OSEC

From: Dennis Groves (dwgmac.com)
Date: Thu Sep 27 2001 - 11:25:34 CDT


    Hello Jeremiah, (and all)

    Jeremiah, I hope all of your technical issues are solved soon. I am sorry
    that I will be unable to attend ToorCon 2001. I am sure that we will see
    each other again at another venue.

    I am also very excited about what we are doing here. Although we have a
    great deal of work and fun ahead, I am eager to get on with it. I hope
    everyone else is as well. I also learned from the posts that many very
    sharp people are on the list; this is even more exciting.

    I look forward to meeting those of you I have not; perhaps we will one day be
    hanging out at O'Wasp:\\Con instead.

    I love what you have done with the attack categories.
    My vote is that we roll with what you have done.

    However I think that Mark said something very brilliant last night:

    > This should be "classes of vulnerabilities in web applications" and not
    > "classes of attacks".
    >
    > Let me explain... a class of vulnerability is improper input validation /
    > filtering... the attacks include SQL injection, OS injection, URL-encoded
    > attacks, Unicode-encoded attacks...
    >
    > A class of vulnerability is authentication... the attacks are brute force, etc.

    I think that we should no longer call it Attack Categories, because it is
    not the correct mental container, and the mess we got into was a mental
    mess from using the incorrect terms to describe what we were thinking. Mark
    has brought clarity with his words, and I think that it will be important to
    use precise language when and where we can. This will make developing a
    methodology a great deal clearer as well.

    One of the things we will no doubt end up doing is setting the standard on
    this stuff. I vote that we never use the term "poison cookie" again. If you
    search the web, every instance of that term goes directly back to Sanctum,
    Inc. We should avoid the endorsement of corporations when and where we can,
    though Eran was the first person to really bang a big loud drum on this
    subject.

    My recommendation is for "Cookie Tampering".

    Dennis