crap anyways. Or is that Crap2.0?


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/