I have several unfixed XSSes on my page which I have repeatedly warned the owners of the domains about, but they either leave the holes open or plainly, I assume, do not know how to patch vulnerabilities.

Phishing attacks remain the most dangerous, in my opinion, due to the possible payloads.

I report all XSS vulnerabilities I find to XSSed, and I contact the owners of the sites when I have the time and believe that they will care. For example when I find a XSS in Google I know that they will thank me for my help and patch it as soon as possible, but on smaller sites like personal home pages webmasters seldom even respond to my emails.

I think of this as a ‘white-hat sport’, if you can call it that. I can help people to increase their online security, but I also get points on XSSed proving that I do so. It may sound childish to collect points, but it sure works to keep me motivated ;)

Currently I have the highest amount of fixed XSS vulnerabilities of all XSSed submitters, and I’ll try to keep it that way as long as the site stays online.

// Uber0n

D

Guess what Renko Karman… I am now going to give a very very big answer! You stimulated my ego you see – YOUR perception of my ego since you know me from yesterday! :P Ego for you means smilies and long replies(excuses as you called mine). You have a very wrong way of perceivings things in general. You have a very wrong way of approaching people too with your poor “lil” criticism, and of communicating with people. If you want please tell me the truth, are you self-taught in IRONIC criticism with no positive context?

As an egoist, I honestly believe that I owe you a better explanation… I did not defend against any accussation. I did not come here to defend the pride of XSSed or any pride. Based on pdp’s scenario, me and Kevin came here to discuss with him and the readers possible ways to prevent it from occuring now and in the future (with more sites indexed in our db). We came also to consider opinions for improving our service. [read old news on our site]
All the discussions were polite, visitors of this blog post exchanged information (opinions and ideas), until you visited here and started throwing your cosmetic adjectives to me: “and to me, your excuse certainly sounds cheap, so maybe you really are?” etc [refer]

We took the initiative to create something for the webappsec community and with the scope of increasing security on the web. This service is up since February 2007. There is currently one “flaw” in its design. What is currently missing is a sophisticated early warning mailing list subscription feature. This feature is currenty being developed. Alternatively there are other methods of notifying webmasters for their XSS vulnerable sites: e-mail, our SEOed mirrors (check with “yoursite.com xss”).

They care about their webappsec? XSS is webappvuln? XSSed deals with XSS? Surely they’ll find us and manually monitor us for their websites. Until the early warning feature is completely coded, we are not going to publish major mirrors without making sure that submitters contacted them. Otherwise we contact them.

Obviously you have misunderstood my comments as excuses from your very first post and did not do your homework. It was this misunderstanding that made you think you are smart enough to sum up my “statement” in one sentence: “you are not obligated to warn anyone.” I never said anything like that my friend Renko Karman. Can you please clarify where your summing up is based? Show me your understanding for once!

You may have a different point of view about something, but you must know that a point of view is always based on your awareness of all or some aspects of that something. In case you did not get it, your point of view was based on incomplete knowledge. Incomplete knowledge usually comes from wrong understanding. Wrong understanding comes because you are dumb – generally speaking, no offense Renko!.

As for the things you never said, it was my mistake to believe that you are quite good at receiving jokes and irony – judging of course from all your offensive type of comments. Treat for treat!

I hope that you understand better now… Cos an answer that long ain’t bullshittin! Aiight? :P <– ego smiley,feeling of defeat. :P

PS1: I wanted to know your name because I like to know with whom I am discussing with… ;) You see… I am part of the “Security Paranoia, keeping us clothed and fed since init().” generation.

PS2: Anything that you might find offensive in this post, I would ask you please to cross it out of your mind. Thanks.

My Best Regards and Wishes for your digital life,

D

Your ego is way to big to be supported by your weak words. anyway…

first of all, my mom and dad called me renko, thats why my friends call me that too now… i dunno what you are getting at with the “use your real name”. i guess you needed some stick to beat me with or something and the name was the best you could find? anyway lets say my name is renko karman (happy now?). hope you see how silly your accusation is about me being afraid to use it in full. you want my email addy too? it’s rkarman@hotmail.com …. (yes of course it’s a spam addy silly… and i didn’t use my real addy since i am AFRAID … of spam …)

second, i never said you phisically hurt animals or humans. i did say you hurt people, by helping kiddies and criminals to steal “personal” info and corrupt computer systems.

then let me also sum up your point of view: “you are not obligated to warn anyone.” it’s your whole statement summed up in 1 sentence and guess what… your statement is also lacking politeness, informative content and good points… bravo!!!

anyway i see you are too happy being you and too dumb to look for something positive in a lil criticism. i guess you are going to give a big answer now, but it won’t help anymore since in your first awnser you already choose what i am to you instead of trying to see how it was possible that i saw things different. but then again, there is also a need for narrow minded people in this world right?

Anyway, if you have anything more specific to add (relating to this post by pdp and the comments), add it and don’t waste my time with your history lessons. Otherwise don’t just post because you want to have the final word.

D

As you commented, I am not upholding that I seriously believe all of the XSS vulnerabilities were reported to “the site owners” by the people who report them to us. The individual who spotted and submitted to us the XSS flaw, has the ethical option to contact the webmasters in order to let them know about the issue, or even better help them to resolve it. We strongly support that option but cannot force it – just advise. The webmasters of the affected sites can now use the RSS feeds – xssed.com/rss – and the early warning mailing list subscription feature if they want to be instantly notified and thus mitigate possible associated risks in a short time span – of course how quickly they mitigate risks depends on their level of professionalism, customer service, lazyness and other important factors.

