On Fri, Jan 18, 2008 at 09:49:10PM +0100, [EMAIL PROTECTED] wrote:
> In the last couple of weeks I have been reading a lot of security
> (...) literature (...) on web-related issues.
>
> It seems to me that a lot of people (...) call themselves "Security
> Experts"
> But (...) [a] LOT of the examples provided in the material are just
> so damn stupid that I can't believe anyone can take them seriously.
> (...) I tend to think: Dude, if that can
> happen to someone running a web server he's too stupid to understand what
> you are writing and he shouldn't be running a web server in the first place.
>
> Is this just me or!?

No, it's not just you. Doing web application security or web programming correctly is hard, and not quite all the people doing it (are smart|care) enough to know what they are talking about.

This does not mean that there are no people who actually know what they are talking about; for instance, Amit Klein tends to produce posts that are, if not ground-breaking or brilliant, at least reasonably well-written explanations of issues that could actually crop up in programs or deployments created by competent people. (Like http://seclists.org/bugtraq/2005/Aug/0200.html.)

As a general rule, web security requires securing the underlying server (which is obviously a topic of its own, and includes DNS spoofing), knowledge of common programming errors (mostly variations on not distrusting input enough, which can range from SQL injection to allowing people to upload/link to malicious image files; see http://www.kb.cert.org/vuls/id/181038), and some protocol-level issues like HTTP response splitting. Add in basic knowledge of cryptographic issues (storing customer passwords using anything but salted hashes is likely a mistake, and you should at least be aware of how much entropy your session handler provides) and you've evaded most issues. At least, until you're stupid enough to allow random 'widgets' on your page and the like. There are some tricks, stuff like mod_security[1] or simulating static type checking by using Hungarian notation[2], that can help a little, but in the end it remains a difficult problem.

In the end, however, 'too stupid to run a web server' (for example, running phpBB and not updating it) tends to cause much more damage than a badly-written custom application.

I do hope some of these pointers are useful. Of course, this advice might turn out to be worth what you paid for it; I do not claim to belong to the few people who know enough to actually know what they are talking about, after all...

Joachim

[1] mod_security 1 is in ports, under security/mod_security; mod_security 2.x is only available for Apache 2, and not currently ported. (Although Apache 2 is.) The underlying model is fundamentally broken, but it can still catch some common problems, fix an issue quickly, and/or protect you from issues in decoders by rewriting a lot of stuff into a saner form.

[2] The basic idea is as written in http://www.joelonsoftware.com/articles/Wrong.html, under 'The Real Solution'.
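The 'simulating static type checking by using Hungarian notation' trick from footnote [2], as an added example that is not part of the mail above or of Joel's article. It follows the article's convention: names starting with `us` hold unsafe strings straight from the request, names starting with `s` hold HTML-encoded strings, and `sEncode` is the only way to get from one to the other, so a call like `write_html(usName)` looks wrong on the page. The two wrapper classes, `write_html`, `greeting_page`, the hypothetical `handle_request` and the sample form dictionary are all this example's own additions; the runtime check in `write_html` is an extra guard beyond the naming convention itself.

```python
"""Apps-Hungarian prefixes for taint tracking in a web handler.

Added example, not from the original mail. Convention assumed here:
  us...  unsafe string, raw from the request (form field, header, cookie)
  s...   safe string, already HTML-encoded, allowed to reach the response
"""
import html


class UnsafeStr(str):
    """Raw, attacker-controlled text. Never written to the page directly."""


class SafeStr(str):
    """HTML-encoded text, or markup literals the programmer wrote."""


def sEncode(usValue: UnsafeStr) -> SafeStr:
    """Joel's SFromUS: the single place where a `us` becomes an `s`."""
    return SafeStr(html.escape(str(usValue), quote=True))


def is_writable(value) -> bool:
    """True only for strings that carry the SafeStr marker."""
    return isinstance(value, SafeStr)


def write_html(sValue: SafeStr) -> str:
    """Emit a fragment. Refuses anything that is not a SafeStr, so a
    mistaken write_html(usName) fails instead of producing an XSS."""
    if not is_writable(sValue):
        raise TypeError("write_html() given a non-safe string: %r" % (sValue,))
    return str(sValue)


def greeting_page(usName: UnsafeStr) -> str:
    """Build a page from one request parameter.

    Reading the body, every `us` is converted with sEncode before it meets
    write_html; the line `write_html(usName)` would visibly mix prefixes.
    """
    sOpen = SafeStr("<p>Hello, ")   # constant markup, not input
    sClose = SafeStr("</p>")
    sName = sEncode(usName)          # usName -> sName
    return write_html(sOpen) + write_html(sName) + write_html(sClose)
    # write_html(usName)  <- wrong: a `us` reaching write_html


def handle_request(form: dict) -> str:
    """Hypothetical entry point: `form` stands in for the parsed query
    string or POST body a CGI/WSGI handler would receive."""
    usName = UnsafeStr(form.get("name", ""))
    return greeting_page(usName)


if __name__ == "__main__":
    # Constructed sample request, as an attacker might send it.
    print(handle_request({"name": "<script>alert(1)</script>"}))
```

The point of the convention is that the wrong line is visible in a code review without running anything; the `isinstance` check in `write_html` just turns the remaining slips into a loud failure rather than a silent injection.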
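The two cryptographic points in the mail (store passwords as salted hashes; know how much entropy your session identifier carries), as an added example that is neither the mail's nor any project's code. The unsalted MD5 function is there only to show the failure the mail warns about: two users with the same password get the same stored value. The salted scheme uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, the `pbkdf2_sha256$iterations$salt$digest` record format and the 128-bit session id are this example's choices, not something the mail prescribes.

```python
"""Salted password storage and session-id entropy. Added example, not
from the original mail; PBKDF2 parameters and record format are assumed."""
import base64
import hashlib
import hmac
import math
import secrets
from typing import Optional

ITERATIONS = 200_000  # example choice; tune to your hardware
ALGO = "pbkdf2_sha256"


def unsalted_md5(password: str) -> str:
    """The mistake: no salt, so equal passwords give equal digests and a
    precomputed table cracks every user at once. Shown for contrast only."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt$digest.
    A fresh 128-bit salt is drawn per call unless one is supplied."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return "%s$%d$%s$%s" % (
        ALGO, ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check does not leak how many bytes matched."""
    try:
        algo, iters, b64salt, b64digest = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    salt = base64.b64decode(b64salt)
    expected = base64.b64decode(b64digest)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, int(iters))
    return hmac.compare_digest(actual, expected)


def token_entropy_bits(token: str, alphabet_size: int) -> float:
    """Entropy of an id whose characters are drawn uniformly and
    independently from alphabet_size symbols (the best case; a PRNG seeded
    from time or a counter gives far less, whatever the length)."""
    return len(token) * math.log2(alphabet_size)


def new_session_id() -> str:
    """32 hex characters from the OS CSPRNG: 128 bits, not guessable."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed sample accounts; note the unsalted collision.
    alice = unsalted_md5("letmein")
    bob = unsalted_md5("letmein")
    print("unsalted collide:", alice == bob)
    rec_a = hash_password("letmein")
    rec_b = hash_password("letmein")
    print("salted differ:", rec_a != rec_b,
          "both verify:", verify_password("letmein", rec_a)
          and verify_password("letmein", rec_b))
    sid = new_session_id()
    print(sid, token_entropy_bits(sid, 16), "bits")
    print("6-digit id:", round(token_entropy_bits("123456", 10), 1), "bits")
```

The entropy helper only measures the id space; it cannot tell you whether the generator actually fills that space, which is why the session id above comes from `secrets` rather than a general-purpose PRNG.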