[PRL] Bourne Shell Server Pages

Shriram Krishnamurthi sk at cs.brown.edu
Thu Nov 22 16:35:00 EST 2007


On Nov 22, 2007 3:41 PM, Peter Dillinger <peterd at ccs.neu.edu> wrote:
>
> harmlessly?  you realize how hard it is to build a secure system that
> so regularly executes code created by putting together strings with
> hard-to-understand escaping rules?

Oh, actually, I love it.  My students and I have been having a merry
time finding vulnerabilities in corporate sites and corporate
products, and we've just built a tool to automatically protect PHP
scripts against reflected CSRF attacks.  It was, ahem, easy to
evaluate our solution.

I will merely note that the PLT server is virtually immune to most
such attacks.  What's the fun in making systems better automatically?

NB: Yes, Matthias, I'm being sarcastic.

It's another great example of my dictum that bad technologies create
marketplaces, while good technologies kill them (because you have to
just move on to the next problem).

Shriram
