XSS Vulnerabilities Reviewed and Re-Classified
An anonymous reader writes "Security Analysts at NeoSmart Technologies have revisited the now-famous XSS-type security vulnerabilities and attempted to re-classify their status as a security vulnerability. The argument is that XSS vulnerabilities are not a mark of bad or insecure code but rather a nasty but unavoidable risk that's a part of JavaScript - and that even then, XSS 'vulnerable' sites are no less dangerous or vulnerable at heart." Are they unavoidable, or just a symptom of lazy coding, or both?
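The claim above turns on whether a page that reflects visitor-supplied text is really "no different" from one that does not. The following is an added example, not code from the NeoSmart article or from any commenter: a minimal Node-runnable rendering function in its classic reflected-XSS form beside an output-encoded form, plus a small check a unit test can apply to rendered HTML. The function and variable names, and the constructed sample input, are assumptions made for this illustration.

```javascript
// Added example (not from the NeoSmart article or any commenter). Shows the
// one concrete difference between an "XSS vulnerable" page and a safe one:
// the unsafe renderer lets a visitor's input become markup; the safe one
// encodes it on output so it can only ever be text.

// Minimal HTML entity encoder for text placed inside an element body or a
// double-quoted attribute value. Order matters: '&' must be encoded first.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// "Before": the pattern that produces reflected XSS. A query-string value
// (here passed in as `name`) is concatenated straight into the page.
function renderGreetingUnsafe(name) {
  return '<p>Hello, ' + name + '!</p>';
}

// "After": the same feature, but the untrusted value is encoded on output.
// The page behaves identically for ordinary names; only markup is neutralised.
function renderGreetingSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '!</p>';
}

// Small check for a test suite or a code reviewer: if the untrusted input
// contained markup characters, does it survive verbatim in the output?
function containsUnescapedMarkup(html, untrusted) {
  if (!/[<>"']/.test(untrusted)) return false; // plain text cannot become markup
  return html.includes(untrusted);
}

// Constructed sample input: a visitor-supplied "name" that carries HTML tags.
const sampleName = '<b>Eve</b><script>/* visitor-controlled code */</script>';

console.log('unsafe:', renderGreetingUnsafe(sampleName));
console.log('safe:  ', renderGreetingSafe(sampleName));
console.log('unsafe leaks markup:', containsUnescapedMarkup(renderGreetingUnsafe(sampleName), sampleName));
console.log('safe leaks markup:  ', containsUnescapedMarkup(renderGreetingSafe(sampleName), sampleName));
```

Run with `node` to see the two renderings side by side. The point the example makes is that the "vulnerability" is a property of the rendering code, not of JavaScript as a language: encoding at the output boundary is a few lines and removes the class of bug entirely for this context (attribute and URL contexts need their own encoders).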
Samy is still my hero.
I use VBScript, so I guess I'm safe.
"...we prefer to call it an 'unrequested Javascript surplus'"
But that isn't the best bit:
"Sites with XSS 'vulnerabilities' aren't insecure. They're absolutely no different than any other site - except that a user can manipulate the way content displays on an 'insecure' page"
That's like saying 'Pearl Harbour wasn't "vulnerable". It was absolutely no different than any other naval base - except that the Japanese could drop bombs on it'
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
Much of the article seems to be a diatribe against JavaScript, more properly called ECMAScript.
I was always prejudiced against JavaScript, but a couple of years ago I was stuck with a problem which could only be done in JavaScript (the selections in the second menu depended on your choice in the first menu; all other checkboxes and menus depended on the second menu selection) or with about 50 static pages.
I actually came to like it; it's actually a very clean and consistent programming language, albeit with very few built-in features. After a couple of days the only times I ever felt the need to RTFM was for the exact names of the various bits of the web browser's DOM structure.
How anyone could recommend VB over JavaScript is beyond me, and I note no one has suggested the return of the Java Applet!
As for buggy, well, there are JavaScripts with bugs in, but there are very, very few bugs in the ECMAScript implementations I have dealt with.
Old COBOL programmers never die. They just code in C.
Why not--Homer was the first to write extensively about Ajax!