Full Disclosure mailing list archives

Re: Web Application Security Awareness Day
From: n3td3v <xploitable () gmail com>
Date: Wed, 16 Apr 2008 05:00:55 +0100

On Tue, Apr 15, 2008 at 7:24 PM, Jeff Stebelton <jeff.stebelton () gmail com> wrote:
 On Tue, Apr 15, 2008 at 12:32 PM, n3td3v <xploitable () gmail com> wrote:
 > Why May 1st 2008? Because web applications are closely related to e-commerce
 > and May Day is a common day for peaceful anti-capitalism protests, so it makes sense
 > to be on this day.

 I almost missed this little jewel, having the inestimable Mr. "n3td3v"
 in my junk list (anyone else think it odd he always refers to himself in
 the third party?)

 I want to see if I can follow the logic here. May 1st is a common day
 for ANTI-capitalism protests. Web applications are tied to e-commerce.
 Therefore, the day you *protest* commerce is the perfect day to hold a
 contest that conceivably you wish to help make commerce more *secure*?
 These threads never fail to provide some comic relief just when I need it.

i was just trying to bring awareness to web application security, not
have a protest against capitalism, and like you say posting
vulnerabilities in web applications is pro capitalism, so i don't see
where the problem is. having it on may the 1st is just more shock and
awe and is more likely to get attention towards web application
security. there is no protest, there is web application security
awareness day, it just makes it more interesting being on may day. if
web application security awareness day was on december the 1st, would
it have as much buzz about it? i say no... so to get the maximum
benefits from WASAD then you need to have some controversy in it,
rather than just say, ok we're going to have an annual day that for no
reason we release more web application bugs than normal. i think it's
useful for web application security awareness day to be on may the 1st
and not december the 1st, what do you think? no one is protesting
anything, we all have a web application bug sitting in our back pockets
anyway, they are easy to find and are useful tools.

all web application security awareness day is meant to do is say *hey,
we know maybe releasing cross-site scripting is normally lame and not
very hacker credible, but if we have one day a year that says, if you
release your lame xss's we won't laugh at you, like we might do on a
normal day* and it even goes for people who don't normally release web
application bugs, like folks who just go after buffer overruns in
internet explorer. on a normal day they wouldn't release a xss, but
what i say to them is, on web application security awareness day, it's
cool to do it.. and if you are a security researcher who normally only
releases B0f's, on web app sec awareness day you can throw your web
app bug onto the list and it won't be considered lame. the vision is
simple: on web app sec awareness day, it's uncool not to release a web
app bug, it's the ppl who don't release one who should be the ones
pointed and laughed at.

that's the problem with web app sec awareness on a normal day, ppl say
*boring xss*, *i'm not going to get hacker points with my peers, i'm
just going to copy&paste it to a txt file and leave it on my mem key
for five years until i remember it's there again*. i say there should
be one day a year, when it's cool to release xss, just one day when ppl
put their hands up and say, yup this is what i've got. one day in the
year when everyone agrees ppl won't laugh and make fun of you because
you post a xss, one day in the year when you're doing something
positive in the scene to get bugs patched that you are on a normal day
embarrassed to disclose.

maybe may day *is* the wrong day to have web app sec awareness day on,
but i do think there needs to be a web app sec bug amnesty day when
high ranking security researchers will say, actually i've got a xss, or
the script kid who thinks he's cool actually says *i've got an xss* and
isn't laughed at. so no matter who you are or your supposed ranking in
the security community, there should be a day where everyone
participates in web app bug disclosure, that's immune from all the
other days in the year when it's considered lame to release xss,
because we've seen it all before, and admittedly, they're not too hard
to find. so what if there is some controversy with the date of it being
on mayday? as long as it's doing the main key thing of securing and
bringing awareness, then overall it's got to be a good thing.

i've been observing that ppl are reluctant to post xss anymore, even
though they have a ton in their back pocket. folks like morning_wood,
he used to post sql injection/xss all the time, i noticed he doesn't
anymore, now is that because he doesn't have any, or is that because he
thinks it's not cool and hacker cred as it used to be. so now you've
learned my thinking behind this day, i hope ppl can support it. and if
ppl are really not happy about mayday being the day, then let's talk
about it, but surely we all agree that a web app bug amnesty on
whatever day in the year is going to be a benefit to the scene, rather
than web app bugs being kept in ppl's back pockets for over a year. ppl
will only save them till web app sec awareness day, then drop them onto
the list, rather than having a web app sec bug kept stored on ppl's mem
keys for maybe 2 years or more, because ppl are shy to publish them
onto the list because it might cause them embarrassment between their
social peers. so with web app sec awareness day, we're all agreeing, we
won't hold our web app sec bugs privately for more than 12 months, for
when web app sec awareness day comes, we all agree to drop bugs onto
the list without fear of being labelled a xss lamer or script kid.

for the ppl who do just post xss on any day they feel like and they
don't care about credibility, that's fine, keep doing it, that's great.
but what i have been observing is there are a large amount of ppl with
xss, who are shy to post what they've got in their back pocket *ever*,
so a day like this, it has to be a positive thing. web app sec
awareness day isn't just about xss, i just used that as an example.

yours sincerely, n3td3v.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
