RSnake: My number one problem with WAFs is they don't protect against _all_ the vulns.
Jeremiah: Sure, but secure code doesn't fix all the vulns either
RSnake: Depends on _how_ secure! I could easily create a piece of code that was 100% secure. You wouldn't find it fun to interact with, but it would be secure.
Jeremiah: while (1) { exit; }
RSnake: Sure, if you want to get crazy. I was thinking: exit;
Jeremiah: dammit, 5 characters.
RSnake: I rule
15 comments:
By the same logic, your WAF could protect against all web app vulnerabilities - block all traffic. You wouldn't find it fun to interact with, but it would secure your web apps against all vulns (assuming the WAF itself didn't have a vulnerability).
And so the secure coding vs WAF debate rages on...
And by the same logic again, your WAF is full of security holes.
true, at the time I was more concerned that RSnake out-coded me. :)
Well then, you can just omit the `exit;` entirely, so... I win!
0 characters :)
hmm, can a piece of code with 0 characters be considered code? Sounds like we're about to get all philosophical now. :)
$ touch supercalifragilisticexpialidocious.java
$ cat > supercalifragilisticexpialidocious.java
^D
$
whitespace count?
I guess, if it can execute, though I hadn't thought we'd be reduced to this.
Well, David's ultimate WAF is more universal, cause it protects any application. Meanwhile RSnake's best coding practice works for the one only.
And if your 'exit;' was in a PHP file circa 2002, you'd still be 0wn3d due to the file upload bug in PHP, which occured before your web script logic was executed.
It's not just the web app, but the web app server/platform, the web server, and the entire network stack. Let's not even begin to talk about the load balancer, firewall, router, ....
I'm probably picking out the exact unintended tidbit of your post:
"RSnake: My number one problem with WAFs is they don't protect against _all_ the vulns."
Speaking of getting philosophical... :)
--bunch of stuff deleted here to reduce the rambling--
RSnake can pretty much say that about almost any reasonable security measure, then hide in a corner in a catatonic state until the mean people with the straight-jackets show up. :)
(Although yes, if someone consistently holds to the philosophy that only perfect or nearly perfect security measures are of value, then this can be a viable position. But most people I've experienced tend to be very selective when they throw out this argument...)
@Lonervamp - you are seeing my comment completely out of context, where immediately above that, I'm saying I'm trying to embrace WAFs more. But yes, way to miss the point of the joke! You people seriously need to learn how to laugh. Geez.
There are some things that a WAF will be good at (better than trying to do in application code), some things that it will be better to fix in the code, and some things that a WAF might give a little bit of marginal security against while code is fixed. I don't see any reason why either a WAF or source code patching has to solve the entire problem by itself.
I'm not sure what's funnier. The OP or the comments that have followed.
@Anonymous (RSnake?):
I don't get how I could have missed the point of your joke when the whole joke was out of context. :)
But yes, had it been in context, it would have been entirely understandable and taken quite well with a laugh. Yeesh, chill out? :)
Actually.. 2 characters.
CD 20.
:)))
PS: If you want a cleaner exit - it'd still be 4 characters:
b4 4c cd 21
(mov ah,4c and int 21)
~srx