<br><br><div class="gmail_quote">On Nov 4, 2007 4:43 PM, pdp (architect) <<a href="mailto:pdp.gnucitizen@googlemail.com">pdp.gnucitizen@googlemail.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">><br>> Let's say 10000 servers are running a vulnerable ftpd and another 10000 are running<br>> the same open source web app. Which would you rather have the exploit for?<br>> Also, which would be more practical to attack? Assuming you have the same
<br>> system and a good exploit, you could get all the 10000 ftpds, while the XSS<br>> on 10000 message boards would require 10000 users to view the page you attacked.<br>><br><br></div>Well, I will go for the 10000 ftpds in general. However, it really
<br>depends on what I am doing. As I said, these FTPDs may give you access<br>to the system but probably not access to the data, which to me is a lot<br>more interesting. In this case 10000 XSS sounds a lot more valuable.<br>
<div class="Ih2E3d"></div></blockquote><div><br> Which 'data' are you talking about? The server's info (in this case the server running the ftpd daemon) or the data/personal machines of the users of the ftpd?<br>
<br> I would rather have control of the ftpd, then simply backdoor the daemon to work on individual users, just as I would rather have control of the web server itself rather than any pre-existing XSS bugs.<br><br>Again, the whole point is that you do not need XSS ever if you have client-side exploits or access to the server itself.
<br> <br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">There are XSS script kiddies as well as Buffer Overflow script kiddies.<br>Just because you can find XSS does not mean that you've done something
<br>amazing and extraordinary. It takes skills and a lot of effort to make<br>something out of it. But as I said before, open your mind. There is<br>endless potential when it comes to XSS.<br></blockquote><div><br>Yes, and I guess what's bad for you is that the only XSS you really see posted (FD, milw0rm, SecurityFocus) is people posting &lt;script&gt;alert('hi')&lt;/script&gt;
<br><br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>BTW, it does look like an achievement when you find an XSS inside an<br>application that 1000 more people play with (look for similar bugs) on
<br>a daily basis. XSS in some small apps is stupid. XSS on the default<br>Google Search Interface is as valuable as a remotely exploitable buffer<br>overflow for Linux 2.6.x kernels (distribution independent).<br><div><div class="Wj3C7c">
<br></div></div></blockquote></div><br>Again, I think if you are attacking the users of a site instead of the site itself this is acceptable, but your attacks could become much more hazardous if you owned the Google server itself (maybe a stretch in the case of Google) and added whatever code you wanted to the front page, or embedded your nice browser exploit in the page. Either of these ways seems much more valuable than XSSing people who are signed in and visited your page.
<br><br>Also (unless I'm missing something), in another email you mentioned like 15 different kinds of XSS, which I am sure are all interesting in their own way, but the most you can get out of them is simple browser games. <br>
<br>