web application security lab

XSS Fiction

I saw a post this morning pointing to a fiction story over at Michael Daw’s website about how XSS can be used to steal national secrets. It’s based loosely on the concepts that Jeremiah built and it references pdp (architect)’s paper on XSSing the LAN. Basically this is just a sensationalist outlook on what is possible, but it’s still an interesting narrative.

I’ve never been a fearmonger, but for the first time in my life I’ve found myself telling people, “I don’t know a company I couldn’t break into.” Every system I’ve found has vulnerabilities. There was something Bruce Schneier wrote a number of years back (and I’m paraphrasing here) that said that for every man hour it takes to build security, it takes n+1 to break it. That is, if there are vibration mics in the ground, it will take exactly n+1 times the time it took to place them, test them and get them working properly to break in.

On Mythbusters episode 59 the other night the crew cracked several physical devices like fingerprint scanners, and walked past various kinds of motion detection devices (with something as simple as a pane of glass). The point being, there are always ways around security, physical or otherwise. In the case of JavaScript port scanning it is similar to a Trojan horse: the idea is to sneak something otherwise normal and innocuous into an internal interface.

JavaScript seemed the most likely candidate, so we tackled that first. Yes, that means nearly every company on earth is vulnerable to it. Is that the only weapon in the arsenal? No way. Are there ways to fix it? We’re already working on them. Will that solve things? No way. At best it will just shift the problem elsewhere, and at worst it will continue to be an esoteric attack vector that is only used by the few people who really get its consequences.

One Response to “XSS Fiction”

  1. Every System Has Vulnerabilities « …something else to write home about. Says:

    […] Reading today at ha.ckers.org web application security lab, I was intrigued by RSnake’s comments about internet security: […]