Posted by kecoak on Nov 5, 2007


Apart from all the troll games played on the Full-Disclosure mailing list, there is still some interesting security discussion there. One that showed up lately is the exchange between PDP (architect) and reepex about 'XSS and its technical merit'. It is well known that most people think XSS is just a lame bug: most published XSS exploits are limited to cookie stealing, phishing, etc., using code injected into a web application. The other interesting part is that many people who are used to dealing with buffer overflow exploitation think XSS is useless and only for dummies who cannot find and produce a buffer overflow exploit against a system application.
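The "injected code" this paragraph refers to is, at its core, untrusted input that reaches a page without being encoded. As an added illustration (not code from the original post, PDP, or reepex), the snippet below renders a request parameter first the unsafe way and then with HTML escaping, and includes a small check a developer can keep as a regression test for the fix. The function names and the sample input are constructed for this example.

```javascript
// Added example (not from the original post): reflected output of a
// request parameter, first unescaped, then with HTML escaping applied.

// Minimal HTML escaper for text placed inside an element body.
// It rewrites the five characters that can change HTML structure there.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Unsafe: the parameter is spliced into markup verbatim, so any markup in
// it becomes part of the page. This is the pattern behind the cookie-theft
// and phishing payloads the post mentions.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: the same template, but the parameter is escaped first.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Regression check: does the rendered HTML contain any tag other than the
// ones the template itself emits? Only tags in `allowed` are expected.
function containsForeignTags(html, allowed = ['p']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample: a query-string value a tester might submit. The
// script body only changes the document title, so it is harmless.
const sampleInput = '<script>document.title="injected"</script>';

console.log(renderGreetingUnsafe(sampleInput));
console.log(renderGreetingSafe(sampleInput));
console.log('unsafe output has foreign tags:',
  containsForeignTags(renderGreetingUnsafe(sampleInput)));
console.log('safe output has foreign tags:',
  containsForeignTags(renderGreetingSafe(sampleInput)));
```

The escaper is only correct for text inside an element body; a value placed inside an attribute, a URL, or a script block needs the encoding for that context, which is part of why the post's author calls exploitation (and, by extension, defence) of XSS "tangled".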

IMHO, PDP's way of explaining XSS on the list is very interesting. Let's not look at it from the comparison between buffer overflow and XSS, but at the other things that come with it. As PDP said on the list, today we see 'A' x 10000 used everywhere as the common way to find buffer overflow bugs, but remember this technique 10-15 years ago, when buffer overflows were still difficult bugs to imagine and to exploit, even though it was easy to find the vector and crash the software. A few years later the techniques for finding this kind of vulnerability improved, and we saw lots of people testing every part of a program that reads input (user input, environment variables, etc.) against buffer overflows and producing exploits that turn that vector into code execution on the machine. Not many people realized this at first, while lots of applications were vulnerable to this kind of attack, and we all know that system applications at that time were not what we find today.

Today, system-related technology has matured. Many applications and systems have the capability to prevent a buffer overflow from being exploited, many techniques have been found to prevent the bugs, and it is difficult to deal with this kind of bug since systems have matured over 15 years and many are protected by two or more layers, which makes buffer overflows hard to exploit. But I don't think we can use that as a reason to call XSS and other web bugs lame. The trend is moving, and technology is moving from the basic system to web technology. We can think of the web as a platform just like the operating system, and more and more people are involved with this technology: social bookmarking, companies, and social life are getting tied to web technology. So bugs in it are getting more harmful, since many people and parties will be affected, and XSS is no exception. PDP has also shown that XSS bugs can be used to walk and scan an internal network that is protected by a firewall.

Another interesting part of this discussion is that XSS (in its deeper, more harmful impact) is more difficult to research against an application, since it relates to a live online system where everything we can see is only POST/GET requests. You cannot just get the binary and use a debugger offline to find its vulnerabilities, and it is a challenge for now to develop tools for this purpose the way we can use IDA Pro, OllyDbg, or gdb to get a picture of how an application works.

XSS is largely complicated type of attack. It is very hard to pull and requires a lot of technical knowledge. It is easy to find useless XSS vectors but exploiting them is an art very few can practice at the moment. The beauty of buffer overflow exploits is in their sharpness. The beauty of XSS is in the imagination of the attacker and the level of tangled complexity you have to deal with.

I like the last part of his statement. Yes, buffer overflows are sharp, but XSS needs more imagination from us to exploit in an artful way using the existing vector.
