Re: [Full-disclosure] Re: Do world's famous companies take care of their security?

----- Original Message ----- From: "Steven M. Christey" <coley@xxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>; <full-disclosure@xxxxxxxxxxxxxxxxx>
Sent: Monday, July 31, 2006 10:43 PM
Subject: [Full-disclosure] Re: Do world's famous companies take care oftheir security?


Vulnerability databases (CVE included) historically have NOT recorded
site-specific XSS and other issues like sensitive data disclosure.
The primary reason is that most vuln DBs are focused on issues in
software that a system administrator would be directly responsible
for. Software services, which is basically what you're talking about
with PayPal, Google, and the like, are not under direct control of the
sysadmin - plus, the vendor merely needs to flip a switch (i.e. patch
the bug) and the problem is instantly fixed for all customers. The
lines between "site-specific" and "distributable" software are
becoming more blurry however, e.g. with hosted solutions.


And they should not! It`s not thier job.

XSS bugs are easy to discover and easy to fix, so what's the problem?

This is a common misconception. The basic XSS issues are easy to
discover and fix, and there are still far too many of them in
software. That's partially because with XSS, every single
input/output is suspect, and you simply don't get that large of an
attack surface with other vuln types. Over the years, XSS has
demonstrated a rich set of attack variants, such as the recent 8-bit
XSS bypass discussed by Kurt Huwig
(http://seclists.org/lists/bugtraq/2006/Jun/0549.html)

- Steve

There are many hardening tools (mod_security, iislockdown, IDS/IPS systems etc) which definitely CAN protect a vulnerable Web application and the victim from different kinds of attacks, including XSS. But there are no such tools installed, or they are not properly configured for most web sites. And I`m asking WHY? Is it the same reason as PayPal ignores XSS (or possibly other) flaws?



Valery

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: [Full-disclosure] Arin.net XSS
    ... It works in IE just fine and probably some other browsers. ... This prevents the script from being interpreted properly via the Address bar. ... Subject: [Full-disclosure] Arin.net XSS ... I think that XSS in many instances is a serious issues. ...
    (Full-Disclosure)
  • RE: [Full-disclosure] Re: Arin.net XSS
    ... You need to copy and paste the full URL into your browser for the XSS to take place. ... Full-Disclosure - We believe in it. ... If you have received this email in error please notify the system manager. ... message contains confidential information and is intended only for the individual named. ...
    (Full-Disclosure)
  • [Full-disclosure] Widespread vulnerabilities in Libero.it/Infostrada.it web portals
    ... Following the advisory of the XSS vulnerability found on Libero.it ... vulns are not occasional and a hardening in Libero/infostrada portals ... This PoC widely demonstrate how an attacker can use another XSS vuln + ...
    (Full-Disclosure)
  • Re: [Full-disclosure] informative...
    ... type of vulnerability after reporting the XSS to the owner. ... I feel free to talking about anything, in the spirit of full-disclosure. ... If someone wants to public "0day" XSS without report it to the owner, ...
    (Full-Disclosure)
  • [Full-disclosure] Re: Do worlds famous companies take care of their security?
    ... vulnerabilities in reply to XSS vulns in PayPal and Gadi Evron ... attack surface with other vuln types. ...
    (Full-Disclosure)