Tuesday, July 15, 2008

0wN3d by 5 characters

RSnake: My number one problem with WAFs is they don't protect against _all_ the vulns.

Jeremiah: Sure, but secure code doesn't fix all the vulns eitehr

RSnake: Depends on _how_ secure! I could easily create a peice of code that was 100% secure. You wouldn't find it fun to interact with, but it would be secure.

Jeremiah: while (1) { exit; }

RSnake: Sure, if you want to get crazy. I was thinking: exit;

Jeremiah: dammit, 5 characters.

RSnake: I rule


Anonymous said...

By the same logic, your WAF could protect against all web app vulnerabilities - block all traffic. You wouldn't find it fun to interact with, but it would secure your web apps against all vulns (assuming the WAF itself didn't have a vulnerability).

And so the secure coding vs WAF debate rages on...

Marcin said...

And by the same logic again, your WAF is full of security holes.

Jeremiah Grossman said...

true, at the time I was more concern that RSnake out coded me. :)

Marcin said...

Well then, you can just ommit the `exit;` entirely, so... I win!

0 characters :)

Jeremiah Grossman said...

hmm, can a piece of code with 0 characters be considered code? Sounds like we're about to get all philosophical now. :)

Marcin said...

$ touch supercalifragilisticexpialidocious.java
$ cat > supercalifragilisticexpialidocious.java


whitespace count?

Jeremiah Grossman said...

I guess, if it can execute, though I hadn't thought we'd be reduced to this.

Alexander Berezhnoy said...

Well, David's ultimate WAF is more universal, cause it protects any application. Meanwhile RSnake's best coding practice works for the one only.

Anonymous said...

And if your 'exit;' was in a PHP file circa 2002, you'd still be 0wn3d due to the file upload bug in PHP, which occured before your web script logic was executed.

It's not just the web app, but the web app server/platform, the web server, and the entire network stack. Let's not even begin to talk about the load balancer, firewall, router, ....

Unknown said...

I'm probably picking out the exact unintended tidbit of your post:

"RSnake: My number one problem with WAFs is they don't protect against _all_ the vulns."

Speaking of getting philosophical... :)

--bunch of stuff deleted here to reduce the rambling--

RSnake can pretty much say that about almost any reasonable security measure, then hide in a corner in a catatonic state until the mean people with the straight-jackets show up. :)

(Although yes, if someone consistently holds to the philosophy that only perfect or nearly perfect security measures are of value, then this can be a viable position. But most people I've experienced tend to be very selective when they throw out this argument...)

Anonymous said...

@Lonervamp - you are seeing my comment completely out of context, where immediately above that, I'm saying I'm trying to embrace WAFs more. But yes, way to miss the point of the joke! You people seriously need to learn how to laugh. Geez.

Anonymous said...

There are some things that a WAF will be good at (better than trying to do in application code), some things that it will be better to fix in the code, and some things that a WAF might give a little bit of marginal security against while code is fixed. I don't see any reason why either a WAF or source code patching has to solve the entire problem by itself.

Anonymous said...

I'm not sure what's funnier. The OP or the comments that have followed.

Unknown said...

@Anonymous (RSnake?):

I don't get how I could have missed the point of your joke when the whole joke was out of context. :)

But yes, had it been in context, it would have been entirely understandable and taken quite well with a laugh. Yeesh, chill out? :)

Random InfoSec Guy said...

Actually.. 2 characters.
CD 20.


PS: If you want a cleaner exit - it'd still be 4 characters:
b4 4c cd 21

(mov ah,4c and int 21)