Hi. In the last couple of weeks I have been reading a lot of security related literature with a strong emphasis on web related issues.
It seems to me that a lot of people tend to call themselves "Security Experts"; they work with security and they write articles and/or books about the subject. But... is it just me, or is there something wrong somewhere!? A LOT of the examples provided in the material are just so damn stupid that I can't believe anyone can take them seriously. A lot of the material uses examples where a malicious user inserts some code into the web page which points towards a hostile server. In order for this threat to be executed the attacker must "hack" the server (we are not talking about cross-site problems). WTF!? Someone hacks the server and the document talks about a session fixation attack. Yea, sure, someone might "hack" a web server in order to insert malicious code, but I don't really think that's our main problem then; our main problem would be to take the damn server off-line and start working out the main problem: how the h... the server got hacked in the first place.

For example, in the "Threat Classification" manual written by different people from the "Web Application Security Consortium" there is this example:

<snip>
Issuing a cookie using an HTTP response header. The attacker forces either the target web site, or any other site in the domain, to issue a session ID cookie. This can be achieved in many ways:
* Breaking into the web server in the domain (e.g., a poorly maintained WAP server).
</snip>

I have also found a lot of other examples in other books; Chris Shiflett's book about PHP security also uses some rather obscure examples (no offence Chris) in which I tend to think: Dude, if that can happen to someone running a web server he's too stupid to understand what you are writing and he shouldn't be running a web server in the first place.

Is this just me or!?

Best regards.
Rico.
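The quoted Threat Classification entry describes the pre-condition for session fixation: an attacker gets a session ID of their choosing into the victim's browser, by whatever delivery route. Whether the delivery route is realistic or not, the server-side defence is the same and is cheap, so here is an added illustration of it (example code written for this discussion, not from the post, the WASC document or Chris Shiflett's book). It assumes a minimal in-memory session store with two switches: whether the server adopts session IDs it never issued, and whether it regenerates the ID at login. The `"attacker-chosen-id"` value and the user name `alice` are constructed for the demonstration.

```python
import secrets


class SessionStore:
    """Minimal server-side session store (constructed example, not any framework's API)."""

    def __init__(self, accept_unknown_ids=False, regenerate_on_login=True):
        self._sessions = {}          # session id -> {"user": str | None}
        self.accept_unknown_ids = accept_unknown_ids
        self.regenerate_on_login = regenerate_on_login

    def _issue(self, user=None):
        # 256 bits from the OS CSPRNG; only IDs created here are ever trusted.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user}
        return sid

    def resolve(self, cookie_sid):
        """Map the session id presented in the request cookie to a usable session id."""
        if cookie_sid in self._sessions:
            return cookie_sid
        if self.accept_unknown_ids and cookie_sid:
            # Weak behaviour: adopt whatever id the client presents. This is what
            # turns a planted cookie into a live session once the victim logs in.
            self._sessions[cookie_sid] = {"user": None}
            return cookie_sid
        # Hardened behaviour: an id the server never issued is simply replaced.
        return self._issue()

    def login(self, sid, user):
        """Authenticate the session; returns the id the Set-Cookie response should carry."""
        if self.regenerate_on_login:
            # Privilege change => new id, so any id known to a third party before
            # authentication is worthless afterwards.
            self._sessions.pop(sid, None)
            return self._issue(user)
        # Weak behaviour: keep the pre-authentication id.
        self._sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def fixation_outcome(store):
    """Return the user the planted id resolves to after the victim logs in (None = defended)."""
    # Constructed: an id that reached the victim's browser via a Set-Cookie header
    # from some other host in the domain, as in the quoted WASC text.
    planted = "attacker-chosen-id"
    victim_sid = store.resolve(planted)          # victim's browser sends the planted cookie
    store.login(victim_sid, "alice")             # victim authenticates
    return store.user_for(planted)               # what does the planted id now grant?


if __name__ == "__main__":
    weak = SessionStore(accept_unknown_ids=True, regenerate_on_login=False)
    hardened = SessionStore()
    print("weak store   :", fixation_outcome(weak))       # alice
    print("hardened     :", fixation_outcome(hardened))   # None
```

Either switch on its own is enough to break the attack: refusing unissued IDs means the planted value never becomes a session, and regenerating at login means even an adopted ID is discarded before it carries any privilege. Doing both is the usual recommendation, since the first also stops the store from filling up with client-chosen keys.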