Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google

from [PPowenski] Network Security [Permanent Link]
Subject: RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google
Date: Tue, 11 Jul 2006 14:30:25 +0100 
As long as there are NO RULES i.e. standards which companies MUST adhere
to in order to ensure an application is built for suitability for
purpose and a basic set of security principles the current state of
software development will continue. 
There will be those large software vendors which will bend to pressure
from large corporations but without a LEGAL framework the huge numbers
of small to middle size applications vendors who would prefer smoke and
mirrors will continue with that theme since it is zero cost.




-----Original Message-----
From: tcp fin [mailto:inet_inaddr@yahoo.com] 
Sent: 11 July 2006 05:30
To: Martin O'Neal; drfrancky@securax.org; RSnake
Cc: bugtraq@cgisecurity.net; full-disclosure@lists.grok.org.uk;
bugtraq@securityfocus.com; webappsec@securityfocus.com;
websecurity@webappsec.org
Subject: RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting
in Google


Hey Martin , 
I agree with u partly but there are vendors out there
in the market who has Dont know DOnt care attitude. If
thats the case after idetifying and exploiting the vulnerability in the
same vendor product , I personally would not like to waste my and your
time with vendor who did not give us fav response before. 
I would refrain from taking names but I have seen that happening in the
past and still some of those vul are existing in those products. However
no one can deny Full Disclosure with responsibility the responsible
Disclosure !!! Regards, 
TCP-FIN


--- Martin O'Neal <martin.oneal@corsaire.com> wrote:




my opinion is that full disclosure is not for

vendors ..

it's for users. full disclosure is for us to know

how to

react on certain threads.


Which is just fine if you are technically competent
to understand the
threat, and there is also a valid mitigating
strategy you can employ
immediately.  For the vast majority of situations
though, this just
isn't the case.  The users are not technically
competent enough to
understand the true threat posed by an entry on a
news group (which are
generally hopelessly incomplete and/or factually
inaccurate) and then
this is coupled with a vulnerable product that may
be essential,
difficult to protect, and a stable official fix that
may be weeks or
months away from delivery.

I personally also believe in full disclosure, but it
has to be delivered
in a responsible fashion.  Dispatching
vulnerabilities to a public list
without even attempting to contact the vendor is
clearly not in the best
interest of the vendors nor the great majority of
the user base.

Martin...





----------------------------------------------------------------------

CONFIDENTIALITY:  This e-mail and any files
transmitted with it are
confidential and intended solely for the use of the
recipient(s) only.
Any review, retransmission, dissemination or other
use of, or taking
any action in reliance upon this information by
persons or entities
other than the intended recipient(s) is prohibited.
If you have
received this e-mail in error please notify the
sender immediately
and destroy the material whether stored on a
computer or otherwise.


----------------------------------------------------------------------

DISCLAIMER:  Any views or opinions presented within
this e-mail are
solely those of the author and do not necessarily
represent those
of Corsaire Limited, unless otherwise specifically
stated.


----------------------------------------------------------------------

Corsaire Limited, 3 Tannery House, Tannery Lane,
Send, Surrey, GU23 7EF
Telephone: +44(0)1483-226000
Email:info@corsaire.com




------------------------------------------------------------------------
-

Sponsored by: Watchfire

Securing a web application goes far beyond testing
the application using
manual processes, or by using automated systems and
tools. Watchfire's
"Web Application Security: Automated Scanning or
Manual Penetration
Testing?" whitepaper examines a few vulnerability
detection methods -
specifically comparing and contrasting manual
penetration testing with
automated scanning tools. Download it today!



https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm



------------------------------------------------------------------------
--






__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

------------------------------------------------------------------------
-
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional CSS attacks are performed, how
to 
secure your site against these attacks and check if your site is
protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
------------------------------------------------------------------------
--
This e-mail is intended for the named recipient(s).  It and any attachments may 
contain privileged and/or confidential information. They may not be disclosed 
to or used by or copied in any way by anyone other than the intended recipient. 
 If you are not one of the intended recipients, or this email is received in 
error, please immediately either notify the sender or contact OAG Worldwide 
Limited on +44 (0) 1582 600111 quoting the name of the sender and the email 
address to which it has been sent and then delete it and any attachment(s). 
While all reasonable efforts are made to safeguard inbound and outbound 
e-mails, OAG Worldwide Limited and its affiliate companies cannot guarantee 
that attachments do not contain any viruses or are compatible with your 
systems, and does not accept liability in respect of viruses or computer 
problems experienced. Neither OAG Worldwide Limited nor the sender accepts any 
responsibility for viruses and it is your responsibility to scan or otherwise 
check this email and any attachments.  
OAG Worldwide Limited may monitor or record outgoing and incoming e-mail to 
secure effective system operation and for other lawful purposes.  By replying 
to this email you give your consent to such monitoring. 
Thank you.
OAG Worldwide Limited is a company registered in England and Wales (registered 
number 4226716), with its registered office at Church Street, Dunstable, 
Bedfordshire, LU5 4HB, United Kingdom.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Intrusion Detection, Daniel Cid
Next by Date:  Oracle SQL Injection, Mark Keegan
Previous by Thread:  RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google, Martin O'Neal
Next by Thread:  DMZ and critical data, Pedro Henrique Morsch Mazzoni
Indexes:  [Date] [Thread] [Top] [All Lists]