after the last email where they asked for a resume i did not feel like making up a fake resume like i made a fake company so I ignored them... only 3 days later simon sends this email begging me to stay in contact and work him
<br><br>I think snosoft but be in serious trouble if they look to merge with companies and hire employees based on troll posts from FD<br><br><div class="gmail_quote">On Nov 5, 2007 10:59 AM, Simon Smith <<a href="mailto:simon@snosoft.com">
simon@snosoft.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Thought you were interested in contract work?<br><div class="Ih2E3d">
<br>reepex wrote:<br>> you see you are arguing how useful xss can be for an attacker, but the<br>> point of this argument is<br>><br>> 1) how hard is it find xss in applications<br>> 2) how hard it is to successfully exploit the vulnerability
<br>><br>> compared to other vulnerabilities xss is way down on the scale<br>><br>> i also believe this is what pdp wanted to argue as he believes xss is on<br>> the same scale as other bugs following 1 and 2
<br>><br>> On Nov 4, 2007 2:28 PM, < <a href="mailto:nexus@playhack.net">nexus@playhack.net</a><br></div><div><div></div><div class="Wj3C7c">> <mailto:<a href="mailto:nexus@playhack.net">nexus@playhack.net</a>
>> wrote:<br>><br>> reepex wrote:<br>>> 1) XSS isnt techincal no matter how its used<br>> I totally disagree with you.. isn't technical for those who cannot<br>> realize how much powerful can be a xss, especially if persistent.
<br>><br>>> 2) people who use xss on pentests/real hacking/anything but<br>> phishing are<br>>> lame and only use it because they cannot write real exploits<br>> (non-web) or<br>>> couldnt find any other web bugs (sql injection, cmd exec,file
<br>> include,<br>>> whatever)<br>> Imho the pentesting will move day by day closer to web applications<br>> flaws testing, since the web applications are self written by webmasters<br>> and more exposed to possible bugs. Concerning sql inj or rfi are not
<br>> more difficult to be discovered..<br>><br>>> 3) XSS does not have a place on this list or any other security<br>> list and i<br>>> remember when the idea of making a seperate bugtraq for xss was
<br>> proposed and<br>>> i still think it should be done.<br>> Dunno about that, even if i agree that all the xss flaws found should<br>> not be reported here, they would be too much.<br>><br>>> 4) if you go into a pentest/audit and all you get out is xss then
<br>> its a<br>>> failed pentest and the customer should get a refund.<br>> I don't agree with this too for the same reasons as before.<br>><br>>> 5) publishing xss shows your weakness and that you dont have the
<br>> ability to<br>>> find actual bugs ( b/c xss isnt a vuln its crap )<br>> Imho a xss is a vuln as much as the others, since if used smartly could<br>> get quite dangerous.<br>><br>> Reading a report from zone-h i read that the most effective hacking
<br>> cause it's the xss.. i don't know if i shall agree with this, but<br>> obviously it should make us think about it.<br>><br>> bye<br>><br>> /nexus<br><br></div></div>> ------------------------------------------------------------------------
<br><div><div></div><div class="Wj3C7c"><br>> _______________________________________________<br>> Full-Disclosure - We believe in it.<br>> Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">
http://lists.grok.org.uk/full-disclosure-charter.html</a><br>> Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br><br><br></div></div><font color="#888888">--<br>
<br>- simon<br><br>----------------------<br><a href="http://www.snosoft.com" target="_blank">http://www.snosoft.com</a><br><br></font></blockquote></div><br>