Interview with Robert “Rsnake” Hansen by David Sopas

www.websegura.net

David Sopas

: How did you get interested in Web security?

Robert Hansen

: One day I read a white paper on how you could use telnet of all things toconnect to any port you want and in the case of port 80 you could actually interact withweb servers. I couldn't believe it was true, because I thought telnet was a single useprogram that spoke a specific protocol not a generic program that could talk to lots of protocols. So once I telneted to port 80 and after some fiddling I saw HTTP headers anddata flying by. I couldn't believe my eyes. As soon as I saw it it was like a bolt of lightninghit me. I finally got how totally insecure everything must be. Now mind you, this was1995, so there weren't that many web applications out there that were interesting. Butevery one that was out there suddenly seemed extremely exposed and ripe for exploitation. It took my years to fully appreciate how right I was, but that's how I got myfirst taste. It always surprises me how many security practitioners and web developers tothis day have never see HTTP headers.

: In your opinion, how has the Web security scene evolved in the last few years?

: Web security didn't exist when I started, there was no such thing and no one wasinterested in it. There was literally just a handful of security researchers on earth at thattime, and even fewer who cared about websites. Back then it was all about being a goodsys-admin and a good network security guy. Much later a concept called CGI security wasin vogue because SSI and Perl opened people's eyes to how easy it was to make dynamicwebsites. Much later the term webappsec came out and even then there were only ahandful of people who cared about it. It took many many years before people suddenlyrealized that network security had forced everything to tunnel over HTTP. The day I heardabout a project that was designed to tunnel TCP over HTTP was when I realized there wasno stopping web security. It's here to stay.

: Are websites that you assess more insecure today in comparison to 3 years ago?What changed?

: I don't assess the same websites that I used to assess. The kinds of websites I assesnow tend to be bigger in scope, but no, I don't see any major shift in the amount of vulnerabilities except if you're talking about ASP.NET. The only reason ASP.NET is moresecure is because of ViewStates which, if encrypted and verified really does cut down oncertain vulnerabilities, like CSRF and XSS. The rest of the vulns, unfortunately, are stillthere, as always. I don't like talking about compliance but PCI does seem to have forcedpeople to fix some of the lowest hanging fruit, but if you poke at the sites even a little, or heaven-forbid, log in, you find that those automated scanners really aren't doing much.

: Of all the vulnerabilities out there, why did you decide to devote almost your work toXSS? Do you consider it the most dangerous?

: I certainly do not consider XSS to be the most dangerous exploit. That honor shouldbe reserved for command injection, RFIs, SQL injection and so on. But I do consider XSSto be the perfect blend of easy and high damage potential. If I'm an attacker who is newon the scene, but wants to make a ton of money, why am I going to invest a ton of moneyand time in learning something complicated when I can do the same damage with a singleline of JavaScript? It just doesn't make sense. So while I don't think it's the worst exploit

out there, it's so easy that it's impossible to ignore. Criminals don't care if the attack issexy or not, they just want money - so it's not really important to me what some people inthe security world tend to think - I'm much more interested in reality. I think it gets a badrap because it's not as sexy as other exploits, but if I can own your network with a fewlines of JavaScript or worse yet a single line of HTML if we're talking about CSRF, Ipersonally don't care how cool other exploits are - they're just far less likely. XSS andCSRF are here to stay.

: Why are XSS errors so easy to make?

: Output encoding is a simple concept, but no one tends to understand how many waysthere are to bypass basic output encoding. Just because out encoded something to landin HTML doesn't mean your buddy who is working on the same code won't throw it intoJavaScript space, or CSS space, or somewhere else. It's really hard to know wheresomething is going to be used unless you're in control of every aspect of the code. Andeven then it requires that you know about the vulnerability. It's easier to get it wrong thanright.

: What are some examples of the damage XSS flaws can cause?

: They have been shown (in various examples) to break into internal networks, takeover your local computer, steal credentials, phish usernames and passwords, changeinformation in websites, port scan, etc... etc... Really, aside from hiding your car keys anddating your wife, XSS is capable of just about any bad thing you can think of. It's the swissarmy knife of client side vulnerabilities.

: Talk me about your book "Detecting Malice". Why people should read it and whoshould read it?

: I wrote Detecting Malice as an extension to my blog. I thought it would be a good ideato give security practitioners, programmers, analysts and so on, the insights that I've hadover the years. I tried to make it extremely easy to read, even though it goes over somevery complex topics. I used lots of real world examples, even if in some cases I had to bevague to protect the innocent or guilty. A lot of the various security vendors have boughtthe book and are talking about how they can try to implement some of the ideas in their code. Now that would be interesting!

: What is the next area of application security to pay attention to?

: Inter-protocol exploitation is a hugely under-researched area of security. I'd love tosee someone really tackle that one, and prove how weak Mozilla's black-list port blockingreally is. You'd think after attacks against VOIP, Sendmail, IMAP3 and IRC they'd agree awhitelist makes a lot more sense, but I think they're worried about breaking things. I hatethat we have to break the browser more than it already is for them to do what's right, butthat's where we are, I guess.

: What are your plans for the future? Any exciting new projects?

: I have more projects than I know what to do with. But I'm shutting down ha.ckers.orgas soon as I get to 1000 posts. I think after years of running that site, I need a well-earnedbreak. Unfortunately, I more busy than ever, so my plans are to grab a few beers with id(the guy who runs the network) and then get back to work. There's no time to rest in thisbusiness!

: To end this interview, do you have some final words to our portuguese readers?

: Yeah, if you love security, don't let the people at the top of the security industry dictatethe terms by which you do your research, disclose your vulnerabilities, or do your job. You