Full Disclosure mailing list archives
Re: on xss and its technical merit
From: reepex <reepex () gmail com>
Date: Sun, 4 Nov 2007 18:07:17 -0600
On Nov 4, 2007 4:43 PM, pdp (architect) <pdp.gnucitizen () googlemail com> wrote:
lets say 10000 servers are running a vuln ftpd and another 10000 are running the same open source web app. Which would you rather have the exploit for? also which would be more practical to attack? assuming you have the same system and a good exploit you could get all the 10000 ftpds, while the xss on 10000 msg boards would require 10000 users to view the page you attacked.

well I will go for the 10000 ftpds in general. However, it really depends on what I am doing. As I said, these FTPDs may give you access to the system but probably not access to the data which to me is a lot more interesting. In this case 10000 XSS sounds a lot more valuable.

Which 'data' are you talking about? the servers info (in this case the server running the ftpd daemon) or the data/personal machines of the users of the ftpd? I would rather have control of the ftpd then simply backdoor the daemon to work on individual users, just as I would rather control on the web server itself rather than any pre-existing xss bugs. again the whole point is that you do not need xss ever if you have client side exploits or access to the server itself.
There are XSS script kiddies as well Buffer Overflow script kiddies. Just because you can find XSS does not mean that you've done something amazing and extraordinary. It takes skills and a lot of effort to make something out of it. But as I said before, open your mind. There are endless potentials when it comes to XSS.
yes and i guess bad for you is that the only xss you really see posted (fd, milw0rm, security focus) is people posting <script>alert('hi')</script>
BTW, it does look like an achievement when you find an XSS inside an application that 1000 more people play with (look for similar bugs) on a daily basis. XSS in some small apps are stupid. XSS on the default Google Search Interface is as valuable as remotely exploitable buffer overflow for Linux 2.6.x kernels (distribution independent).

Again I think if you are attacking the users of a site instead of the site itself this is acceptable but your attacks could become much more hazardous if you owned the google server itself (maybe a stretch in the case of google) and added whatever code you wanted to the front page/ or embedded your nice browser exploit in the page. either of these ways seems much more valuable than xssing people who are signed in and visited your page. also (unless I'm missing something) in another email you mentioned like 15 different kinds of xss which I am sure are all interesting in their own way but the most you can get out of them is simple browser games.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/