Re: [Full-disclosure] on xss and its technical merit

you see you are arguing how useful xss can be for an attacker, but the point
of this argument is

1) how hard is it find xss in applications
2) how hard it is to successfully exploit the vulnerability

compared to other vulnerabilities xss is way down on the scale

i also believe this is what pdp wanted to argue as he believes xss is on the
same scale as other bugs following 1 and 2

On Nov 4, 2007 2:28 PM, <nexus@xxxxxxxxxxxx> wrote:

Hash: SHA1

reepex wrote:
1) XSS isnt techincal no matter how its used
I totally disagree with you.. isn't technical for those who cannot
realize how much powerful can be a xss, especially if persistent.

2) people who use xss on pentests/real hacking/anything but phishing are
lame and only use it because they cannot write real exploits (non-web)
couldnt find any other web bugs (sql injection, cmd exec,file include,
Imho the pentesting will move day by day closer to web applications
flaws testing, since the web applications are self written by webmasters
and more exposed to possible bugs. Concerning sql inj or rfi are not
more difficult to be discovered..

3) XSS does not have a place on this list or any other security list and
remember when the idea of making a seperate bugtraq for xss was proposed
i still think it should be done.
Dunno about that, even if i agree that all the xss flaws found should
not be reported here, they would be too much.

4) if you go into a pentest/audit and all you get out is xss then its a
failed pentest and the customer should get a refund.
I don't agree with this too for the same reasons as before.

5) publishing xss shows your weakness and that you dont have the ability
find actual bugs ( b/c xss isnt a vuln its crap )
Imho a xss is a vuln as much as the others, since if used smartly could
get quite dangerous.

Reading a report from zone-h i read that the most effective hacking
cause it's the xss.. i don't know if i shall agree with this, but
obviously it should make us think about it.


Version: GnuPG v1.4.7 (GNU/Linux)


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -