Monday, February 12, 2007

Most web security is like finding new ways to spend the loot

Since my degree is in philosophy, I like to think that good commentary and analysis rest on a good analogy. So here goes.

The web application is like a safe. Some have core vulnerabilities. Once you've cracked the safe, all of the novel attacks against the browser are just more ways of spending the loot.

There is a lot of research going on in the web application security world. Much of it is interesting, but it often focuses on what sorts of attacks can be carried out against an app that already has inadequate access controls, input/output filtering, etc. Even the smallest crack can be exploited to cause all sorts of disarray.

The problem is, it all starts with the same handful of vulnerabilities:

- Inappropriate filtering of input
- Inappropriate filtering of output
- Bad session handling, generation, etc.

Once you find one of those vulnerabilities, whether it's XSS, overwriting the user's whole JavaScript call tree, etc., it's all the same...
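To make the "same root cause" point concrete, here is an added illustration that is not from the original post: a constructed greeting template rendered once without output encoding and once with it, plus a small audit that reports any tag the template itself did not emit. The template, the sample inputs and the helper names are all assumptions made for this example.

```python
import html
import re

# Constructed template: the only markup it should ever emit is a <p> element.
TEMPLATE = "<p>Hello, {name}!</p>"

# Matches any HTML start or end tag and captures its name (group 2).
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def render_unsafe(name: str) -> str:
    """Vulnerable: user input is interpolated into the HTML unencoded."""
    return TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Hardened: encode the value for the HTML text context first."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def foreign_tags(page: str) -> list:
    """Names of tags present in the page that the template did not emit."""
    seen = {m.group(2).lower() for m in TAG_RE.finditer(page)}
    return sorted(seen - {"p"})


# Constructed inputs: one benign name and two that carry markup. Every
# markup-bearing variant is the same bug (missing output encoding).
SAMPLE_INPUTS = ["Alice", "<b>Bob</b>", "<script>alert(1)</script>"]


def audit(render) -> dict:
    """Map each sample input to the foreign tags the renderer lets through."""
    return {s: foreign_tags(render(s)) for s in SAMPLE_INPUTS}


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(label, audit(render))
```

Fixing the one encoding step at the root empties the audit for every variant at once, which is the point the post is making.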

Is finding new ways of spending stolen money all that interesting? For me, the answer is no. I'm a lot more interested in new types of vulnerabilities, new protection mechanisms, etc., not the billion or so ways I can screw up a site once it's subject to XSS attacks.

So, when papers about something like CSRF, same-site bypass of JavaScript rules, etc. come along, I'm interested. Clever attacks that presuppose a systematic weakness in a site just aren't that interesting anymore.
