Well, you can decline to accept the argument all you want; but I stand
by my position and the facts that support it.
Yes. But it's impossible to hide that you're accepting input.
True, but it's not impossible to be subtle and it's not unreasonable
to limit your exposure. Maybe the tradeoff isn't always worthwhile;
but to say "No, there's no security benefit" is just wrong and to say
"the nominal security benefit isn't worth exploring" is arrogant. This
is the kind of thing that falls into the famous last words category.
3) Of course you should write the most secure script you can
[...] But it's absurd to suggest that simply writing a more secure script is
enough in and of itself.
Why? If your script is secure then it's secure. Of course this does not
mean that it really is secure just because you think so.
Yeah well, honest developers don't generally knowingly release product
that they believe to be insecure. But a lot of great and highly
respectable products are found, after the fact, to have significant
vulnerabilities all the time. I'm not just talking about MS here,
where you expect this kind of thing. We're talking about Apache, PHP,
Bind, sendmail and offshoot products. CERT had more than 2600
reported vulnerabilities in the first 9 months of 2004 alone. For the
mathematically challenged that's just a little less than 10 per day.
The net is littered with the corpses of the self-satisfied and smug
who thought they had written a secure script. Vulnerabilities are not
typically exposed by the developers, they are exposed by the clever,
the persistent, the motivated - and these are not always desirable
characters.
Which relates in what way to trying to hide the fact that a webpage is
dynamically created?
Now you're just being ornery. If you can't string it together, that's
not a hole in my argument - that's just your own refusal to see the
other side of the coin. If a web page is dynamically generated, it
immediately suggests a host of possibilities to a would-be attacker.
SQL injection, altered globals, forged headers - all become
increasingly attractive in the face of a web application. If you can
help ameliorate a vulnerability that you may not have thought of by
limiting your exposure - that's a good call. Ignore it if you want.
This isn't me out here on some island spouting controversial security
philosophy - this is textbook shit man. There are several pages on the
concept in "Linux Firewalls 2nd Ed.", "Hacking Exposed", "Securing
Red Hat Linux" and Gibson's book (forget the name, it's on Amazon).
You should be reading 2600 and see how black hats find places to use
the vulnerabilities they learn about. If that don't sell you - you
can't be sold and I'll just give up quietly.
4) So... Anything that enhances the security of a web application is
probably a worthwhile effort.
You still have not put forward any arguments indicating that obscuring
the fact your webpage is dynamically created leads to better
security.
I've put forward several, twice now; and then clarified the position.
Do what you want with it.
Ginzo