undefined | Better HN

0 pointsmike_hearn8y ago0 comments

Well, from my blog post three days ago, discussed here:

https://news.ycombinator.com/item?id=15321015

"I put it to you that it’s impossible to write secure web apps."

0 comments

This is like saying "It's impossible to perfectly secure a bike on a city steet" when it gets stolen because you forgot to engage the lock. I have fuzzers that would of likely found this pretty quickly.

mike_hearnOP8y ago

I doubt that. What sort of fuzzer is going to create an Ethereum smart contract of a very specific type, insert JavaScript into the contract title, insert the contract into the Ethereum block chain, synthesise the correct URL (which doesn't contain any JavaScript) and then detect that data from the backend was emitted unescaped?

Someone else in this thread said, well, serves them right, they should have used CSP, and then someone else pointed out that doesn't work for inline scripts, and there was a reply of the form "only stupid people use inline scripts" although this is news to me, as nearly every website I see uses inline scripts of some form or another. This whole discussion looks like people in denial.

The problem here is that XSS is so easy to create. A jungle of half-broken workarounds, mitigations, static analysis tools, fuzzers etc doesn't change the basic truth that the web is a fundamentally unsound platform on which to do secure coding. Data and code bleed together far, far too easily - by design.

KekDemaga8y ago

I misunderstood the design then. I assumed the XSS was done via an input on the page not an input in Ethereum itself.

1 more reply

j / k navigate · click thread line to collapse

0 comments

KekDemaga8y ago

mike_hearnOP8y ago

KekDemaga8y ago

I misunderstood the design then. I assumed the XSS was done via an input on the page not an input in Ethereum itself.

1 more reply

j / k navigate · click thread line to collapse