Thursday, February 15, 2007

10 signs you’ve been in web application security too long

RSnake helped me put this little thing together....

  1. You sometimes use Lynx to surf the Web. Furthermore you know what Lynx is.
  2. You don’t find it humorous when someone says they’re a penetration tester.
  3. When you send someone a link they say, “do you really expect me to click on that?”
  4. You get annoyed when someone refers to an HTML Injection vulnerability as Cross-Site Scripting.
  5. You know that Slashdot uses a really strange URL format in their source code.
  6. You’ve gotten more than 10 emails from strangers asking you to help them hack their girlfriend’s Hotmail account.
  7. Your handle begins with the first initial of your name followed by “Snake”.
  8. Web 2.0 websites don’t work in your browser unless you turn off all your security plugins.
  9. You know who Brendan Eich is and hate his guts.
  10. Someone is stupid enough to bet you a thousand dollars you can't maliciously use 30% of websites on the Internet.


Anonymous said...

11. when you read an article on "web hacking" and it includes a quote from B.H. and you automatically skim ahead looking for "Web 2.0 blah blah" or "Ajax, mumble, crazy, attack surface" because you know it's somewhere in the next few sentences.


Anonymous said...

Lynx? Telnet? Come on, it's all about netcat. :)

Nice post.

Anonymous said...

* When you know the ASCII table by heart

* When apostrophe and angled brackets are some of the most used keys on your keyboard

* When every time you visit a web site for the first time, you have dirty thoughts about input sanitation

Jeremiah Grossman said...

@Chris E,

How about this....

* If you've used a unicode exploit to execute TFTP for uploading netcat and install a trojan.


Brilliant! :)

Jeremiah Grossman said...

* When you're at a conference you have to apologize to most people you meet, especially browser vendors.

Unknown said...

* You give up on security altogether and only trust your ability to contest charges to your credit card...

Anonymous said...

Jeremiah! Nice list ;-).

Sign 7 in particular.

And Ory is right about input sanitation. Because for a long time already when I come to some site first I think about its security :-).


You and RSnake have been for a long time in webapp security, but I have been not so long, just from 2005 (March 2005). So I do not have all these signs :-) - this is just a matter of time.

Anonymous said...

And Jeremiah!

Why do you not write about your new XSS book :-) - one of the authors of which you are.

RSnake has already posted at his site about it (some days ago). And Pdp has also written about it yesterday - he would be the 5th author with you and other guys. I feel that it will be 5th author and here it is. It is good to see him with you in team.

It is good that such cool web security guys write such cool security book (about XSS). I wish good luck to all of you and to your new book!

Don't forget to write about all types of XSS in the book. Write a chapter about UXSS and a chapter about XSS on SEO (black seo) ;-). And about many other interesting things.

John said...

When you send someone a link they say, “do you really expect me to click on that?”

I get that a lot

Anonymous said...

I guess this means that I haven't been in application security for too long then, but from my googling it seems like this is a common misconception. Can you go into a bit more detail about when an HTML injection flaw is not an XSS flaw too?

Jeremiah Grossman said...

Hey MustLive, we're going to pack in as much as we can. We didn't think the XSS space had so much data. :)

Jeremiah Grossman said...

There are 3 kinds of XSS: non-persistent, persistent, and DOM-based. Non-persistent XSS is the most common type requiring the victim to click to be exploited. The persistent variety is when the attacker posts HTML/JavaScript to a public location. The effects of both are the same, but the way they are set up is different. Anyway, some people don't see persistent XSS as being XSS at all, and prefer the name HTML Injection as more descriptive.

Anonymous said...

Regarding #4... CVE uses "cross-site scripting" as a catch-all because the underlying weakness is the same - incorrectly filtering (or quoting) data that is interpreted as control information. From the weakness side, the only difference between types 1 to 3 is which communication channels are used and the location of the error. Obviously there are differences from the attack/impact side. Also, most published vulns don't make the distinction.