Have an account?
It looks like you're new here. If you want to get involved, click one of these buttons!
Apply for Membership
Who's Online (1)
Looking to introduce yourself? Look no further, and click here! We also have IRC! [irc.evilzone.org #iexploit]
Web Application Security
Future of web-application security/hacking ?
I have been started to thinking about the future of the web-application hacking,
because after seeing some things it made me think like this,
I am just a beginner in these web-Application security/hacking,i had started to read many many
types of web-application attacks and all especially from the owasp site and some other sites,
and i checked the sites like 1337day and exploit-db and some other exploit sites for those vulnerabilities,
say http response splitting last exploit has been published before 1 year,
say RFI/LFI bugs last exploit has been published before 3-4 months,
seems RFI/LFI is dying fast,i think it would disappear soon,
what types of exploits we are actively seeing is xss,sqli,file upload bugs,RCE,command injection,CSRF and few others.
Also i started to hear that the same will happen to sqli and xss in a very few years,
Nowadays it seems many many smart people have been coming in to web-developing and they are making hackers job tougher,
1)what you guys feel about this?
2)do you think xss and sqli will die or will become an uncommon type of exploit in the few years ?
3)do you think any new breed of attacks will born in the coming future?
4)And as a beginner in web-app hacking/security this really started to worrying me,how can i prepare my-self so that i can over come these challenges in my future in order to have a good and successfull carrier web-Application security/hacking ?
1)I've always said it, but there will always be vulnerabilities. The only trick is to innovate.
2)XSS I don't feel will become an uncommon vulnerability, I think it's here to stay, mostly because I'm under the impression that web-developers don't think XSS is a very dangerous vulnerability. However, MaXe from intern0t proved otherwise. SQLi, I'm not sure. Almost everyone uses databases, and everyone is on a "save money" spree right now, so I don't think it's going entirely away anytime soon. Once again, mainly because people like to save money and hire Joe from his mom's basement, rather than a professional web-developing company to do it for them.
4)Really focus on studying php, asp, and the general functionality of SQL. I almost guarantee there's more vulnerable functions in those languages than just includes and mysql select queries. There's vulnerabilities in cookie handling, e-commerce web apps, you name it. Leave no stone unturned. That's all I have to say.
while( !(succeed = try() ) );
It wont go away, but as they are easy to fix it will be more uncommon. Who knows, we may get new web app attacks in the future.
i think SQLi will die off just because its a vuln that isn't too difficult to patch. I think vulns are disappearing because people are becoming smarter, i think teams like anonymous etc are making web-masters more a where of the threat and so they are studying up.
I feel XSS will never disappear, but i do thing that people will find better ways to stop the effects like cookie stealing etc.
RFI/LFI are quite rare now and so i don't even bother looking for those.
I personally think that SQLi will become sort of phased out. A lot of people have severe criticism of SQL due to it not being very true to the relational database ideal/model. I think we may see a new RDBMS [relational database management system] that will (of course have it own vulns but) get rid of SQL's shortcomings and possibly replace it. That may be years away, or decades... but it will happen.
XSS like p-teo said won't go away. Education is the key - some coders just do not have the necessary skills when it comes to web app security. The other idea is to go at it from the other way and browsers themselves stopping people from falling victim to such attacks as cookie stealing as a built in feature. No doubt firefox has an app for that - as it's awesome.
i think sqlis will be around a good while. there are more and more web applications being built, and sql is still _very_ prominent. the awareness is high, but as long as escaping isn't added as part of the language's syntax (like pythons dbapi), which it most likely won't be: people will still make the mistake. hell, even some of the popular sites, like w3schools seem to be teaching sql with user supplied data, without even mentioning the dangers of injection, that doesn't help; just more people falling for the trap ;)
Add a Comment