Observations and insights from the Security PS Team.

The Night Before Xssmas

Twas the night before Xssmas and all through world
Not an application was safe, no one dared click a URL.
People’s browsers sat idle and they all pondered when
It’d be safe to view greeting cards online again.

The hackers were nestled all snug in their beds,
While visions of session cookies danced in their heads.
Developers were still working to push out new code,
But soon it’d be compromised for another bot node.

Cries for help on the Internet rose to such a clatter,
That consultants at Security PS looked into the matter.
They raced to their keyboards and started to type,
“Validate data” they cried, yet many thought it hype.

A few implemented black lists for input inspection,
And found they still fell victim to SQL injection.
The clueless were left in their server rooms gawking,
As exploits were launched that left their servers talking.

The good consultants didn’t give up in spite of all this,
And created security classes taught by a bright geek named Kris.
He showed people hacking demos and watched faces fall,
When they saw they couldn’t trust client data at all.

“Your users aren’t safe,” he said, “when it is revealed,”
“I can push JavaScript into this not-so-hidden field.”
“Plus parameters are bad,” he added with a wink,
“When they can be used to create an unsafe link.”

With time a few companies began to see the light,
And changed security practices to fix their code right.
“It’s not so hard,” they said, “when you know what to do.”
“Plus it’s nice not to have Russian hackers chatting with you.”

While we don’t want to claim victory too prematurely,
We do think more applications are being developed securely.
For those still struggling to deal with the injection plight,
We say “Merry Xssmas to you, keep up the good fight!”
    Blogger Comment
    Facebook Comment


Post a Comment