Brian Chess on how XSS is not overrated:
If anything, I think the attackers just haven't yet explored much of what's available to them. If a bad guy gets to run JavaScript on your box, he can make HTTP requests to anything on your intranet. Have a web console for your firewall? That XSS hole could allow him to bring the shields down.
It is a large hole all right; the thing is that there are many attack payload areas that have not yet been explored, and Amit Klein touched on a few of them. Of course you have some of the same vectors in traditional, non-Ajax web apps that use JavaScript, but web apps don't have to use JavaScript, do they? Also, because an Ajax application is active in the browser, XSS-enabled attacks can behave like a virus, as Billy Hoffman pointed out in his Black Hat talk: fast, distributed, iterative attacking. Great. At least the maps look nice.
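As an added illustration (not from the original post or from Fortify): the same page fragment rendered with untrusted input spliced straight in, beside the hardened version that applies contextual HTML encoding, which is the control that keeps attacker-supplied markup from ever becoming script in the victim's browser. The function names and the sample input are my own assumptions.

```javascript
// Added example, not code from the original post.
// Assumed names: escapeHtml, renderGreetingUnsafe, renderGreetingSafe.

// Minimal entity encoder for text placed inside an HTML element body.
// Attribute, URL and JavaScript contexts each need their own encoder.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: a request parameter is concatenated into markup unchanged,
// so any tags it carries are parsed as part of the page.
function renderGreetingUnsafe(name) {
  return `<div class="greeting">Hello, ${name}!</div>`;
}

// Hardened: identical fragment, but the untrusted value is encoded for the
// element-body context before it touches the markup.
function renderGreetingSafe(name) {
  return `<div class="greeting">Hello, ${escapeHtml(name)}!</div>`;
}

// Crude check used only for this illustration: does the fragment contain a
// raw tag outside the wrapper div? Real scanners parse the HTML instead.
function containsRawTag(html) {
  const inner = html.replace(/^<div class="greeting">/, '').replace(/<\/div>$/, '');
  return /<\s*[a-zA-Z/]/.test(inner);
}

// Constructed sample input: the classic probe string, not a real attack.
const sample = '<script>alert(1)</script>';
console.log(containsRawTag(renderGreetingUnsafe(sample))); // true
console.log(containsRawTag(renderGreetingSafe(sample)));   // false
```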
My assumption is that the end game is that users will eventually figure out to ask for some assurance around the payload and connectivity of Ajax apps, but JavaScript and VBScript are not positioned to deliver these assurances today.
Update: looks like the Fortifiers have a new blog.