Christian

If you're reading my email as "it's the developers' fault", then you got it wrong -- I've been a developer for most of my life. And while things have gotten better in the last years, there are still tons of "build your blog in 15 minutes" or "develop a twitter clone in 2h" tutorials/advertisements for various platforms and languages out there which either assume security is a non-issue, or assume the platform/language will take care of it for you.
Heck, the manpages for some libc functions on non-GNU platforms still show vulnerable code in examples. perldoc is riddled with code that is just enough to show how a given function should be used, but with no validation whatsoever. I remember reading the training material for an Oracle product (sorry, I really can't recall the name) which touted being able to have the application security handled by infrastructure/middleware components as a desirable feature. So while I'd agree that we are getting better at this, we're still far from ideal. The canonical "hello world" for most languages/platforms out there, in most cases, still does not make explicit references to security issues.

On Wed, Mar 6, 2013 at 8:49 AM, Christian Sciberras <uuf6...@gmail.com> wrote:

> The article actually recommends looking for information from
> www.w3schools.com <http://www.w3fools.com>?!
>
> Here's a few other obviously missing things:
> - script requires input but does not check for it (very bad PHP practice)
> - what the hell is with that code? Ever heard about indentation?
> - there should be some very basic sanitization; ints be ints and strings
>   be strings
> - hiding all errors, that was a very smart thing to do....
> - early 20's html and css coding style to boot
>
> Regarding the tool itself, obviously it's not meant to be used publicly,
> hence why I could close my eye in this respect.
>
> Ulisses, developers already do this. Actually, they've been doing it for
> quite some time.
> Perhaps the "security experts" writing tutorials as in that article should
> follow?
>
> On Wed, Mar 6, 2013 at 11:55 AM, Dan Ballance <tzewang.do...@gmail.com> wrote:
>
>> +1
>>
>> On 6 Mar 2013 10:41, "Ulisses Montenegro" <ulisses.montene...@gmail.com> wrote:
>>
>>> Not including proper input validation and error handling in code samples
>>> is one of the most common and harmful practices in the software development
>>> industry -- doing it is not "optional" or "advanced", it is mandatory
>>> unless you want to be pwned.
>>>
>>> Developers need to start doing things properly from the very beginning,
>>> as habits become harder and harder to change with experience.
>>>
>>> On Wed, Mar 6, 2013 at 7:33 AM, Benji <m...@b3nji.com> wrote:
>>>
>>>> Actually, adding input sanitisation really wouldn't increase the code
>>>> size that much. Are you just incompetent?
>>>>
>>>> On Wed, Mar 6, 2013 at 7:46 AM, Źmicier Januszkiewicz <ga...@tut.by> wrote:
>>>>
>>>>> Dear list,
>>>>>
>>>>> Well, I suppose this had to be a proof-of-concept piece of code to
>>>>> demonstrate how port scanning can be done in PHP, not a production-grade
>>>>> software. Adding input sanitization would increase the code size by a lot
>>>>> and obscure the concept somewhat (not that there is much to be said about
>>>>> the concept though). Think we can give the dude some discount for that.
>>>>>
>>>>> Nevertheless, seeing something like this coming from "Certified
>>>>> Ethical Hacker and Security + certified" makes me doubt the worthiness of
>>>>> those certificates. Could be nice to know the exact naming of those
>>>>> certificates to properly disregard them in the future.
>>>>>
>>>>> With best regards,
>>>>> Z.
>>>>>
>>>>> 2013/3/6 laurent gaffie <laurent.gaf...@gmail.com>
>>>>>
>>>>>> http://resources.infosecinstitute.com/php-build-your-own-mini-port-scanner/
>>>>>>
>>>>>> Finding the vulnerability in this code is left as an exercise to the
>>>>>> reader.
>>>>>>
>>>>>> PS: "*Your comment will be awaiting moderation forever.*"
>>>>>>
>>>>>> _______________________________________________
>>>>>> Full-Disclosure - We believe in it.
>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>> --
>>> "If debugging is the process of removing software bugs, then programming
>>> must be the process of putting them in." - *Edsger Dijkstra*

--
"If debugging is the process of removing software bugs, then programming
must be the process of putting them in." - *Edsger Dijkstra*
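Added illustration, not code from the linked article and not written by anyone in this thread: what the three checks Christian lists look like in PHP for a script of this kind (the script requires input and verifies it is present, "strings be strings" for the target host, "ints be ints" for the port) with errors reported instead of hidden. The parameter names host and port, the use of $_GET, and the HTTP 400 response are assumptions; the article's own script is not reproduced here.

```php
<?php
// Added illustration, not code from the linked article or from anyone in
// this thread. The parameter names 'host' and 'port' and the use of $_GET
// are assumptions about what a mini port-scanner script might accept.
declare(strict_types=1);

// Do not hide errors: surface them while developing, log them in production.
error_reporting(E_ALL);
ini_set('display_errors', '1');

function fail(string $msg): void
{
    http_response_code(400);
    // Escape before echoing so an attacker-controlled value cannot inject HTML.
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'), "\n";
    exit;
}

// 1. The script requires input: check that both values are present and are
//    plain strings (host[]=x would arrive as an array, not a string).
if (!isset($_GET['host'], $_GET['port'])
    || !is_string($_GET['host']) || !is_string($_GET['port'])) {
    fail('host and port are required');
}

// 2. Strings are strings, but of a known shape: an IP literal or a hostname.
//    Anything else (spaces, shell metacharacters, a URL) is rejected outright.
$host = trim($_GET['host']);
$isIp = filter_var($host, FILTER_VALIDATE_IP) !== false;
$isName = preg_match(
    '/^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i',
    $host
) === 1;
if (!$isIp && !$isName) {
    fail('host must be an IP address or a hostname');
}

// 3. Ints are ints: FILTER_VALIDATE_INT rejects "80abc", "80.0" and "80;id",
//    and the range option keeps the value to a real TCP port.
$port = filter_var($_GET['port'], FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1, 'max_range' => 65535],
]);
if ($port === false) {
    fail('port must be an integer between 1 and 65535');
}

// Only now touch the network. IPv6 literals need brackets for fsockopen.
$target = (strpos($host, ':') !== false) ? "[$host]" : $host;
$errno = 0;
$errstr = '';
// The @ is scoped to this one call; the failure reason is still captured in
// $errstr and reported below rather than silently dropped.
$sock = @fsockopen($target, $port, $errno, $errstr, 2.0);

if ($sock === false) {
    printf("%s:%d closed or filtered (%s)\n",
        htmlspecialchars($host, ENT_QUOTES, 'UTF-8'), $port,
        htmlspecialchars($errstr, ENT_QUOTES, 'UTF-8'));
} else {
    fclose($sock);
    printf("%s:%d open\n", htmlspecialchars($host, ENT_QUOTES, 'UTF-8'), $port);
}
```

The validation adds about a dozen lines, which is the point Benji makes above. It does not change what Christian notes about the tool itself: a script that opens connections from the server to a caller-supplied host is still a scanner anyone who can reach it gets to use, so the input checks are a floor for a private proof of concept, not a reason to expose it publicly.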