Lisp and cybersecurity!

This page summarizes the projects mentioned and recommended in the original post on /r/lisp.

  • sly

    Sylvester the Cat's Common Lisp IDE (by joaotavora)

  • I think Lisp languages have a culture of not caring about security, (total speculation here) with roots going back to Stallman decrypting the passwords and restoring anonymous access in the MIT lab. For example, Quicklisp, the main package manager people are using with Common Lisp, is pulling packages over HTTP. Normal Lisp development spawns a TCP socket that accepts arbitrary code to execute. Emacs recently pushed a release fixing a vuln not because they thought it was important, but because their users cared and they realize it's a bad look to not push timely fixes to known vulns. All those I can't really fault because they're just people in their free time, but Clojure has major industry use and the default HTML templater (hiccup) doesn't escape HTML by default (well, it does in version 2, but that's still alpha so most are on version 1), leading to most web backends written in Clojure having cross-site scripting (XSS) vulns.

  • nyxt

    Nyxt - the hacker's browser.

  • After I learn Common Lisp some more, the first project I want to do is extend the Nyxt browser for web security testing, extending it to provide some mitmproxy features like request searching, editing, fuzzing, etc. functionality that can be closely integrated with the browser in a way separate MITM proxies like Burp Suite aren't. Nyxt lets you hook and extend everything about the browser, access a page's DOM and inject JavaScript, and everything written in Common Lisp will allow you to modify and extend all functionality interactively, which I think can make it a uniquely good tool for web security testing. If anyone is interested in collaborating on such a project, let me know.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.
