Interview with xorrer
Article written by .mario
This time we talk to a guy who approached the group a while ago, submitted tremendously obfuscated JavaScript vectors and pointed out important flaws in the recent rule revisions. Since he came up with vectors containing characters like ‘ä’ and ‘ö’ we were pretty sure he is from Europe - now we know more. Here’s what xorrer has to say:
Q: Please tell us a little bit about yourself!
A: I’m a software engineering student at the Vienna University of Technology. Currently I’m working for a small company on their web shop. I like to listen to all kinds of music, my all time favorites are The Doors.
Q: How did you come to webappsec?
A: To be honest, a few weeks ago I wasn’t at all into webappsec. I guess I was reading/researching some stuff for work when I came across some RSS feed about XSS. After a little research and a few other feeds (e.g. RSnake’s XSS cheat sheet) I was into it. Since then I have read a lot about PHP security, SQLi, XSS, you name it. And with this entry I got to the PHPIDS project.
Q: What do you think about JavaScript - especially at the moment?
A: That’s a funny question, as before writing some vectors for PHPIDS I never really did anything in JavaScript. Now, after some fiddling around while testing PHPIDS, I think that JavaScript is the ultimate web security nightmare. As Gareth already stated: “JavaScript: The ultimate hacking tool”. There is just way too much you can do with it, and nowadays you can’t even turn it off in your browser, as there are many sites out there which won’t work without it (Ajax, jQuery, Dojo, …).
Q: Your hat is… please complete the sentence!
A: White. Responsible disclosure is the way to go. There are just too many script kiddies and other people out there for full disclosure.
Q: How would you imagine webappsec in five years?
A: I guess that for some years to come the situation will remain basically the same. The protections are just inferior to the attacks. And this won’t change so easily, as long as no company really gives (or even knows they should give) a thing about web security. Every day a new service and a new technology gets launched, and at that rate there will be new, un-thought-of vulnerabilities and new attacks waiting.
Q: The PHPIDS is… please complete the sentence!
A: A good weapon for the first row of defense. It’s built by people who know what they are doing and tested by experts in the field of web application security.
Q: Thanks a lot for the interview!