I’ve been reading The Web Application Hacker’s Handbook and one of the first concepts they brought up really struck me.
“…web applications face a fundamental problem they must address to be secure. Because the client is outside of the application’s control, users can submit arbitrary input to the server-side application.” — The Web Application Hacker’s Handbook, p. 9
I was impressed with how simple and also robust this concept is. Immediately after reading it, it seemed obvious how every attack pattern I’ve heard of (brute force password attacks, SQL injection, DDoS attacks) relies on one simple and unavoidable fact: users can submit anything. And web applications are not ready for “anything”; they are ready for “everything the creators thought of”, which is orders of magnitude smaller.
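An added example (not from the book or the post) of what “users can submit anything” means for server-side code. The form fields, limits, handlers and sample requests below are all constructed for illustration: a naive handler that assumes the browser already validated the form, beside a hardened one that treats every field as untrusted and accepts only what it explicitly expects.

```python
"""Added example (not from the book or the post): a server-side handler that
must cope with arbitrary client input. Everything here is constructed for
illustration; there is no real application behind it."""

from dataclasses import dataclass

MAX_QUANTITY = 10                 # the limit the HTML form's client-side check enforces
ALLOWED_SIZES = {"S", "M", "L"}   # the only values the form's <select> element offers


@dataclass(frozen=True)
class Order:
    size: str
    quantity: int


class BadRequest(ValueError):
    """Raised when the request must be rejected; a caller would map it to HTTP 400."""


def naive_handler(params: dict) -> Order:
    """Trusts that the browser already validated the form.

    Breaks on anything the form author did not anticipate: a missing key
    raises KeyError, a non-numeric quantity raises ValueError or TypeError,
    and values outside the form's range or option list are silently accepted.
    """
    return Order(size=params["size"], quantity=int(params["quantity"]))


def hardened_handler(params: dict) -> Order:
    """Treats every field as untrusted and validates it on the server.

    Validation is by allow-list (what is acceptable), not deny-list (what
    known attacks look like), so inputs nobody thought of are rejected too.
    """
    size = params.get("size")
    if not isinstance(size, str) or size not in ALLOWED_SIZES:
        raise BadRequest("size must be one of %s" % sorted(ALLOWED_SIZES))

    raw_qty = params.get("quantity")
    # Accept only a short string of ASCII digits: no sign, no whitespace,
    # no exponent, and no non-ASCII digits that int() would happily convert.
    if (not isinstance(raw_qty, str) or not raw_qty.isascii()
            or not raw_qty.isdigit() or len(raw_qty) > 3):
        raise BadRequest("quantity must be a positive integer")
    quantity = int(raw_qty)
    if not 1 <= quantity <= MAX_QUANTITY:
        raise BadRequest("quantity must be between 1 and %d" % MAX_QUANTITY)

    return Order(size=size, quantity=quantity)


# Constructed sample requests: one a browser would send from the form, the
# rest sent directly to the server with the form's client-side checks ignored.
SAMPLE_REQUESTS = {
    "normal":        {"size": "M", "quantity": "2"},
    "negative":      {"size": "M", "quantity": "-5"},
    "huge":          {"size": "M", "quantity": "999999999"},
    "unlisted_size": {"size": "XXL", "quantity": "1"},
    "missing_field": {"size": "M"},
    "wrong_type":    {"size": "M", "quantity": ["1"]},
    "arabic_digits": {"size": "M", "quantity": "\u0663"},   # int() converts this to 3
}


def outcomes(handler) -> dict:
    """Run a handler over the sample requests and record what happened to each."""
    results = {}
    for name, params in SAMPLE_REQUESTS.items():
        try:
            order = handler(params)
            results[name] = ("accepted", order.quantity)
        except BadRequest:
            results[name] = ("rejected", None)
        except (KeyError, ValueError, TypeError):
            results[name] = ("crashed", None)
    return results


if __name__ == "__main__":
    for label, handler in (("naive", naive_handler), ("hardened", hardened_handler)):
        print(label, outcomes(handler))
```

Running it shows the naive handler accepting a negative quantity, an absurdly large one, an unlisted size and a non-ASCII digit string, and crashing on a missing or wrongly typed field, while the hardened handler accepts only the request the form would actually have produced and rejects everything else with a controlled error.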
This makes me think of two types of challenges in security. The first is to discover and document the unknown vulnerabilities, and the second is to help application creators defend against the known vulnerabilities.