Re: [WEB SECURITY] Severity Rating of Cross Site Scripting
- From: "Irene Abezgauz" <irene.abezgauz@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Severity Rating of Cross Site Scripting
- Date: Wed, 27 Sep 2006 14:27:24 +0200
>
> As usual, there's no simple answer or single answer as applications are
> unique, business functions differ and there are certain conditions in which
> the severity could be relatively low (I can think of several such cases).

However, I usually (and I emphasize the usually, usually as in - "in most
cases but far from being always") classify XSS as high, while Script
Injection (persistent XSS) is classified as very high or critical. The
reason for this differentiation between persistent and reflected is the fact
that in the persistent XSS attack the user is very passive. Unlike reflected
XSS, here there is no following links of suspicious origin or other things
that can be referred to as "user fault". The user is completely passive in
the process.

The way I see it, XSS, especially persistent XSS, is definitely a very
severe vulnerability that should be viewed and treated appropriately. One of
the major points that most people are still not aware of is the exploitation
vectors which are so much more than "cookie theft".

Getting people to realize the true severity and impact of XSS is still a
process. Just a few days ago I found myself explaining to a customer how
come I think persistent XSS is "one of the major findings in the
application" right up there with "truly evil stuff" like the SQL
injection which I have found in that same application and allowed me to
retrieve the entire database. Another issue when showing such findings to
customers is the fact it's quite difficult to SHOW the customer the possible
outcomes of XSS, which makes it harder to explain why it's so severe.

Severity classification of vulnerabilities found in an application depends a
lot on the business function of the application, the location of the
vulnerability, and the exploitation possibilities. There is never an answer
like "XSS is low severity, SQL injection is high severity" 'cause I've seen
applications where SQL injection matters nothing, as well as applications
where persistent XSS hit the very center of the application business
function allowing attackers access to very sensitive business information
they would not have gained otherwise.

Bottom line? I usually classify XSS as high to critical, depending on the
application and the attack type.

Irene

Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Brought to you by http://www.webappsec.org