[WEB SECURITY] Damn Vulnerable Web App
Stephan Wehner
stephanwehner at gmail.com
Sun May 31 15:28:00 EDT 2009
2009/5/29 MustLive <mustlive at websecurity.com.ua>:
> Hello Stephan!
>
> You wrote a nice comment about Ryan's DVWA project and I made some comments
> on yours.
>
>> Any particular reason it is implemented in PHP ??
>
> I see two reasons why Ryan developed his project in PHP.
>
> 1. He has programming knowledge of PHP (so he decided to use it).
>
> 2. PHP language has a lot of built-in features which are used by developers
> and make a lot of attack vectors. And for this reason PHP is liked by
> hackers (I mean php web apps with full of holes) and this is why php web
> apps are very widespread in bugtracks.
>
> The 2nd reason is even more important than the 1st one :-). Especially for
> unique features of PHP language which are liked by hackers, such as Remote
> File Inclusion. Only for this one there was a reason to make DVWA on PHP.
>
> Do you know any other programming language (which is used for web apps
> development) that has such ability (only server-side) - to include files
> remotely? Because I don't know any other such language (from all
> web-oriented programming languages which I know). Only PHP has such feature
> and has RFI holes in web apps on this language ;-).
Well, I may be misunderstanding, but could such a feature be emulated
in another language? That way these kinds of holes may be controlled,
with a predictable interface and all in all more secure :-)
Stephan
--
Stephan Wehner
-> http://stephan.sugarmotor.org (blog and homepage)
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org -- http://blog.stephansmap.org
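The "predictable interface" Stephan asks about, sketched in Python as an added example (this is not code from the thread or from DVWA): instead of handing a raw `page` parameter to an include, the page name is looked up in an explicit allow-list and mapped to a file under a fixed root, so a URL or a traversal string can never become an include target. The template root, the page names and the classification labels are assumptions made for this demonstration.

```python
import re
from pathlib import Path

# Assumed layout and allow-list for this demonstration (constructed, not DVWA's).
TEMPLATE_ROOT = Path("/srv/app/templates")
PAGES = {
    "home": "home.html",
    "about": "about.html",
    "contact": "forms/contact.html",
}
NAME_RE = re.compile(r"[a-z0-9_-]{1,32}")            # the only shape a page name may take
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)  # http:, ftp:, php:, data: ... any scheme


class IncludeError(ValueError):
    """Raised when a requested page is outside the controlled interface."""


def classify(value: str) -> str:
    """Label a raw 'page' parameter so rejections can be logged with a reason."""
    if SCHEME_RE.match(value):
        return "remote-url"          # the RFI shape: a scheme prefix (http://, php://, ...)
    if ".." in value or "/" in value or "\\" in value or "\x00" in value:
        return "path-or-traversal"   # local-file / directory-traversal shape
    if NAME_RE.fullmatch(value):
        return "name"
    return "malformed"


def resolve_page(value: str, root: Path = TEMPLATE_ROOT, pages: dict = PAGES) -> Path:
    """Map a user-supplied page name to a file under root, or raise IncludeError."""
    kind = classify(value)
    if kind != "name":
        raise IncludeError(f"rejected ({kind}): {value!r}")
    rel = pages.get(value)
    if rel is None:
        raise IncludeError(f"unknown page: {value!r}")  # valid shape, but not in the allow-list
    target = root / rel
    if root not in target.parents:                      # defence in depth: never leave root
        raise IncludeError(f"escapes root: {target}")
    return target


def accepted(value: str) -> bool:
    """True when the resolver would serve this page name, False when it rejects it."""
    try:
        resolve_page(value)
        return True
    except IncludeError:
        return False
```

Only names that survive `resolve_page` are ever opened, so the include target is chosen by the application, not by the request.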