Thursday, February 15, 2007

10 signs you’ve been in web application security too long

RSnake helped me put this little thing together....

- You sometimes use Lynx to surf the Web. Furthermore, you know what Lynx is.
- You don’t find it humorous when someone says they’re a penetration tester.
- When you send someone a link they say, “do you really expect me to click on that?”
- You get annoyed when someone refers to an HTML Injection vulnerability as Cross-Site Scripting.
- You know that Slashdot uses a really strange URL format in their source code.
- You’ve gotten more than 10 emails from strangers asking you to help them hack their girlfriend’s Hotmail account.
- Your handle begins with the first initial of your name followed by “Snake”.
- Web 2.0 websites don’t work in your browser unless you turn off all your security plugins.
- You know who Brendan Eich is and hate his guts.
- Someone is stupid enough to bet you a thousand dollars you can't maliciously use 30% of websites on the Internet.

Posted by Jeremiah Grossman at 5:32 PM
11. When you read an article on "web hacking" and it includes a quote from B.H. and you automatically skim ahead looking for "Web 2.0 blah blah" or "Ajax, mumble, crazy, attack surface" because you know it's somewhere in the next few sentences.
Lynx? Telnet? Come on, it's all about netcat. :)
* When you know the ASCII table by heart
* When apostrophe and angled brackets are some of the most used keys in your keyboard
* When every time you visit a web site for the first time, you have dirty thoughts about input sanitation
How about this....
* If you've used a unicode exploit to execute TFTP for uploading netcat and install a trojan.
* When you're at a conference you have to apologize to most people you meet, especially browser vendors.
* You give up on security altogether and only trust your ability to contest charges to your credit card...
Jeremiah! Nice list ;-).
Sign 7 in particular.
And Ory is right about input sanitation, because for a long time already, when I come to some site, I first think about its security :-).
You and RSnake have been in webapp security for a long time, but I have not been for so long, just since 2005 (March 2005). So I don't have all these signs :-) - this is just a matter of time.
Why don't you write about your new XSS book :-) - of which you are one of the authors?
RSnake has already posted about it at his site (some days ago). And pdp also wrote about it yesterday - he would be the 5th author with you and the other guys. I felt that there would be a 5th author, and here he is. It is good to see him with you in the team.
It is good that such cool web security guys are writing such a cool security book (about XSS). I wish good luck to all of you and to your new book!
Don't forget to write about all the types of XSS in the book. Write a chapter about UXSS and a chapter about XSS in SEO (black SEO) ;-). And about many other interesting things.
When you send someone a link they say, “do you really expect me to click on that?”
I get that a lot
I guess this means that I haven't been in application security for too long then, but from my googling it seems like this is a common misconception. Can you go into a bit more detail about when an HTML injection flaw is not an XSS flaw too?
Hey MustLive, we're going to pack in as much as we can. We didn't think the XSS space had so much data. :)
Regarding #4... CVE uses "cross-site scripting" as a catch-all because the underlying weakness is the same - incorrectly filtering (or quoting) data that is interpreted as control information. From the weakness side, the only difference between types 1 to 3 is which communication channels are used and the location of the error. Obviously there are differences from the attack/impact side. Also, most published vulns don't make the distinction.
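An added example illustrating the point made in the comment above (this is not code from the post or from any commenter): the underlying defect is one and the same, user data concatenated into a markup context without output encoding, and whether the result is called "HTML injection" or "cross-site scripting" depends only on what the attacker chooses to inject. The fix is the same escape in both cases. The page template, the payloads and the classification heuristic are constructed for this example.

```python
import html
import re

# Constructed sample: a page that reflects a user-supplied display name
# into its HTML. Both renderers below are hypothetical, not any real site.

def render_unsafe(name: str) -> str:
    """Vulnerable: the name lands in the markup context unencoded."""
    return f"<p>Hello, <b>{name}</b>!</p>"


def render_escaped(name: str) -> str:
    """Hardened: HTML-encode the name for the markup context it is written into.
    html.escape handles <, >, &, and with quote=True also " and '."""
    return f"<p>Hello, <b>{html.escape(name, quote=True)}</b>!</p>"


# Two constructed payloads against the same defect:
#   - the first only alters document structure (HTML injection, no script)
#   - the second carries an event handler and will execute script (XSS)
MARKUP_ONLY = '</b><i>not really bold</i><b>'
SCRIPT = '<img src=x onerror="alert(1)">'

# Deliberately simplified heuristic for labelling the outcome; real browsers
# have many more script-bearing constructs than these three patterns.
SCRIPT_PATTERN = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def classify(rendered: str, payload: str) -> str:
    """Label one rendering: 'neutralized' if the payload no longer appears
    verbatim in the output, 'xss' if it survived and can run script,
    'html-injection' if it survived but only changes markup."""
    if payload not in rendered:
        return "neutralized"
    if SCRIPT_PATTERN.search(payload):
        return "xss"
    return "html-injection"


if __name__ == "__main__":
    for label, payload in (("markup-only", MARKUP_ONLY), ("script", SCRIPT)):
        print(label, "unsafe  ->", classify(render_unsafe(payload), payload))
        print(label, "escaped ->", classify(render_escaped(payload), payload))
```

Run stand-alone it prints the four outcomes: the unsafe renderer yields "html-injection" for the first payload and "xss" for the second, while the escaped renderer yields "neutralized" for both. That is the CVE argument in miniature: one weakness (missing encoding of data that the browser interprets as control information), two attack labels that differ only in payload and impact.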