To XSS or not?

okay, so we all like to diss on cross-site scripting vulnerabilities. they are indeed vulnerabilities, but there are so many of them that they have become tiresome, to say the least.

today, a serious cookie-stealing xss in paypal was reported. automatically, it was put down. i will try to address why xss vulnerabilities are critical, and yet how they clog our security information channels, and thus our ability to do our jobs.

honestly? kiddies reporting xss vulns with the flying colours of a remote code execution is annoying to me, but again, these are still vulnerabilities. they deserve to be reported.

i personally believe reporting them one by one to the world is important. if used on a news/commerce web site, for example, they can cause significant losses through phishing, or perhaps a massive scare through a carefully crafted fake news message.
if, as another example, the xss is in some publicly distributed php application, that indeed has relevance to the rest of the world, no matter how annoying the volumes of these may be.

more importantly, some xss vulnerabilities can be used for stealing cookies and sessions, taking over an inbox or a purchasing account, depending on what service the web site offers (as seen before on.. lycos? hotmail? paypal?).
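to make the cookie-stealing point concrete, here is an added illustration that is not part of the original post: a reflected-xss pattern (user input concatenated straight into markup) beside its output-encoded form, plus the cookie attributes that keep a session id out of reach of any script that does get injected. the function names, the "search results" page and the input string are all constructed for this example.

```javascript
// Added example, not code from the original post: a reflected-XSS pattern
// beside its hardened form, plus session-cookie attributes that limit what an
// injected script can read. renderSearchPage*, buildSessionCookie and the
// sample input are hypothetical / constructed for illustration.

// Minimal HTML entity encoding for text placed inside element content.
// '&' is encoded first so already-encoded output is not double-escaped wrongly.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The weak pattern: the query string goes straight into the page, so any
// markup the user supplies is parsed and executed by the browser.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// The hardened pattern: encode on output so user input stays literal text.
function renderSearchPageSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Session cookie attributes: HttpOnly keeps the value out of document.cookie
// (so injected script cannot read it), Secure keeps it off plaintext HTTP,
// SameSite=Lax limits cross-site sending. This reduces the impact of an XSS;
// it does not remove the XSS itself.
function buildSessionCookie(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Crude review/test-suite check: does rendered output still carry a raw
// script tag that came from the input?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input carrying markup, the classic thing an xss report tests with.
const constructedInput = '<script>alert(1)</script>';

// Runs the two renderers over the constructed input and reports which one
// still emits the tag unencoded; returns the result so callers can assert on it.
function compareRenderers(input) {
  const vulnerable = renderSearchPageVulnerable(input);
  const safe = renderSearchPageSafe(input);
  return {
    vulnerable,
    safe,
    vulnerableLeaksTag: containsRawScriptTag(vulnerable),
    safeLeaksTag: containsRawScriptTag(safe),
  };
}

const report = compareRenderers(constructedInput);
console.log('vulnerable output :', report.vulnerable);
console.log('encoded output    :', report.safe);
console.log('session cookie    :', buildSessionCookie('constructed-session-id'));
```

in a real application the encoding belongs in the templating layer (most template engines escape by default), and the HttpOnly flag is set on the server's Set-Cookie header; the point of the side-by-side is that the fix for the report itself is output encoding, while the cookie flags only cap the damage when an encoding slip ships anyway.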

xss vulnerabilities should not be looked down at. yet…

all that said, acknowledging xss for being a real vulnerability does not mean every xss is “worth reporting” or even reading. meaning: kiddies, for crying out loud, stop reporting every xss client-side content manipulation you find in every second-rate online dating service. it has become comparable to reporting every spam message you get.

philosophically, “full disclosure all the way, baby!”. in practicality, who doesn’t look down at xss vulnerabilities these days? they have become the trait of kiddies.
how about reporting them, but in batches, as some researchers have recently shown they can? the impact is larger and they still go public.

maybe if the volume of reports were lower and more digestible, and the importance/criticality measurement were sane, the serious xss vulnerabilities would indeed be taken as serious, with the respect they deserve.

as long as every 2-bit xss is being reported in a near-flood of useless email messages, in most cases they won’t be taken very seriously.

every web site out there likely has an xss or 10. this is not scalable for the regular security vulnerabilities information channels the way things go now. report the “less important ones”, but do so in digest mode, m’kay?

a few years ago we used to joke about auto-generating php vulnerability reports and sending them to bugtraq. who would be able to tell the difference? today, in my opinion, it has become a joke.

the paypal vulnerability reported today as found by securitylab.ru is critical, as it allows stealing the cookie. all credit naturally belongs to them, good work guys.

to make a point though, after this was published, a friend of mine looked back at an xss he found in passing 2 years ago and reported to paypal. obviously, it is still there and hasn't been acted on.

this does not take away from their finding, the credit is theirs, but perhaps if full disclosure had been applied 2 years ago (as paypal didn't do much about it), others who very likely found this vulnerability since would not have been able to exploit paypal users.

if it was, would it have gotten much attention? did it today when it was released in full disclosure?

this is what full disclosure was created for.

enough with silly xss vulnerabilities, people. let's be able to distinguish what's important and report it accordingly. then give the due respect to everything else and still report it, but in a digestible form.

again, what’s not-so-important can still (and should still) be reported, but please, stop clogging our lines of communication!

gadi evron,
ge@beyondsecurity.com.