The term “proof of concept” is an interesting convention used by many security auditors. I ran across Jericho’s article on the Open Source Vulnerability Database discussing why the nomenclature PoC is no longer a valid convention. (Further, function=[XSS] or function=[SQL] are no longer valid either.) Once upon a time it was safer to disclose that there was an issue in something without outright explaining every detail of the exploit found. These days, it is so trivial to exploit issues that it’s just easier for everyone’s sake if you actually type out the vector you used.
I’ve actually noticed the same thing myself. One of the hardest parts of XSS is working out what is and isn’t exploitable XSS. Some things allow HTML injection, but there is no way to reasonably exploit the vulnerability. Does that make it less scary? Yes! The reason XSS is scary is that it can lead to information disclosure, but if there is no way to get another user to see the HTML you injected, then it’s not a real vulnerability. Sloppy coding? Yes. Vulnerability? No.
Jericho’s point was that it is either very trivial to exploit or it isn’t. If it is, then why bother hiding it behind a [XSS] tag? If it isn’t trivial, then explain the steps you have to take to exploit it; otherwise, the disclosure isn’t going to mean anything to anyone, because they won’t be able to see your work. One great example is this cross site scripting vulnerability found in Php-fusion a few days ago. Frankly, this is a very difficult thing to exploit, as it doesn’t work under most circumstances (i.e., you cannot just use an image tag and get automatic execution). You’d have to wrap it in an iframe, or call a remote site that included it, or something… either requiring social engineering or HTML injection, neither of which is obvious from the report. While still interesting, this vulnerability is nearly useless for anyone who is at all new to the exploit in question.
His point is a good one. Part of the value the XSS Cheat Sheet and other tools like it provide is that they pull together every known unique vector to help auditors. Without knowing the tricks that make these things possible, they fall out of date, and ultimately the community suffers. So give up your zero day if you have it!
I’m writing about this article not just because Jericho is writing about it, and not just because he’s linking to the XSS Cheat Sheet, and not just because I’ve known him for years, but also because he’s right. I think part of the problem is that people assume that if they give actual examples they’ll end up like the virus writers who just got nailed. Just because you leave the vector in there doesn’t mean you have to disclose the name of the company that is vulnerable. Explaining vectors does not a criminal make. The amusing part is that PoC is actually an inaccurate term, because it’s not a proof, it’s an example.