web application security lab

CSO Magazine Writeup on XSS Disclosure

As anyone who has been following the site for any time will know, I’ve been on both sides of vulnerability disclosure. Most of the time I think it’s a boring topic that was solved by Rain Forest Puppy all those years ago with his RFPolicy. Since then, however, the nature of vulnerabilities has changed with the advent of widely known XSS exploits. CSO magazine contacted me while they were in the process of a thorough writeup on XSS disclosure. Unlike the software vulnerabilities of yesterday, XSS presents a unique challenge for researchers.

Generally, if it is easier to disclose an issue to the company in question (for instance, if I have personal contacts there), I will do so. But generally speaking, the simple act of disclosing is horribly complex and can get you into more trouble than not, depending on how the interaction proceeds. That’s why, when Scott from CSO magazine contacted me, I was happy to lay out the current battlefield. Companies have been notoriously difficult to get in contact with; they have not paid attention when their sites have been found to be vulnerable; and they can lash out even after responsible disclosure. Of course that doesn’t apply to all of them, but it definitely applies to some, and why would a vulnerability researcher take the chance?

Granted, I have bills to pay, and I’m not going to go to war for any individual researcher if someone with a badge asks me to tell them where I found information; and if I have a reason to protect a company, I’ll do so to the best of my abilities. But overall I am a consumer advocate attempting to find the balance between protecting the consumer and not completely screwing over the companies who have the issues. That’s why all my demonstrations are meant to be innocuous and non-malicious, even to the user who views them. What malicious people do with that information later is out of my control, just as it is out of my control if someone uses my paper on filter evasion of chat to send death threats.

What we are providing is a tool-set for the people who are interested in fixing these issues. We provide a communication path to allow companies and security researchers to communicate with one another. That communication will increase in the future, with some projects that are on the horizon, but for now, at least the sla.ckers.org forum is available for anyone to use. Feel free to ask questions of myself and other researchers. This is an emerging threat, so while no one knows how to completely solve all possible issues at this exact moment, we are getting closer and closer to that point every day. Eventually, with the help of the vulnerable enterprises, the vulnerable browser companies and the software developers that write vulnerable code, I am sure we will find all the solutions to these problems. That can only come with help from one another.

3 Responses to “CSO Magazine Writeup on XSS Disclosure”

  1. WhiteAcid Says:

    I’m impressed with that writeup, both the style of writing (which is to be expected) and the technical accuracy of it. I find it amusing that this was posted so shortly after I got some “friendly” feedback on a blog post I wrote:
    http://blogs.securiteam.com/index.php/archives/786#comment-60051

  2. RSnake Says:

    Wow, I hadn’t seen those comments. Interesting. That was a good writeup on Kyran’s worm. Well what can you expect from the user community?

  3. Mephisto Says:

    Wow! Those are some… uh… nice comments, WhiteAcid. I wonder how they would have responded if the attack had been malicious and had compromised user data and system functionality?

    Very good write-up on the issues associated with disclosure, whether done responsibly or not. Fortunately, I have never had to deal with any negativity in the times I’ve done responsible disclosures; most companies have been very understanding about things and only want to do what’s right to protect themselves and their customers. Others, on the other hand, can take it as a personal attack meant to make them look bad and hurt their business.