Interview with Robert “Rsnake” Hansen by David Sopas

www.websegura.net

David Sopas: How did you get interested in Web security?

Robert Hansen: One day I read a white paper on how you could use telnet of all things to
connect to any port you want and in the case of port 80 you could actually interact with
web servers. I couldn't believe it was true, because I thought telnet was a single use
program that spoke a specific protocol not a generic program that could talk to lots of
protocols. So once I telneted to port 80 and after some fiddling I saw HTTP headers and
data flying by. I couldn't believe my eyes. As soon as I saw it it was like a bolt of lightning
hit me. I finally got how totally insecure everything must be. Now mind you, this was
1995, so there weren't that many web applications out there that were interesting. But
every one that was out there suddenly seemed extremely exposed and ripe for
exploitation. It took my years to fully appreciate how right I was, but that's how I got my
first taste. It always surprises me how many security practitioners and web developers to
this day have never see HTTP headers.

DS: In your opinion, how has the Web security scene evolved in the last few years?
RH: Web security didn't exist when I started, there was no such thing and no one was
interested in it. There was literally just a handful of security researchers on earth at that
time, and even fewer who cared about websites. Back then it was all about being a good
sys-admin and a good network security guy. Much later a concept called CGI security was
in vogue because SSI and Perl opened people's eyes to how easy it was to make dynamic
websites. Much later the term webappsec came out and even then there were only a
handful of people who cared about it. It took many many years before people suddenly
realized that network security had forced everything to tunnel over HTTP. The day I heard
about a project that was designed to tunnel TCP over HTTP was when I realized there was
no stopping web security. It's here to stay.

DS: Are websites that you assess more insecure today in comparison to 3 years ago?
What changed?
RH: I don't assess the same websites that I used to assess. The kinds of websites I asses
now tend to be bigger in scope, but no, I don't see any major shift in the amount of
vulnerabilities except if you're talking about ASP.NET. The only reason ASP.NET is more
secure is because of ViewStates which, if encrypted and verified really does cut down on
certain vulnerabilities, like CSRF and XSS. The rest of the vulns, unfortunately, are still
there, as always. I don't like talking about compliance but PCI does seem to have forced
people to fix some of the lowest hanging fruit, but if you poke at the sites even a little, or
heaven-forbid, log in, you find that those automated scanners really aren't doing much.

DS: Of all the vulnerabilities out there, why did you decide to devote almost your work to
XSS? Do you consider it the most dangerous?
RH: I certainly do not consider XSS to be the most dangerous exploit. That honor should
be reserved for command injection, RFIs, SQL injection and so on. But I do consider XSS
to be the perfect blend of easy and high damage potential. If I'm an attacker who is new
on the scene, but wants to make a ton of money, why am I going to invest a ton of money
and time in learning something complicated when I can do the same damage with a single
line of JavaScript? It just doesn't make sense. So while I don't think it's the worst exploit
out there, it's so easy that it's impossible to ignore. Criminals don't care if the attack is
sexy or not, they just want money - so it's not really important to me what some people in
the security world tend to think - I'm much more interested in reality. I think it gets a bad
rap because it's not as sexy as other exploits, but if I can own your network with a few
lines of JavaScript or worse yet a single line of HTML if we're talking about CSRF, I
personally don't care how cool other exploits are - they're just far less likely. XSS and
CSRF are here to stay.

DS: Why are XSS errors so easy to make?

RH: Output encoding is a simple concept, but no one tends to understand how many ways
there are to bypass basic output encoding. Just because out encoded something to land
in HTML doesn't mean your buddy who is working on the same code won't throw it into
JavaScript space, or CSS space, or somewhere else. It's really hard to know where
something is going to be used unless you're in control of every aspect of the code. And
even then it requires that you know about the vulnerability. It's easier to get it wrong than
right.

DS: What are some examples of the damage XSS flaws can cause?
RH: They have been shown (in various examples) to break into internal networks, take
over your local computer, steal credentials, phish usernames and passwords, change
information in websites, port scan, etc... etc... Really, aside from hiding your car keys and
dating your wife, XSS is capable of just about any bad thing you can think of. It's the swiss
army knife of client side vulnerabilities.

DS: Talk me about your book "Detecting Malice". Why people should read it and who
should read it?
RH: I wrote Detecting Malice as an extension to my blog. I thought it would be a good idea
to give security practitioners, programmers, analysts and so on, the insights that I've had
over the years. I tried to make it extremely easy to read, even though it goes over some
very complex topics. I used lots of real world examples, even if in some cases I had to be
vague to protect the innocent or guilty. A lot of the various security vendors have bought
the book and are talking about how they can try to implement some of the ideas in their
code. Now that would be interesting!

DS: What is the next area of application security to pay attention to?
RH: Inter-protocol exploitation is a hugely under-researched area of security. I'd love to
see someone really tackle that one, and prove how weak Mozilla's black-list port blocking
really is. You'd think after attacks against VOIP, Sendmail, IMAP3 and IRC they'd agree a
whitelist makes a lot more sense, but I think they're worried about breaking things. I hate
that we have to break the browser more than it already is for them to do what's right, but
that's where we are, I guess.

DS: What are your plans for the future? Any exciting new projects?
RH: I have more projects than I know what to do with. But I'm shutting down ha.ckers.org
as soon as I get to 1000 posts. I think after years of running that site, I need a well-earned
break. Unfortunately, I more busy than ever, so my plans are to grab a few beers with id
(the guy who runs the network) and then get back to work. There's no time to rest in this
business!

DS: To end this interview, do you have some final words to our portuguese readers?
RH: Yeah, if you love security, don't let the people at the top of the security industry dictate
the terms by which you do your research, disclose your vulnerabilities, or do your job. You
have a ton of potential, and life is too short. My Father used to tell me that if you love what
you're doing you'll never work another day in your life. To paraphrase him - if you aren't
having fun in security, you're doing something wrong. Put a smile on your face, and go do
what makes you happy!