Mirroring significantly helps the webmasters and web communities to be notified faster.

We personally believe that your comment is mad. I am convinced that you did not carefully read all the above comments and just falsely filtered out what YOU considered to be the “juice” of this subject matter. Obviously there is a very high possibility that you either fall victim of XSS exploitation and you’re indexed in XSSed, or you’re just jealous that we are making “bucks”. If you are nothing of the above, then you are just a cyber commie… Highly possible as well, since you are now reading this on GNUcitizen.org – no offence pdp, you kewl. ;-)

Nevertheless thank you for giving me once more the opportunity to express my “cheap excuses” – :P – to people like you with an attitude of an accuser – chipmunk!

PS1: I am cheap and we are “unwittingly” hurting people and making the world a worse place – this is almost your whole comment summed up in one line. Now how cheap is this… Lacks of politeness, informative content and good points which influence irony-free web security related discussions – the type of discussions you are not used to.

PS2: We did not hurt any people or animals.

PS3: I hope you received the answer you deserve.

PS4: Next time put your real name… Nothing to be afraid of…

PS5: January of 2015 :)

Best Regards

I think you are very lenient on yourself… just claiming the easy way out that you are not responsible for warning the affected site. You are also not responsible of providing a place where kiddies can show of their skill in finding XSS vulnerabilities, right? Yet you are all too happy to provide that service. so as that service significantly increases the risk of people being hurt (even though that was never your intention and it might not go away when you stop your service) you should feel responsible for everything you CAN (not must) do… You can help the world to be a better place, just like you unwittingly help make the world a worse place. It certainly is your responsibility to uphold your intentions of helping. Do as much good as possible, help limiting as much bad that result from it…

Or are you seriously going to uphold that you seriously believe all of the XSS vulnerabilities were reported to “the site owners” by the people who report them to you? They help you make a buck on the vulnerabilities, not warning makes you susceptible to conflict of interest…. and to me, your excuse certainly sounds cheap, so maybe you really are? …

Already most of the *.yahoo.com XSS vulnerabilities are fixed. Of course we are willing to assist the webmasters with fixing the vulnerabilities – for free. :-) This is what the XSS submitters should do!

I agree that we “show off” our skills in indexing and listing affected websites with the most traffic on the web. However, this is not the only thing we “show off”, but also the skills of the XSS discoverers/submitters. Maybe some of them feel uber proud knowing their nick is listed in that list. Good for them. =)

Google’s mission is to organise the very large amount of information available on the web.
We actively take part in that mission by organising information relating to XSS vulnerabilities for the major search engines.

What if someone uses the publicized XSS vulnerability information for malicious purposes?
Well, since the XSS vulnerability details are public, there is little or no excuse for not being able to fix them in a timely manner. Conscious and concerned web companies, their webmasters and web security people, must be looking on the web every minute or second for public security vulnerabilities affecting them.

It is up to the discoverer’s ethical attitudes whether or not to contact the webmasters for flaws.

As I am typing, Kevin is adding a feature to check which websites in the list have fixed the XSS vuln affecting them.

Can you please clarify what most real security websites do? I think they publish vulnerabilities which are either patched or unpatched… Same kind of thing pretty much, no?

Regards

But what you are doing there is exposing other vulnerabilities, something that gentleman don’t do. If you want to do it, at least don’t expose them by “popularity”. That clearly shows that your intentions are not only “to help” but maybe to show off…

Why exposing the “good guys” with such detail? You can simply do as most real security webSites do. Why do you think they behave that way?

Carl.

Believe me, I see where you are going and I know and understand your point of view. However, legally speaking, it is an offence. Consult with a lawyer and you will see. I am sure that no action will be taken against XSSED.com right now though, but as I said things will get a lot worse in the future. Keep that in mind.

One last thing; XSS vulnerabilities are just like SQL Injection vulnerabilities and they should be treated with the same respect. Just because XSS affects the client, it doesn’t mean that they are less dangerous. As I mentioned before:

I agree that indexing SQL injections would be illegal, it would be completly stupid. But indexing XSS is another thing, they do not “attack” the server, but the end users for most of the time. I also don’t think that they can sue us, because there are good ways to defend: for example, the fact that it is legitimate to warn everybody when a danger is “know”. To say the truth, i got this idea to create xssed when one of the zone-h members got his mailbox hacked because of a stupid XSS hole in a Microsoft web site (this was in december 2006), if that hole became public, Microsoft would have fixed it faster, or that user would have behaved more carefully. I believe this was more the fault of Microsoft than his fault, and i believe archiving and publishing is the only way to fight against XSS, i am sure that it will greatly improve our security.

thanks for the complete response

What is your point of view about full public disclosure of XSS vulnerabilities? What do think about my point of view?

Personally, I don’t think that it is correct to disclose vulnerabilities in public websites. The right think to do when you find a XSS or SQL Injection flaw on a public website is to contact the webmaster and in general the people who are responsible for the site maintenance. The situation is a bit different when it comes to software and in general applications, which can be installed on your computer and tested in designed for that purpose testing environments. Again, you should contact the vendor when you discover a vulnerability. In number of cases, depending totally on the situation, you may go and release the issue right away. I’ve done that in the past on a number of cases. However, I have also disclosed vulnerabilities in a responsible way as well.

In respect to XSSED.com, I do not think that you guys are disclosing any vulnerabilities but simple listing, indexing and organizing whatever is already public. According to the British Computer Misuse Act you are breaking the law, though. That of course does not apply to you, however, the point is that you have to be careful with these things because the legal system will get tougher in the future when it comes to IT crimes.