December’s Web Application Security Professional Survey Results
The results are finally in for December’s web application security professional survey! And I have to say I was far more impressed by these results than the previous results. Not because the questions were better. Not because the questions included references to ha.ckers.org and sla.ckers.org. No, as if that wasn’t enough, Jeremiah threw in a bonus question asking what people found to be “The most valuable web application security tip/trick/idea/concept/hack/etc you learned this year (2006)?” The results were very interesting.
I think it’s fascinating reading who said what. And thank you everyone who mentioned ha.ckers.org and sla.ckers.org. Trust me, we love you too, guys. But what I thought was really interesting was some of the comments, like using VBScript to test XSS since it isn’t case sensitive. And using UTF-16 to bypass filters (there is so much work left to be done in the encoding methods it’s just silly).
I really hope Jeremiah continues this and evolves it to ask more of these types of questions. Getting the real dirt on some of the tricks of the trade can help the entire field. Anonymous or otherwise, the tips are incredibly useful! But cool stuff, and thank you to Jeremiah for putting this together. I think anyone working in the space will probably be interested in this stuff.



December 14th, 2006 at 6:50 pm
Ya, I never knew VBScript was case-insensitive (mostly because I despise VB and its incarnations). I've run across all-cap filters maybe twice, but it's a nice trick to remember.
And whoever included my name next to RSnake's and id's, that made my day ^^ - despite the rest of my day being decidedly crappy -_-
Hopefully the next survey will have an equally interesting bonus. It's not often you can ask 63 people in one field the same question.
December 14th, 2006 at 8:05 pm
That was me, and you're welcome! I told Jeremiah that some of the things I see discussed scare the crap out of me, especially the part about using J.G.'s CSS hack and XSS to execute XHRs against a list of sites to determine if the person is logged in. That's just a frightening hack.
December 15th, 2006 at 12:31 am
The thing that struck me the most is that the majority of those who answered the questionnaire do work in the security business, and most of them use scanners, judging by the percentages, I guess.
I don't work in this field; I'm a web developer. I build and architect sites, and I really rarely use scanners, because most of the time I write the thing myself and know what I write is pretty safe. I also find it quicker to manually review the code than to run a scanner.
So this boils down to my question: if one works in the security field and uses a scanner, I wonder whether they built the code they scan themselves? That would make a huge difference, I guess.
December 15th, 2006 at 9:13 am
With regard to using UTF-16 to bypass filters… my own tests with it suggest that it might not be as effective as it’s been cracked up to be.
For instance,
http://www.frostjedi.com/terra/scripts/demo/utf16.php
doesn't work in IE6/7, although it does in FF2. If I don't explicitly set the charset to UTF-16, it does work in IE6/7 but not in FF2. Presumably the latter's behavior is due to this:
http://ha.ckers.org/xss.html#XSS_Null_2
(i.e. it seems like IE is doing auto-detection; the same auto-detection that enables one to include HTML in a *.gif and have IE render the *.gif as an HTML document)
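As an added illustration of the point raised in this thread (not code from the post or its commenters): a byte-level filter that looks for `<script` misses both a mixed-case tag and a UTF-16 encoded document, whereas a filter that first decodes with the declared charset, paired with a response that pins its charset so the browser cannot auto-detect a different one, checks the same text the browser will render. The sample documents, the minimal denylist and the function names are constructed for this example.

```python
import codecs
from typing import Optional

# Constructed sample inputs (not taken from the page): the same markup as
# plain ASCII with mixed-case tags, and as UTF-16 with a byte-order mark.
MIXED_CASE_DOC = b"<html><body><ScRiPt>alert(1)</ScRiPt></body></html>"
UTF16_DOC = codecs.BOM_UTF16_LE + MIXED_CASE_DOC.decode("ascii").encode("utf-16-le")
BENIGN_DOC = b"<html><body><p>hello</p></body></html>"

DENYLIST = ("<script",)  # deliberately minimal; the point is normalisation, not the list


def naive_filter(raw: bytes) -> bool:
    """Byte-level, case-sensitive check. Returns True if the input is blocked.
    Misses other casings, and any encoding where '<script' is not a contiguous
    run of ASCII bytes (UTF-16 interleaves a zero byte after each character)."""
    return any(term.encode("ascii") in raw for term in DENYLIST)


def sniff_charset(raw: bytes) -> str:
    """Minimal BOM-based fallback standing in for the browser auto-detection the
    comment above describes. Real browsers sniff far more aggressively, which is
    why the response should declare its charset instead of relying on this."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return "utf-16"
    return "utf-8"


def hardened_filter(raw: bytes, declared_charset: Optional[str] = None) -> bool:
    """Decode to text first (declared charset, else BOM sniff), then match
    case-insensitively, so the check sees the same text the browser will."""
    charset = declared_charset or sniff_charset(raw)
    text = raw.decode(charset, errors="replace").casefold()
    return any(term in text for term in DENYLIST)


def charset_is_pinned(content_type: str) -> bool:
    """True if a Content-Type header names a charset explicitly, removing the
    ambiguity that lets the browser choose a different decoding than the filter."""
    params = [p.strip().lower() for p in content_type.split(";")[1:]]
    return any(p.startswith("charset=") and len(p) > len("charset=") for p in params)
```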