Comments on: Vulnerability found in security tool http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/ A tool for designers dealing with programmers dealing with designers... Tue, 14 Oct 2008 02:00:58 +0000 http://wordpress.org/?v=2.6.2 By: Gareth Heyes http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-268 Gareth Heyes Sun, 29 Jul 2007 10:36:12 +0000 http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-268 Chris I know how same origin policy works and it is totally irrelevant to my point. You had a XSS hole which allows anyone to execute Javascript on your site on their behalf. Perhaps you should be more professional and test your tools before trying to downplay the very vulnerabilities that you blog about. I'm not going to continue this discussion because I feel you are just trying to excuse yourself from the embarrassing mistake you made. Chris I know how same origin policy works and it is totally irrelevant to my point. You had a XSS hole which allows anyone to execute Javascript on your site on their behalf. Perhaps you should be more professional and test your tools before trying to downplay the very vulnerabilities that you blog about.

I’m not going to continue this discussion because I feel you are just trying to excuse yourself from the embarrassing mistake you made.

]]> By: Chris Shiflett http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-265 Chris Shiflett Sun, 29 Jul 2007 04:14:20 +0000 http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-265 You're not doing yourself any favors by acting haughty and immature. Please try to be a bit more professional; I'm trying to give you the benefit of the doubt. XSS attacks exploit a client-side context and are therefore bound by the same-origin policy: http://en.wikipedia.org/wiki/Same_origin_policy For example, if a web site is mostly static, and the only non-static part is a broken 404 handler that has an XSS vulnerability, exploiting it is almost useless. If a web site doesn't use cookies, or if the cookies it uses aren't sensitive or trusted, stealing them is not the all-powerful exploit you seem to think it is. Consider a blog where a cookie is used to remember someone's name, and the next time that person comments, their name is pre-filled. Stealing such a cookie gains you very little. You can already fill out the form yourself and provide any name you want. The vast majority of people who visit my site are readers. A very small minority join the discussions. An even smaller minority maintain modest profiles. It is the latter group that motivated me to restrict the schemes that the CSRF Redirector allows. Isolating it to its own domain would give me the opportunity to loosen this restriction without putting any of my readers at risk, which is why I mentioned this as an option. I did not elaborate on these points previously out of respect. (In fact, I only mentioned the same-origin policy after it seemed necessary.) You blog about web application security, so explaining the mundane details of XSS seemed disrespectful. The fact that your response lacks this same respect is disappointing. You’re not doing yourself any favors by acting haughty and immature. Please try to be a bit more professional; I’m trying to give you the benefit of the doubt.

XSS attacks exploit a client-side context and are therefore bound by the same-origin policy:

http://en.wikipedia.org/wiki/Same_origin_policy

For example, if a web site is mostly static, and the only non-static part is a broken 404 handler that has an XSS vulnerability, exploiting it is almost useless. If a web site doesn’t use cookies, or if the cookies it uses aren’t sensitive or trusted, stealing them is not the all-powerful exploit you seem to think it is. Consider a blog where a cookie is used to remember someone’s name, and the next time that person comments, their name is pre-filled. Stealing such a cookie gains you very little. You can already fill out the form yourself and provide any name you want.

The vast majority of people who visit my site are readers. A very small minority join the discussions. An even smaller minority maintain modest profiles. It is the latter group that motivated me to restrict the schemes that the CSRF Redirector allows. Isolating it to its own domain would give me the opportunity to loosen this restriction without putting any of my readers at risk, which is why I mentioned this as an option.

I did not elaborate on these points previously out of respect. (In fact, I only mentioned the same-origin policy after it seemed necessary.) You blog about web application security, so explaining the mundane details of XSS seemed disrespectful. The fact that your response lacks this same respect is disappointing.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-256 Gareth Heyes Tue, 24 Jul 2007 20:13:28 +0000 http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-256 If you want Chris I shall demo stealing your cookies, reinstate the vulnerability and I will provide you with a link which transfers the cookies from your domain to another domain. If you want Chris I shall demo stealing your cookies, reinstate the vulnerability and I will provide you with a link which transfers the cookies from your domain to another domain.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-255 Gareth Heyes Tue, 24 Jul 2007 19:54:15 +0000 http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-255 Huh? lol so you consider a XSS hole on your server to be a slight risk. I suggest you look into XSS. I could transfer the cookies from your domain to any domain if a XSS hole is found on your site. Huh? lol so you consider a XSS hole on your server to be a slight risk. I suggest you look into XSS.

I could transfer the cookies from your domain to any domain if a XSS hole is found on your site.

]]> By: Chris Shiflett http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-254 Chris Shiflett Tue, 24 Jul 2007 16:07:01 +0000 http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-254 Gareth, the risk that XSS presents is limited by what's available within a particular domain. (Look into the same-origin policy.) This is both why I mentioned the risk being slight and why I mentioned the risk being acceptable if the vulnerability were isolated to its own domain. Gareth, the risk that XSS presents is limited by what’s available within a particular domain. (Look into the same-origin policy.) This is both why I mentioned the risk being slight and why I mentioned the risk being acceptable if the vulnerability were isolated to its own domain.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-233 Gareth Heyes Sun, 22 Jul 2007 10:41:28 +0000 http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-233 Chris the risk wasn't slight, your tool contained a XSS hole that could be exploited. Imagine a attacker who uses your tool then creates a tinyurl of it and then posts an interesting comment with a link to the tinyurl. The attacker could gain the cookies of the user or yourself. Chris the risk wasn’t slight, your tool contained a XSS hole that could be exploited.

Imagine a attacker who uses your tool then creates a tinyurl of it and then posts an interesting comment with a link to the tinyurl. The attacker could gain the cookies of the user or yourself.

]]> By: Chris Shiflett http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-232 Chris Shiflett Sat, 21 Jul 2007 23:06:48 +0000 http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-232 I'd prefer to allow everything, but I don't want to expose my readers to any risk, however slight. I could always isolate it to its own domain or something, and maybe that would be a good thing to do at some point. It would be nice to explore the opportunities that other schemes present. I’d prefer to allow everything, but I don’t want to expose my readers to any risk, however slight.

I could always isolate it to its own domain or something, and maybe that would be a good thing to do at some point. It would be nice to explore the opportunities that other schemes present.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-227 Gareth Heyes Wed, 18 Jul 2007 21:50:56 +0000 http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-227 Maybe so but it did allow anything, including Javascript: Glad you fixed it :) Maybe so but it did allow anything, including Javascript:

Glad you fixed it :)

]]> By: Chris Shiflett http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-224 Chris Shiflett Wed, 18 Jul 2007 17:31:22 +0000 http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-224 The tool has never been disabled; only the http and https schemes can be used for the target URL. The tool has never been disabled; only the http and https schemes can be used for the target URL.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-223 Gareth Heyes Wed, 18 Jul 2007 15:44:04 +0000 http://www.thespanner.co.uk/2007/07/18/vulnerability-found-in-security-tool/#comment-223 The tool has been disabled now. So the exploit will no longer work. The tool has been disabled now. So the exploit will no longer work.

]]>