[Full-disclosure] To XSS or not?
xploitable at gmail.com
Sun Jul 23 19:52:49 BST 2006
On 7/23/06, Gadi Evron <ge at linuxbox.org> wrote:
> Today, a serious cookie-stealing XSS in paypal was reported.
Although I can tell you what's going on here.
XSS is suffering an identity crisis and a public relations disaster.
There is a lack of high profile hacks with XSS now.
We had the Myspace worm, although that was really a harmless proof of
concept incident and no harm really came of it.
What XSS really needs is a major incident to bring it back into the
I don't think it's the vulnerability class, more the vendors attached.
The bigger the vendor the better, the bigger the security incident the better.
cross site scripting has the attributes to carry out a 'shock and awe'
attack, although there's a lack of people out there willing to do it.
If all the unpatched XSS'ing vulnerabilities were exploited all at the
same time in an internet wide coordinated attack, then that would make
people spill their drinks.
The core issue here, though, is that input validation flaws are too easy for
programmers to make...
Greater awareness of input validation practices is needed among web
application developers, then the vulnerabilities reported would start
'HOW NOT TO CREATE INPUT VALIDATION FLAWS IN YOUR WEB APPLICATIONS'
I think it says more about vendors, than it says about the 'kiddies'
who report them. After all, who is lamer, the kiddies finding the bugs
or the multi billion dollar corporations who don't take input
There should be stiff penalties within corporations. If programmers
were told your dick would be chopped off if you let a product go live
without penetration testing it first with an automated XSS auditing
tool, then you can bet the XSS flaws would go away tomorrow. Ok, maybe
just cut their pay for that month, not their dicks off, but you get
The issue here isn't the kiddies, it's corporations allowing the flaws
to happen, and not making corporate dev teams get into trouble for
What happens to developers within corporations when serious flaws are
found? The developers don't get sacked, flaws are just treated as
'just something that happens' and nothing bad happens to individuals.
The developer shrugs his shoulders and carries on coding.
It's not mailing lists who should be taking cross site scripting
seriously, it's the corporate users sitting in their office cubes who
don't care about cross site scripting that's causing the most damage to
the reputation of cross site scripting as a legitimate vector for
blackhat script kid hackers to use to mount attacks.
I say public stonings to developer teams for every cross site
scripting reported is a reasonable punishment to me.
But seriously, laws are needed to make it more illegal for
corporations to shrug off cross site scripting being left unpatched.
And laws to make sure the individual programmer gets fined as well as
the corporation as a whole.
That way there would be _no_ cross site scripting vulnerabilities left
unpatched and mailing lists would not be flooded with them.
Money is the only language corporations understand, so if they thought
Google, Yahoo, Paypal knew they were going to be fined, the landscape
would be different, and corporations would have no choice but to take
all reasonable steps to prevent input validation flaws in their
software from being a possibility for hackers in the first place.
You must go back to why these flaws are present in software to begin
with, to really tackle the real issue of what's going on here, and the
finger doesn't point towards the script kids and (or) the hackers, the
buck stops at the door step of the vendor. And these are the people
(the vendors) who should face large fines in a court of law.
It's time to get tough, it's time for a major crackdown on vendor
responsibility and being held to account criminally.
Forget all these hacker crack downs and raiding folks homes at 4am and
taking away their computers for analysis, that's not solving anything
in the security industry.
The crackdowns need to come at the corporate level, and in extreme
cases security officers and executives of corporations should be
threatened with fines.
It is the corporations who should be the ones getting into trouble,
not hackers and script kids.
-End of rant, but if you strip down some of what I said, you'll see
it's the only way for the security industry to progress and really
tackle the fundamental reasons why it's so easy to find cross site
scripting nowadays, and I don't think cheat sheets and the wider
exposure of XSS and automated detection tools are to blame. It's the
vendors! Threaten them with heavy fines, problem 100% solved.
Full-Disclosure is hosted and sponsored by Secunia.
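Since the post blames input validation practice for these flaws, here is an added example (not from the post or the list) showing the pattern behind a reflected XSS next to the output-encoding fix; the function names and the sample input are constructed for illustration.

```javascript
// Added example, not code from the original post: a minimal reflected-XSS
// pattern and its hardened form. All names and inputs are constructed.

// Vulnerable: the untrusted value is spliced straight into HTML markup, so
// any '<' in it is parsed by the browser as the start of a tag.
function greetUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value. Encoding at output time, for the context the
// value lands in, is what stops data from being interpreted as markup;
// trying to filter "bad" input on the way in is what keeps going wrong.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same template, but the untrusted value is HTML-encoded first.
function greetSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Stand-alone demonstration with a constructed input containing a tag.
function demo() {
  const untrusted = '<script>x</script>';
  return { unsafe: greetUnsafe(untrusted), safe: greetSafe(untrusted) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Encoding only covers HTML text and attribute contexts; a value placed inside a script block or a URL needs that context's own encoding, and marking the session cookie HttpOnly keeps document.cookie from exposing it even when an encoding bug slips through.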