Interview with Gareth Heyes

Article written by .mario

This is the second part of a series of interviews with people from the PHPIDS group. Today we are chatting with Gareth Heyes.

He recently submitted a bunch of concatenation vectors which gave us real headaches and helped a lot to improve the rules and the converter unit. Gareth is pretty well-known in the security scene and has created various tools such as the CSK and the JSFuzzer.

You can get a taste of his work here and here. Have fun reading!

Q: Please tell us a little bit about yourself?

My name is Gareth Heyes and I work for a big insurance firm near Manchester. I spend most of my daily working life developing web applications and learning new programming techniques. I’m always hacking my own stuff and trying to improve my code on a daily basis. My security work is done in my spare time and I often spend many hours in front of a monitor into the early hours of the morning. I’m married, have two dogs and I love playing and watching football when I’m not hacking.

Q: Who are The Spanners?

My mate Jake Smith asked if I wanted to be involved in a community web development blog. The name came from the “span” HTML tag; the original goal was to create a blog to enable designers and programmers to share knowledge. I started to post a lot of security stuff because I was really into doing security research, and it expanded from there. I feel a bit guilty for taking over the blog, but Jake assures me that he doesn’t mind and enjoys reading my stuff.

Q: You in ten years – looking back at WebAppSec today. What would you say?

I’d say it’s much harder to secure a web site than it was 10 years ago; the browser security model needs to improve because the attacks are always getting better. The basic browser security model hasn’t changed much and that worries me a great deal; even the attacks from 10 years ago will still work now. One thing that hasn’t changed much is vendors. I submitted XSS attacks to AOL, MSN and Altavista 10 years ago and never got a reply! At the time I didn’t know it was XSS; I just found that I could insert HTML into their search results.

Q: JavaScript is… please complete the sentence!

The ultimate hacking tool :)

Q: You spent lots of time in creating supreme vectors to test the PHPIDS – why?

Lots of reasons really: I love the project and the fact that it is open source, and the challenge of beating your filters after so many talented people have submitted vectors. Most of all, though, I was tempted by Sirdarckcat’s post. I love being challenged to do something that people think is difficult or impossible, and I suppose that is why I like security research so much.

Q: Thanks a lot for the interview, Gareth!

One Response to “Interview with Gareth Heyes”

  1. PHPIDS » Web Application Security 2.0 » Blog Archive » Interview with xorrer Says:

    [...] I think that JavaScript is the ultimate web security nightmare. As Gareth already stated, “Javascript: The ultimate hacking tool”. There is just way too much you can do with it and nowadays you can’t even turn it off [...]