Greetings! On Sun, 4 Nov 2007 13:26:17 -0600 reepex <[EMAIL PROTECTED]> wrote: > "we are talking about whether XSS is as technical as other security > disciplines. We are also talking about whether it should have a > deserved an recognized place among FD readers and contributers. [...] > 1) XSS isnt techincal no matter how its used [...] > 3) XSS does not have a place on this list or any other security list > and i remember when the idea of making a seperate bugtraq for xss was > proposed and i still think it should be done.
XSS is a variant on missing or lax input verification. Thus all other forms of input-nonverification like buffer overflows or char(0) injections or the like should be handeled similarily. In its simplest version XSS could be used for phishing - which is bad enough for banking or business portals. Depending on the application other elevations might be possible through XSS like session stealing, cmd/sql injects, etc. Especially if such an elevated XSS was detected for a software it definitely would have a place on security mailing lists. But it should be more qualified than just "XSS found on ....". Just running a XSS scanner is lame - whereas finding out all consequences and possible attack vectors and maybe even posting a patch might be a worthwile posting. Bye Volker -- Volker Tanger http://www.wyae.de/volker.tanger/ -------------------------------------------------- [EMAIL PROTECTED] PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
