Photo: Photo Monkey

When I was in high school I was focused on being good at everything. Some time passed and I realized that successful people focus on one (1) aspect of their life and dive deep. Really Deep.

While approving my blog comments, I came across this:

I chuckled and thought, “Why would someone care about Cross-Site Scripting my site?”

Targeting My Site

Was someone trying to “hack” me to prove a point?

There are much more powerful and well respected bloggers than me in the information security realm. Why target me? If you want to gain visibility for your attack go after someone like Jeremiah Grossman, Billy Rios, Chris Evans, or Rafal Los. If you XSS their star on the walk of fame, you will generate some buzz. But it won’t last long. People’s memories are short.

Practice Before You Execute

When doing a presentation I prepare. I never was a boy scout, but being prepared is a way to feel confidant in what you do. I don’t like to “wing it.”

I prefer to start my presentation months ahead of time and keep focusing and refocusing it. Making the presentation tighter and tighter, until it is the best that I can do. Why do I prepare this much for a presentation maybe 10 people will see? To avoid embarrassment.

Presenting on something that you are unprepared for is the most excruitating thing I can imagine. It is my worst nightmare.

The person posting this comment did just that. They attempted to execute before they prepared.

Do Your Homework

I would like to give advice to the fledgling hacker. If you want to find XSS on a site, start by doing reconnaissance. Before typing in blindly to fields alert(123) do some research.

This site is clearly using WordPress. Download WordPress, install it, and Identify XSS attacks that you could launch on my site. Can’t find any? No problem. Start looking at the source code for XSS. Trust me, they exist.

Notes on The Attack

Comments need to be approved. So, even if this XSS was valid I would personally have to share it with my readers. In doing your homework, realize that other bugs, such as remote code execution, are WAY better. Look for those.

Return to Focusing

The next time you put things in perspective ask yourself, “Am I focusing on something I care about?” If the answer is yes, continue down the righteous path. If the answer is No, Find Your Purpose.

Currently the Information Security industry is going through an interesting time.

• We have processes that can “fix” our problems.
• We have applications that can “fix” or problems.
• We have scanners that can “fix” our problems.
• And we have platforms that can “fix” our problems.

If this is the case, then why aren’t our problems fixed?

In the past few years the industry has become one of builders (people who write code) and breakers (penetration testers). I recently presented on why I think this is an incorrect view. To summarize, builders are good at innovating and breakers are good at finding security vulnerabilities in the software builders build.

However, when the “fix” comes along, the builder has to take time out of his feature mentality and focus on refactoring code. To date, I have never met a developer who likes to refactor.

What I propose is a new archetype. A fixer.

A fixer can come from one of two places. Either a developer who wants to learn the nitty-gritty of security or a Security minded individual that wants to learn developement.

The fixer will not spend time developing new features. Although he may spend a portion of his time breaking code, his main responsibility is to address the actual issues and fix (this time without quotes) the code.

Two points about becoming a fixer.

1. Ask for forgiveness later – You can become a fixer at your current role. Just start repairing the code.
2. Add Value - With anything you do, you should always add value. If you are a breaker, think how much more valuable you will be to a company if you are actually doing something other than pointing out the software’s flaws.

I have been doing this in my current job role and I have never had so much satisfaction.

Keep in mind the boyscout motto:
“Always Leave It Better Than You Found It.”