Re: [WEB SECURITY] Severity Rating of Cross Site Scripting
- From: "Ryan Barnett" <rcbarnett@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Severity Rating of Cross Site Scripting
- Date: Tue, 26 Sep 2006 17:25:13 -0400
Severity is tricky because it depends on who you are reporting the severity
to. Many organizations don't really care about XSS because they are
targeting end users and not the web application itself. If an XSS flaw
allows someone to send an attack to steal someone's session/credential data
on a user-board, what is the severity? Probably would be LOW from the
website's perspective but maybe HIGH from the user's point of view. Now, if
the webapp is a banking app instead of a user forum, then we have a whole
new ballgame. Once money is involved (e-commerce/banking, etc...) I think
that they should all be HIGH.
So, I guess that it is difficult to rate the severity in general, but it should be
based on the functionality of the webapp itself.
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
On 9/26/06, Jeremiah Grossman <jeremiah@whitehatsec.com> wrote:
>
> Cross Site Scripting (XSS) has really come into its own during the
> past 6 months. XSS now tops Mitre's CVE [1] and the WHID [2], not to
> mention all the media coverage during the last week. We've come to
> understand how incredibly severe XSS attacks can be considering
> Intranet Hacking [3] and Web Worms [4]. Typical cookie theft seems
> harmless by comparison. As a result, one of the questions that has
> resurfaced is severity rating.
>
> In previous years, most vulnerability assessment reports I've read
> understandably assign XSS vulnerabilities as "Medium". The same is
> true at WhiteHat Security. We rate non-persistent as "Medium",
> persistent as "High", with the vast majority being non-persistent.
> Today what's happening is the potential business impact of XSS has
> grown much greater and the threat differential between non-persistent
> and persistent is diminishing. For vulnerability reporting purposes
> we're compelled to increase the severity rating of almost all XSS
> issues to "High". This would seem to make more sense based on what we
> now know.
>
> What I'm interested to know is how others in the industry view XSS in
> terms of severity rating. Are there plans to increase reported
> severity?
>
>
> Regards,
>
> Jeremiah Grossman
> Chief Technology Officer
> WhiteHat Security, Inc.
> http://www.whitehatsec.com/
>
>
> [1] Vulnerability Type Distribution in CVE
> http://www.attrition.org/pipermail/vim/2006-September/001032.html
>
> [2] Web Hacking Incidents Database
> http://www.webappsec.org/projects/whid/
>
> [3] Hacking Intranet Websites from the Outside
> "JavaScript malware just got a lot more dangerous"
> http://jeremiahgrossman.blogspot.com/2006/08/home-from-blackhat-and-defcon.html
>
> [4] Teen uses worm to boost ratings on MySpace.com
> http://www.computerworld.com/securitytopics/security/holes/story/0,10801,105484,00.html
>
>
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
Brought to you by http://www.webappsec.org