Being that my degree is in philosophy, I like to think that what makes good commentary and analysis is a good analogy. So here goes.
The web application is like a safe. Some have core vulnerabilities. Once you've cracked the safe all of the novel attacks against the browser are just more ways of spending the loot.
There is a lot of research that goes on in the web application security world. Much of it is interesting but it often focuses on what sorts of attacks can be done against an app that has inadequate access controls, input/output filtering, etc. Even the smallest crack can be exploited to cause all sorts of disarray, problems, etc.
Problem is, it all starts with vulnerabilities that are all the same:
- Inappropriate filtering of input
- Inappropriate filtering of output
- Bad session handling, generation, etc.
Is finding new ways of spending stolen money all that interesting? For me, the answer is no. I'm a lot more interested in new types of vulnerabilities, new protection mechanisms, etc. Not all of the billion or so ways I can screw up a site when its subject to XSS attacks.