Re: New Web Vulnerability - Cross-Site Tracing

[xss-is-lame () hushmail com]

-----BEGIN PGP SIGNED MESSAGE-----

I would like to point out that in order to execute an "XST" attack, you have to be able to able to get 
JavaScript/Flash/etc executed on the victim's system as a PREREQUISITE.

So, to summarize:

If you can get arbitrary JavaScript executed on a web client, you can use this attack method to get arbitrary 
JavaScript executed on a web client, in a different zone.

Is this a useful thing to know if you're looking for a way to steal cookies? Sure!  Is this a revolutionary tactic that 
will allow you to compromise the security of any of the webservers listed in the whitepaper? No.

This isn't any different from the many, many, many known ways of violating someone's HTTP client if you can get them to 
execute Flash or JavaScript or ActiveX of your choice.  We've seen dozens of holes in IE's security constraints that 
allow attackers to view files, steal cookies or execute commands.  Unlike Guninski or GreyMagic's advisories, this one 
has simply been built up to ridiculous proportions with marketting language in the press release and in the ExtremeTech 
article.
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wmAEARECACAFAj4t5mkZHHhzcy1pcy1sYW1lQGh1c2htYWlsLmNvbQAKCRDs/5lboNFb
hs94AJoCAIHCTBclVGgSJrvXtm2ZUxJN7QCfQw+wgkQjMwnwaFTJFMVrl4fwMKI=
=J5ak
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2 

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427