i think some of the problem with the importance of XSS lies in the availability of quality client side bugs. i read a quote once that said xss is for people that dont have client sides and while i think this is a bit short sighted it does have some merit. If you were attacking a target and you had a choice of where to put your research and development hours between a xss bug that you could do some cool shit with but not quite get shell or a client side stack overflow that you can write an exploit for with very minimal effort (thank you skylined)and gets you full system control? lets face it your average infosec guy and random company doesn't really have the understanding to fully grasp the importance of a vulnerability class they rely on whitehats to do that for them. They look at what people are working on and say oh that must be whats important if this other vuln class was important then there would be alot of people working on it. now while i agree alot of xss work has been done lately (and by lately i mean the last 2 to 3 years or so) i dont think alot of that work has had a chance to filter down to joe blow admin yet. lets face it they have to hear it 19 times before they get it anyway.
ri0t
Wednesday, May 7, 2008
Tuesday, May 6, 2008
The importance of the lack of importance of XSS
Am I the only one who finds the lack of importance placed on XSS a bit annoying? Can it be the lack of understanding behind the vulnerability for such reasons? I would like to think that most peeps in the security industry would raise a flag on xss issues for more than one reason, but at the very least for shitty coding practices! Thoughts on this?
Subscribe to:
Posts (Atom)