600 points scalewithlee | 2 comments
Y_Y | No.43793778
Does it block `/etc//hosts` or `/etc/./hosts`? This is a ridiculous kind of whack-a-mole that's doomed to failure. The people who wrote these should realize that hackers are smarter and more determined than they are and you should only rely on proven security, like not executing untrusted input.
replies(6): >>43793862 >>43793868 >>43793954 >>43794072 >>43794473 >>43802345
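The bypasses named in the comment above, worked through as an added example. This is not code from the thread and not any real WAF's rule set: the blocklist, the probe strings, the `canonicalize` helper and the shell-style probes are all constructed here. It contrasts a raw substring rule with one that percent-decodes and path-normalizes first, and shows that normalization closes the lexical variants but cannot touch input that only becomes a path once the target's shell interprets it.

```python
# Added example (not from the thread): a substring-blocklist rule of the
# kind the comment above objects to, a probe set of spelling variants of
# /etc/hosts, and a checker that canonicalizes before matching.
# The blocklist, the probes and the helper names are all constructed here.
import posixpath
from urllib.parse import unquote

# Constructed blocklist, standing in for a WAF "sensitive file" rule.
BLOCKED_PATHS = ("/etc/hosts", "/etc/passwd")


def naive_block(payload: str) -> bool:
    """Substring match on the raw payload: the whack-a-mole approach."""
    return any(bad in payload for bad in BLOCKED_PATHS)


def canonicalize(payload: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding), then let
    posixpath.normpath collapse '//' and '/./' and resolve '..' segments."""
    s = payload
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return posixpath.normpath(s)


def normalized_block(payload: str) -> bool:
    """Same blocklist, but matched against the canonical form."""
    return any(bad in canonicalize(payload) for bad in BLOCKED_PATHS)


# Constructed probes: lexical variants that the filesystem resolves to
# the same file as /etc/hosts.
LEXICAL_PROBES = [
    "/etc/hosts",
    "/etc//hosts",
    "/etc/./hosts",
    "/etc/../etc/./hosts",
    "/etc/%2e/hosts",     # percent-encoded '.'
    "/etc/%252e/hosts",   # double-encoded '.'
    "/etc/hosts/",        # trailing slash; normpath strips it
]

# Constructed probes that are not paths at all until a shell on the target
# interprets them (a glob, and a word split by empty quotes). Path
# normalization on the WAF cannot resolve these; only the executing host can.
SHELL_PROBES = [
    "cat /etc/hos*",
    "cat /e''tc/hosts",
]


def bypasses(check, probes):
    """Return the probes that the given check lets through."""
    return [p for p in probes if not check(p)]


if __name__ == "__main__":
    for name, check in (("naive", naive_block), ("normalized", normalized_block)):
        print(name, "misses lexical:", bypasses(check, LEXICAL_PROBES))
        print(name, "misses shell:  ", bypasses(check, SHELL_PROBES))
```

Decoding has to happen before normalization, and it has to be repeated until the string stops changing, or `%252e` sails past a single-pass decoder. Even then `normpath` is purely lexical: it knows nothing about symlinks, case-insensitive mounts, or what the receiving program will do with a glob or a quoted word, which is exactly the gap the shell probes land in.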
mystifyingpoi | No.43793862
No one expects any WAF to be a 100% solution that catches all exfiltration attempts ever, and it should not be treated this way. But having it is generally better than not having it.
replies(7): >>43793876 >>43793969 >>43794144 >>43794428 >>43795337 >>43796158 >>43796295
1. simonw | No.43794144
"But having it is generally better than not having it."

I believe the exact opposite.

One (of many) reasons is that it can make your code less secure, by hiding your security mistakes from you.

If your WAF obscures escaping issues during your own testing and usage you could very easily let those escaping issues go unresolved - leaving you vulnerable to any creative attacker who can outsmart your WAF.

replies(1): >>43794869
2. RamRodification | No.43794869
If you are in charge of testing code for escaping issues, and you do that through a WAF, you might not be very good at your job.