
List:       websecurity
Subject:    Re: [WEB SECURITY] Damn Vulnerable Web App
From:       Stephan Wehner <stephanwehner () gmail ! com>
Date:       2009-05-31 19:28:00
Message-ID: e66d1efb0905311228s2b2d9cc6v48f5eec520036dd8 () mail ! gmail ! com

2009/5/29 MustLive <mustlive@websecurity.com.ua>:
> Hello Stephan!
>
> You wrote a nice comment about Ryan's DVWA project and I've made some comments
> on your one.
>
>> Any particular reason it is implemented in PHP ??
>
> I see two reasons why Ryan developed his project in PHP.
>
> 1. He has programming knowledge of PHP (so he decided to use it).
>
> 2. The PHP language has a lot of built-in features which are used by developers
> and make a lot of attack vectors. And for this reason PHP is liked by
> hackers (I mean php web apps full of holes) and this is why php web
> apps are very widespread in bugtracks.
>
> The 2nd reason is even more important than the 1st one :-). Especially for
> unique features of the PHP language which are liked by hackers, such as Remote
> File Inclusion. Only for this one there was a reason to make DVWA in PHP.
>
> Do you know any other programming language (which is used for web apps
> development) that has such an ability (only server-side) - to include files
> remotely? Because I don't know any other such language (from all the
> web-oriented programming languages which I know). Only PHP has such a feature
> and has RFI holes in web apps in this language ;-).

Well, I may be misunderstanding, but could such a feature be emulated
in another language? That way these kinds of holes may be controlled,
with a predictable interface and all in all more secure :-)

Stephan

-- 
Stephan Wehner

-> http://stephan.sugarmotor.org (blog and homepage)
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org -- http://blog.stephansmap.org
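For readers who have not seen the pattern the thread is arguing about, here is the PHP file-inclusion idiom MustLive refers to, next to the kind of "controlled, predictable interface" Stephan asks for. This is an added illustration, not code from this thread, from DVWA or from its author; the `pages/` directory, the page names and the function names are assumptions made up for the example.

```php
<?php
// Added example, not from the thread. Shows the PHP include() idiom behind
// Remote File Inclusion and a hardened replacement.

// Vulnerable idiom: a request parameter becomes the include path. When the
// php.ini directive allow_url_include is On, a URL in $page makes PHP fetch
// and execute remote code (RFI); even with it Off, arbitrary local files can
// still be pulled in (LFI). Kept only as the "before" picture.
function render_unsafe(string $page): void
{
    include $page . '.php';   // attacker-controlled path: do not use
}

// Hardened idiom: the request parameter is only a key into a fixed map of
// templates that live under a directory the application controls. Nothing
// from the request is ever concatenated into a filesystem path or URL.
const PAGES = [
    'home'    => 'home.php',     // assumed file names under pages/
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path for a known page key, or null for anything else.
function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;             // unknown key: refuse rather than guess
    }
    return __DIR__ . '/pages/' . PAGES[$requested];
}

function render_safe(string $requested): void
{
    $path = resolve_page($requested);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Usage from a front controller:
render_safe($_GET['page'] ?? 'home');
```

The allowlist does the real work: a `..` sequence, an absolute path or a `http://` prefix in the parameter is never a key in `PAGES`, so it is rejected before `include` runs. Keeping `allow_url_include = Off` in php.ini (its default) is worth having as well, but as defence in depth; the map is what makes the interface predictable.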

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

