Full Disclosure mailing list archives

Re: on xss and its technical merit

From: "J. Oquendo" <sil () infiltrated net>
Date: Wed, 12 Dec 2007 13:29:21 -0500

Byron Sonne wrote:

In terms of a technically interesting challenge, it sounds about as
exciting as picking fights with 10 year olds. Shit man, most of this
stuff is more about fooling people than anything. Yawn. I was bored
tricking or weaseling passwords out of datacentre employees over the
phone 20 years ago. Now I'm supposed to get excited 'cos some retards
are doing it over the web?


I agree to an extent however I do know some pretty skillful people on
all sorts of levels use xss in conjuction with leveraging a network.

A safe assumption. In fact, if it's on the web, it's a safe assumption
it's crap anyways. Or is that Crap2.0?


What's that old adage on "assume". "Forward facing" sites can be
leveraged to disclosure other information. E.g., Write an XSS to run
commands on the system itself for say a week. Eventually you will see
signs of someone logging into said system. Construct an XSS attack to
embed the necessary tools to leverage your way into the backbone. Not
unlikely a difficult thing to do considering you managed to XSS attack
the site in the first place.

What you/we see too often on this and other mailing list is stupidity
a-la "I just XSS and popup up w00t now give me credit!" That is not what
I consider a hack I consider it stupidity. What would have impressed me
would be someone using a curl POST with a proxy, dumping binaries and
having those binaries run with the user privileges of the webserver. One
misconfigured webserver (chown -Rf root:wheel) and its a wrap.


-- 
====================================================
J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

"I hear much of people's calling out to punish the
guilty, but very few are concerned to clear the
innocent." Daniel Defoe

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: on xss and its technical merit reepex (Dec 09)
- <Possible follow-ups>
- Re: on xss and its technical merit coderman (Dec 12)
  - Re: on xss and its technical merit Byron Sonne (Dec 12)
- Re: on xss and its technical merit Jay (Dec 12)
  - Re: on xss and its technical merit Byron Sonne (Dec 12)
    - Re: on xss and its technical merit J. Oquendo (Dec 12)
- Re: on xss and its technical merit Fredrick Diggle (Dec 12)
  - Re: on xss and its technical merit Joao Inacio (Dec 12)
    - Re: on xss and its technical merit Fredrick Diggle (Dec 12)
  - Re: on xss and its technical merit Morning Wood (Dec 13)
    - Re: on xss and its technical merit Fredrick Diggle (Dec 13)
    - Message not available
    - Re: on xss and its technical merit Fredrick Diggle (Dec 13)
- Re: on xss and its technical merit Jay (Dec 12)
  - Re: on xss and its technical merit Fredrick Diggle (Dec 12)
  - Re: on xss and its technical merit Byron Sonne (Dec 12)
    - Re: on xss and its technical merit Valdis . Kletnieks (Dec 12)

(Thread continues...)