
November 12, 2010



David Ross

I was also doing research in this space on the Internet Explorer team in late 1999. (Related blog: http://bit.ly/cmc2jo) It's certainly quite common in real life for ideas to be conceptualized by different individuals independently. But I really am surprised by your 2nd to last paragraph. Georgi Guninski's browser bugs were an inspiration on the work I was doing, that is something I recall. But beyond that I'm sort of left scratching my head.

David Ross

Ahh, less head-scratching now. I found a reference to an issue on IIS error pages from that timeframe that I think is a match.

Marvin Simkin

David, the blog you reference says "The research leading up to the disclosure dates to mid-December 1999". I had a working XSS scanner in early November 1999, so I think it is fair to assume I'd been developing it a while before that, though I don't recall the exact date when I started.

I agree it is likely several people were moving in the same direction at the same time. Again I don't recall exact dates, but is it possible our conference call with the Internet Explorer security team (in October? November?) was part of the inspiration for the research push in December?

Marvin Simkin

Regarding Georgi Guninski's browser bugs (a researcher I highly respect, by the way) I'd comment that XSS was not a browser bug, but rather an unexpected outcome of several parts all working as designed -- including, for example, 404 error pages which would echo your Referer header without sanitizing it. The only bug was trusting user input -- but "Who would attack themselves?" was the thinking at the time.
