[WEB SECURITY] Re: [Webappsec] Tacking A Difficult Problem - Solutions

[Amit Klein <aksecurity@xxxxxxxxx>]

Arian J. Evans wrote:
>     4.  I don't feel that HTTP Response Splitting is a serious issue. 
>     Nor do I feel that non-persistent Cross Site Scripting is a
>     serious security issue.  These issues are both being over-hyped by
>     the security vendors but are very seldom exploited in the real
>     world.  The issues are easy for automated scanners to detect, and
>     by over-hyping these issues the security vendors make their
>     products and services seem like they are providing more value than
>     they really are.  Sure it is possible to do a browser zombie
>     through XSS, but does it ever really happen in the real world? 
>     Fancy demos do not equal serious security issues. 
>
>
> Agreed on HTTP RS. XSS, well, that seems to be tipping. End of 2004 
> saw some very sophisticated attacks, starting with Suntrust Bank. Not 
> sure how wide spread they are, and if anyone actually uses a man in 
> the middle proxy. I distinctly remember someone telling me somewhere 
> around 1995 that heap overflows were "non-remotely exploitable" and 
> that exploits were never going to be written in 1-packet payload 
> <insert:sql_slammer_worm>. These are exploitable and could tip hard, 
> very quickly, but I think you are correct they this isn't the case yet.

But XSS is one of the outcomes of HTTP R.S. - So if you think XSS is a 
problem (or may become one), so should be HTTP R.S.

-Amit

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]