XSS isn’t insecure
Okay, the title might be a tad inaccurate, but that’s the basic premise of this article at Neosmart.net I came across today called “What XSS isn’t”. I have so many problems with the article it’s hard to keep all of them straight in my head at the same time. Firstly, he describes this as only a problem in JavaScript (obviously this isn’t just JavaScript, it’s also Visual Basic, Flash, Java, etc… etc…). Secondly, he basically says that applications that have XSS in them are well written and XSS does not an insecurity make. Wow.
If I make a system with a buffer overflow in it, intentionally, and hand it to a thousand people, by his argument since it was designed that way it’s not insecure. I just couldn’t disagree more. I thought the definition of insecure was something that compromised your security. I personally think password, credit card, PIN numbers, social security numbers, etc… constitute something I wouldn’t feel “secure” in handing to a bad guy. I wonder if Pete would feel the same and if not, he is welcome to post those on this site.
I feel bad for developers who have to deal with XSS, but that doesn’t mean that they have well written programs. Well, obviously I think his opinion is pretty misinformed to say the least, but I’ll let you make up your own mind on this one.



June 25th, 2006 at 1:12 am
Neosmart is a sad reflection of the steady increase of moronic uneducated amateurs attempting to enter the computer security field.
His article is perhaps the stupidest security-related commentary I’ve ever read in my life. Even the rewritten version screams ignorance. XSS is perhaps the most dangerous security vulnerability that is currently affecting popular websites, due to the extremely large quantity of vulnerable sites and ease of exploitation. Calling it a “buzzword” is no different from calling identity theft a fad that can be ignored.
Additionally, it seems he fails to address the fact that XSS can often be injected into forums and other similar CGI applications, and thereby affect users without the need for any social engineering at all. Even if social engineering is necessary for an attack, that does not in any way make XSS a lesser threat.
My hope is that people entering the web development field will know to ignore trash like Neosmart, and learn that proper security is no “buzzword,” but sadly it seems more and more moronic and lazy developers ignore basic principles and put their users at huge risk.
Lastly, the kid(s) running NeoSmart need to keep their ignorant mouths shut and let real developers decide what’s a threat or not. “Computer Guru” my ass.
June 25th, 2006 at 9:21 am
Thanks for the post, webwormx. This is my favorite part of the article (my comments in brackets):
“The problem isn’t so much in the attack itself [yes, it is] as much as it is in the usage of the term [no, it isn’t]. XSS is not a real security vulnerability in a product or script [huh? Yes it is] since it does not directly result in the loss of data integrity [wrong, cookie theft is loss of data integrity, and look at Jeremiah’s GMail hack, I’d call that loss of data integrity], but rather can be used as a tool in social engineering attacks [anything can, that’s a stupid comment] and can never compromise the security of a server/host under any conditions [uh, no, that’s incorrect, it definitely can, listen to Jeremiah Grossman’s talk at Blackhat this summer, and anyway, it can easily be used to proxy injection attacks or SQL injection, so that’s just flat out wrong] nor that of an end-user on its own [again, wrong, cookie theft].”
He just truly doesn’t get it. It’s sad when people call themselves Gurus when they really have no idea what they are even talking about.
I think that’s part of the problem with the security industry these days. You get a lot of vaguely smart kids who ran their first buffer overflow and now are self-proclaimed security experts. id and I have about 20 years combined experience in security, and I’d be the first to admit, I know jack and or shit about lots of areas of security. It’s just too broad a field to be a “Guru” at it. That’s a mark of ignorance. Knowing what you don’t know is one of the biggest assets of an actual security expert.
June 26th, 2006 at 9:30 am
Okay, it looks like all is right in the world… the neosmart website is now down with this error message, “This Account Has Been Suspended Please contact the billing/support department as soon as possible.”
Looks like XSS has the power to kill people’s accounts. Well, if not XSS, talking about XSS anyway.
June 26th, 2006 at 3:55 pm
It appears it’s back up. Interesting. Looks like Pete forgot to pay his bill, but it’s back online now.
June 28th, 2006 at 2:20 pm
Lol, the funniest thing is that his search module is XSS vulnerable xD
http://neosmart.net/blog/index.php?s=%3Cdiv+style%3D%60background-color%3Ared%3Bwidth%3A100%25%3Bheight%3A100%25%3Bcolor%3Awhite%3B%60%3EXSS+Vulnerable%3C%2Fdiv%3E
after looking for…
XSS Vulnerable
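The reflection shown in the comment above, and the output encoding that stops it, as an added example (not code from this blog, its commenters, or neosmart.net). The query string is the one quoted in the comment; the rendering functions and the page template are hypothetical stand-ins for a search page that echoes its `s` parameter.

```javascript
// Query string copied from the comment above.
const QUERY = "s=%3Cdiv+style%3D%60background-color%3Ared%3Bwidth%3A100%25%3Bheight%3A100%25%3Bcolor%3Awhite%3B%60%3EXSS+Vulnerable%3C%2Fdiv%3E";

// Decode the search term the way a server-side framework would ("+" becomes a space).
function searchTerm(query) {
  return new URLSearchParams(query).get("s") ?? "";
}

// HTML-escape a value for element content and quoted attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return String(text).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Weak (hypothetical template): the term is concatenated into the page as markup.
function renderUnsafe(term) {
  return `<h2>Search results for: ${term}</h2>`;
}

// Corrected: the term is encoded at the point of output, so it stays text.
function renderSafe(term) {
  return `<h2>Search results for: ${escapeHtml(term)}</h2>`;
}

// Count start tags of a given element in the output, to show whether
// user input ended up as markup or as inert text.
function countTags(html, name) {
  return (html.match(new RegExp(`<${name}[\\s>]`, "gi")) || []).length;
}

const term = searchTerm(QUERY);
console.log("unsafe:", renderUnsafe(term), "-> div tags:", countTags(renderUnsafe(term), "div"));
console.log("safe:  ", renderSafe(term), "-> div tags:", countTags(renderSafe(term), "div"));
```
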
June 28th, 2006 at 5:02 pm
Hahah, nice! Gurus always have it tough. I love it. Way to go!
July 15th, 2006 at 3:24 am
I stumbled upon NeoSmart’s article today and I wonder why so many people got it stuck in their heads that XSS isn’t an important problem. Does nobody remember the phpbb or the “samy is my hero” worm?