>There was discussion last week in the Full-Disclosure about XSS >vulnerabilities in reply to XSS vulns in PayPal and Gadi Evron >suggested creation of a separate mailing list for just XSS >vulnerabilities. This is definitely a growing gap in our current knowledge. I don't think it's being tracked very well, although I thought Jeremiah Grossman started tracking the more serious issues. Vulnerability databases (CVE included) historically have NOT recorded site-specific XSS and other issues like sensitive data disclosure. The primary reason is that most vuln DBs are focused on issues in software that a system administrator would be directly responsible for. Software services, which is basically what you're talking about with PayPal, Google, and the like, are not under direct control of the sysadmin - plus, the vendor merely needs to flip a switch (i.e. patch the bug) and the problem is instantly fixed for all customers. The lines between "site-specific" and "distributable" software are becoming more blurry however, e.g. with hosted solutions. Another issue might arise with respect to disclosure, in that if you publish a site-specific security issue, you're highlighting how to attack a specific site. I'm not a lawyer, but as I understand it, this gets into more dangerous legal waters than disclosure of regular software. >XSS bugs are easy to discover and easy to fix, so what's the problem? This is a common misconception. The basic XSS issues are easy to discover and fix, and there are still far too many of them in software. That's partially because with XSS, every single input/output is suspect, and you simply don't get that large of an attack surface with other vuln types. Over the years, XSS has demonstrated a rich set of attack variants, such as the recent 8-bit XSS bypass discussed by Kurt Huwig (http://seclists.org/lists/bugtraq/2006/Jun/0549.html) - Steve
