Wednesday, May 7, 2008

more xss talk

I think some of the problem with the importance of XSS lies in the availability of quality client-side bugs. I read a quote once that said XSS is for people that don't have client sides, and while I think this is a bit short-sighted, it does have some merit. If you were attacking a target and you had a choice of where to put your research and development hours, between an XSS bug that you could do some cool shit with but not quite get shell, or a client-side stack overflow that you can write an exploit for with very minimal effort (thank you skylined) and gets you full system control? Let's face it, your average infosec guy and random company don't really have the understanding to fully grasp the importance of a vulnerability class; they rely on whitehats to do that for them. They look at what people are working on and say, "Oh, that must be what's important; if this other vuln class was important, then there would be a lot of people working on it." Now, while I agree a lot of XSS work has been done lately (and by lately I mean the last 2 to 3 years or so), I don't think a lot of that work has had a chance to filter down to Joe Blow admin yet. Let's face it, they have to hear it 19 times before they get it anyway.


ri0t
