Mood Indigo Website Hacked


Amol Mandhane

Feb 13, 2013, 2:53:24 PM
to Web and Coding Club IITB
The Indonesian Hacker 'R3DD3V1L' has gone crazy and mass defaced hundreds of websites. Moodi website is one of them.

Here's a list.
http://www.hack-db.com/hacker/R3DD3V1L/all.html


If anyone knows how to secure our servers from this kind of exploit, please post.




Regards,
Amol Mandhane

Amol Mandhane

Feb 13, 2013, 2:54:06 PM
to Web and Coding Club IITB
Also, back up all your code and databases.

Regards,
Amol Mandhane

Sudarshan Wadkar

Feb 13, 2013, 3:18:28 PM
to wncc...@googlegroups.com
shites!
thanks a lot for the warning
*phew*
/me runs for backups!

-Sudhi :-?


--
--
The website for the club is http://stab-iitb.org/wncc
To post to this group, send email to wncc...@googlegroups.com
 
---
You received this message because you are subscribed to the Google Groups "Web and Coding Club IIT Bombay" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wncc_iitb+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

Viraj Sawant

Feb 13, 2013, 10:10:02 PM
to wncc...@googlegroups.com
How do they pull off such a hack? As in, I'm asking about the method!
I guess this is not done simply by SQL injection, 'cause on 'moodi.org' basic measures to avoid SQL injection were already taken.
Can anyone tell what other way it could be? :/
--
Regards,
Viraj Sawant,
IIT Bombay

 

Sudarshan Wadkar

Feb 14, 2013, 12:17:35 AM
to wncc...@googlegroups.com
SQL injection is just one of the well known hacks
there are n number of things that are broken/compromised in the open source world
yes, they are patched and fixed for vulnerabilities but not every sysadmin can and does patch the entire system up-to-date
add to that other bad practices (i.t.o. security) like `eval`s (which are almost always insecure)
and you're asking for trouble
we're lucky that not many people out there are black/red/dark-hats
otherwise the internet would be doomed to death by their malicious intent

-S

Abhishek kumawat

Feb 14, 2013, 2:57:54 AM
to wncc...@googlegroups.com

There are various methods for doing so. Even if we have taken all precautionary measures from our side, our site is still not safe.
If our site is hosted on a particular server and any other site which has some vulnerability is also hosted on that server, then via advanced shell uploading the attacker can take control of all the sites hosted on that server, just because of that one vulnerable site.

Viraj Sawant

Feb 14, 2013, 3:17:56 AM
to wncc...@googlegroups.com
Couldn't agree more. Thanks :) 

Pritam Baral

Feb 14, 2013, 10:25:50 AM
to wncc...@googlegroups.com

Analysis

I would like to make a few things clear about this. For people who still think this was a targeted attack against the Mood Indigo site: it wasn't. Mood Indigo just happened to be on a server that was attacked.

Observation

The URL it redirected to points to a CGI script, the likes of which are generally used by system-control services like cPanel/WHM. This suggests the hostile takeover is at a system level, as opposed to a single domain or a single user on the system.

A simple test would be to replace the domain with the IP address of the host: it suffered the same fate. Clearly, the attacker has instructed Apache to redirect everything to a single URL. That kind of access requires root privileges, thus ruling out any vector via moodi.org or any other hosted site (unless, of course, the hosts ZNetLive are stupid enough to provide an unsecured su-like binary). Local root exploits seem unlikely: on a CentOS 5.8 system, the last reported one was way back when.

A zero-day exploit is possible, but far-fetched. Let's consider some easier attack vectors. Unpatched/old software is suspect, as Sudarshan pointed out. I must say that its open-source nature isn't to blame here. In fact, open source software is often quickly patched, heavily reviewed, and easy to update. I would love to take this opportunity to bash cPanel, but that's for another day.

Rahil Momin, web CG, Mood Indigo, also states that regular users on the server were denied access, both to FTP and to successful password changes. However, the attacker had no cause to touch their code or databases in order to carry out a poster-page redirection.

Mitigation

It would have taken a barely-intelligent sysadmin hardly 5 minutes to restore the system, even if root was compromised on it. However, they seem to have taken well over 12 hours. Oh well, but what do you do if your site hosted on a shared server goes down like this?

1) Have an alternate hosting ready, (duh? read on!)
2) Keep your DNS and web host separate. Third-party DNS services are fairly cheap, abundantly featured and far better than either your registrar or webhost. (See PS below)
3) Make sure you have a short TTL on your NS records. That makes switching hosts quick.
4) Have a static/read-only version of your site at hand.

Of course, the best option would be to get a private server, possibly with a large provider like Amazon/Heroku/Linode, but not everyone has the funds/needs for that.

PS: Even if you can't get an alternate hosting service at short notice, URL cloaking comes in handy: it lets you use bighome to host your site, at your URL!

Regards,
Chhatoi Pritam Baral

On Feb 14, 2013 10:48 AM, "Sudarshan Wadkar" <wad...@gmail.com> wrote:

Harsh Ankur

Feb 13, 2013, 3:24:33 PM
to wncc...@googlegroups.com
Checked the list of Indian websites in the link provided by you.. Couldn't find moodi.org!!
Harsh Ankur
2nd Yr. Undergraduate
Electrical Engineering
I.I.T. Bombay, Powai
+917738995319

-Sent from Nokia
-----Original message-----
From: Amol Mandhane
Sent: 14/02/2013, 1:24 am
To: Web and Coding Club IITB
Subject: [WnCC] Re: Mood Indigo Website Hacked

Avilash Kumar

Feb 14, 2013, 8:54:04 AM
to wncc...@googlegroups.com
This is all I could infer.

The hack was conducted when they found some security hole in the WHM of ZNetLive where they could change the default suspend page of normal accounts, existing at cgi-sys/suspendpage.cgi, and I have no idea how they could suspend the accounts leading to the redirect.

@Viraj - SQL Injection on MI? Is there any place to conduct it?


ANUP RAAJ

Feb 13, 2013, 2:55:27 PM
to wncc...@googlegroups.com
:D




--
Have a nice day  !!!

Regards,
Anup Raaj
Core Team Member ( Web and Softwares)
Student Alumni Relations Cell, IIT Bombay
Mobile no:-  +91 9757418329



Shambhulingayya.N.D

Feb 14, 2013, 4:30:28 AM
to wncc...@googlegroups.com
Hey, I think one option is you should use the capabilities of SSL/TLS for HTTP (which turns HTTP into HTTPS) for secured communications.


On Thu, Feb 14, 2013 at 1:27 PM, Abhishek kumawat <abhishek...@gmail.com> wrote:

Mayank Singhal

Feb 14, 2013, 3:16:38 PM
to wncc_iitb
^ How would that solve anything?

Mayank Singhal

Gopala Krishnan

Feb 14, 2013, 6:56:51 PM
to wncc...@googlegroups.com

Having SSL would safeguard users' data by encryption, and that has nothing to do with the site's security (from vulnerabilities like SQL injection). I have a few years of site building and was the victim of quite a number of attacks. Here's my two cents:

1. Have dedicated hosting (at least a VPS) with a unique IP. This will prevent problems from bad neighbours caused by shared hosting. Currently 4262 sites are hosted on the same server as Moodi.org. Your current hosting has got VPS plans. Though it will be a little more expensive than shared hosting, it's worth the money (considering sponsorship for Moodi and the pride of IIT Bombay).

2. Follow any widely used MVC framework for coding and DB connection. Never code from scratch.





Pal

Twishmay Shankar

Feb 14, 2013, 11:30:50 PM
to wncc...@googlegroups.com
Ah! but the caveats about these two points:

1) You're up for big trouble with dedicated hosting unless you know how to configure the server against attacks. Default settings are usually always open to some attack or the other.

2) If you're not patching up with the latest... call an ambulance already. Much easier to attack against popular frameworks as the exploits are extremely well documented and presented ;-). 

Best Regards, 

Twishmay Shankar
Rothschild

Sudarshan Wadkar

Feb 15, 2013, 1:08:14 AM
to wncc...@googlegroups.com
These events clearly bring forth the need and importance of SysAds. A developer needn't bother about all the patches and system related vulnerabilities.

-S

Santosh Ananthakrishnan

Feb 15, 2013, 1:46:13 AM
to wncc...@googlegroups.com
It is most unfortunate that attackers are writing sloppy exploit code, and
forgetting to set the evil bit, thus evading detection.

Sudarshan Wadkar

Feb 15, 2013, 2:42:44 PM
to wncc...@googlegroups.com
These are the dark-hats my friend. Only a white-hat respects the evil_bit :)
Also, doesn't make sense for someone creating havoc on a Valentine's Day to follow an April fool's tradition.

-S

Mayank Singhal

Feb 15, 2013, 3:19:49 PM
to wncc_iitb
> Never code from scratch.
That's a bold statement. Coding from scratch has its benefits. One such benefit being learning to code from scratch. And I hope that one of the goals of MI is that the organizers (not just the freshies, I mean everyone) get to learn something new, useful and interesting.

Anyway, using a standard framework is vulnerable to mass attacks.
> Hacker discovers/learns about some vulnerability in a framework.
> Hacker targets all unpatched websites using that framework.

As is the case with VPS/SelfHosting, you need to continuously patch your framework with security updates as well.

Mayank Singhal

Sudarshan Wadkar

Feb 15, 2013, 3:23:24 PM
to wncc...@googlegroups.com
On Sat, Feb 16, 2013 at 1:49 AM, Mayank Singhal <manku....@gmail.com> wrote:
> As is the case with VPS/SelfHosting, you need to continuously patch your framework with security updates as well.

nikhil simha

Feb 15, 2013, 3:34:32 PM
to wncc...@googlegroups.com
@Mayank
'standard framework is vulnerable to mass attacks.'??
Let's think about this for a while,
1) 'Standard' frameworks are standard for a reason. Do you think a fresher would take care of CSRF (cross site request forgery), XSS, and SQL injection in his code? I am not sure how many on this thread really understand these methods (no offence to anyone, I am talking probability here).
2) People who write these 'Standard' frameworks do really make sure you are guarded from these attacks.
3) Attackers would be more familiar with standard methods of attack (mentioned above) rather than a particular method of attack that applies to a particular framework.
4) A framework in itself means that it 'helps' you maintain certain coding standards (patterns for reusable code like MVC), which tends to save a lot of time.
5) Working with different frameworks gets you more familiar with very essential concepts like thread pools, server/client caching, sockets, threadpools, queue processing schemes etc.
6) And the most important point is, it is a sheer waste of time and effort.

Maybe I am being a bit bold here, but I think the statement is analogous to 'why don't you write a compiler for your own language in assembly code', and downright stupid.


On Sat, Feb 16, 2013 at 1:49 AM, Mayank Singhal <manku....@gmail.com> wrote:

Amol Mandhane

Feb 16, 2013, 1:00:31 AM
to Web and Coding Club IITB
Standard frameworks have preventive measures for most of the attacks like XSS, CSRF. It is a good practice to use those in applications. But, as Mayank pointed out, these are open source. If some Black Hat finds out some bugs and doesn't report them, your application is vulnerable.

The recent Rails YAML exploit is a good example of this. Rails is one of the most popular web frameworks. Yet, it had a bug of severity, I would say, apocalyptic. If any big company runs its applications on Rails, there was a high chance that some black hats could have taken those down. In fact, if those companies don't have their own servers, it'll be difficult to find out if they are already compromised.


To give my personal opinion, if you are making some large scale application, you should go from scratch. You can always take reference from the frameworks.


nikhil simha

Feb 14, 2013, 11:53:12 PM
to wncc...@googlegroups.com
@Twishmay
1) Wrong: 'default settings are open to attacks', dude, really??
2) Wrong: frameworks guard you against popular exploits (Gopal gave an example there, SQL injection)

Just out of curiosity, do you think people who write these frameworks and use them are not better than/comparable to you?


On Fri, Feb 15, 2013 at 10:00 AM, Twishmay Shankar <twis...@gmail.com> wrote:

Abhinav Gupta

Feb 16, 2013, 12:07:17 AM
to wncc...@googlegroups.com
Knowing how to code from scratch is important.

I am a fresher and yes, I would take care of all that stuff BECAUSE I learnt to code from scratch and understood the security issues involved. But of course, if I had to start off something, I would end up using a framework, because it saves shit loads of time and known vulnerabilities have already been taken care of.

Mayank Singhal

Feb 17, 2013, 5:07:12 AM
to wncc_iitb
@Nikhil
I don't think Twish argued against frameworks. I did, and so I will be the devil's advocate.

Firstly, I am not suggesting that people not use them. You are making a strawman. I am merely pointing out that using a framework doesn't guarantee protection, and making a statement like that sounds like "Use a framework and you will be safe", which is wrong advice.

Secondly, there are no 'standard' frameworks. And that is so because they are not standards. Each of them serves a very specific use case and each of them has its flaws. While some focus a lot on quick prototyping, others expose less attack surface.

To address your individual points:
  1. No, a fresher might not be able to counter all things: SQL Injection, CSRF, XSS and a dozen other acronyms. But he/she is not required to tackle all issues anyway. Most freshers are not writing mission critical software. When they do, they would have probably read enough to make a good call.
  2. People who write this software are still human. And these codebases are huge! And the bigger the codebase is, the larger the number of bugs is likely to be. Some of which might end up leaving the package very vulnerable. Using Symfony or ExpressJS to serve a single static resume might bring you more harm than good.
  3. Sure. But is your website really that important that a hacker will study it and then try to use what technique might work? Every new site is kind of unfamiliar to an attacker. Yes, this is security by obscurity. And as much as it may be hated in the theoretical realm, the real world always uses it as a first layer. Of course, there are 10 dozen other layers malicious adventurers have to break through.
  4. We are talking security, not ease of use. And more so, we are talking about people who want/need to learn how to write code, not use automagical code generation in a framework.
  5. Nobody works with 10 different frameworks. Nearly all frameworks consume enough time and devotion before someone can assume they can tackle nearly all possible things through it. Call me stupid, but I am exceptionally slow at this. And as much as I want to learn Symfony, CakePHP, RoR, Django, CodeIgniter, Backbone.js, Angular.js, Ember.js, GWT, Arc, HappStack, Socket.io, Spring and GoWeb, I don't have the energy. And it's not just this: I will also have to explore CoffeeScript, SASS, LESS, Dart and Closure on the client side and at least a dozen languages on the server side. So no, working with a framework only makes one comfortable with that particular framework. It might introduce them to a bunch of jargon, but for 90% of it, they will never need to learn anything about it because it will Just Work™ because of framework magic.
  6. Well, so is college, if the academic value is not counted.
The other two points should actually be about dedicated hosting (hence not shared) and maintaining things by yourself (instead of just frameworks; Twishmay was addressing issues with dedicated hosting). I will just couple them together:
  1. 'default settings are open to attacks' - He was talking about self hosting. And yes. To give you some examples:
    1. Default password of a root login to a LAMP stack's MySQL is 'password'
    2. Default placement of wp-config in WordPress is inside the WordPress folder itself, not outside public_html (or www). A *LOT* of people don't move it.
    3. There is usually no access control set for phpMyAdmin installations, not even a simple .htaccess based authentication. MoodIndigo's phpMyAdmin was public for ages.
    4. Most dedicated hosts require manual settings to secure SSH (using fail2ban) from brute force attacks.
  2. 'guard you against popular exploits' - Again, a strawman. He is mentioning that an out of date framework/package/server is very vulnerable. Check out the link that Sudhi had posted. It caters to a very specific need for people who use Rails. It tells them if they should be patching their Rails deployments today with the latest security patch. If you don't, your deployment might become vulnerable to a very generic hack.


Mayank Singhal

Amol Mandhane

Feb 17, 2013, 5:26:14 AM
to Web and Coding Club IITB
As Mayank pointed out, the people who write the frameworks are also human. The community does try to secure the "Standard Frameworks" against "popular exploits". But it doesn't mean that using those frameworks makes you bulletproof.

To prove the point, I offer this article. http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/


And as for the issue Twishmay addressed, you have to take extra precautions when using dedicated hosting. Those "Default settings" are vulnerable. I once hacked into (not really, read 'logged into') the Insti election MySQL server since they were using the "Default settings". I informed the tech people and got it fixed. If it had been a polt-stinking guy, it could have been a big mess.


There are some good practices I would like to point out.
1. Change all the default passwords of software like MySQL, FTP, phpMyAdmin etc.
2. Port scan your own servers, if using dedicated hosting. Try keeping all ports closed except the ones which are necessary (ports 80 and 443, for example).
3. Modify your phpMyAdmin so that it is not publicly accessible, even with a login.
4. If anyone knows any more stuff, add to the list.
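As an added example in the spirit of point 2 (not from anyone in this thread): a small audit that reads the listening sockets from `ss -tlnH` and reports every service bound to a public address whose port is not on an allowlist. The `ss` output below is constructed for the demo, and the allowlist of 80/443 is an assumption for a plain web host; adjust it for your own server.

```python
"""Listening-socket audit: flag publicly bound ports outside an allowlist.

Parses the output of `ss -tlnH` (iproute2, Linux). The sample output and the
allowlist below are constructed assumptions for the demonstration.
"""
import ipaddress
import subprocess

# Ports a plain web host needs reachable from outside. Anything else bound to
# a non-loopback address is reported. Assumption: adjust for your own server.
ALLOWED_PUBLIC_PORTS = {80, 443}

# Constructed sample of `ss -tlnH` (columns: State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 128 [::]:2087 [::]:*
LISTEN 0 128 [::1]:631 [::]:*
"""


def split_local(addr):
    """Split an ss local address such as '0.0.0.0:22' or '[::]:2087' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def is_public_bind(host):
    """True when the socket accepts connections from outside: a wildcard bind
    ('*', '', 0.0.0.0, ::) or any non-loopback address."""
    if host in ("*", ""):
        return True
    return not ipaddress.ip_address(host).is_loopback


def exposed_ports(ss_output, allowed=ALLOWED_PUBLIC_PORTS):
    """Return sorted (port, host) pairs that are publicly bound but not allowlisted."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        if is_public_bind(host) and port not in allowed:
            findings.add((port, host))
    return sorted(findings)


def audit_live_host():
    """Run the audit on this machine. Requires iproute2's `ss` with -H (no header)."""
    out = subprocess.run(["ss", "-tlnH"], capture_output=True, text=True, check=True).stdout
    return exposed_ports(out)


if __name__ == "__main__":
    for port, host in exposed_ports(SAMPLE_SS_OUTPUT):
        print(f"port {port} listens on {host}: firewall it or bind it to localhost")
```

On the sample this reports 22, 2087 and 3306; the loopback-only sockets on 9000 and 631 are not reachable from outside and are left alone.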

nikhil simha

Feb 17, 2013, 5:45:36 AM
to wncc...@googlegroups.com
On Sun, Feb 17, 2013 at 3:37 PM, Mayank Singhal <manku....@gmail.com> wrote:
> @Nikhil
> I don't think Twish argued against frameworks. I did, and so I will be the devil's advocate.
>
> Firstly, I am not suggesting that people not use them. You are making a strawman. I am merely pointing out that using a framework doesn't guarantee protection, and making a statement like that sounds like "Use a framework and you will be safe", which is wrong advice.

Agreed, but I never said any framework is absolutely safe; obviously I was speaking RELATIVELY, which is implied because we are comparing things.

> Secondly, there are no 'standard' frameworks. And that is so because they are not standards. Each of them serves a very specific use case and each of them has its flaws. While some focus a lot on quick prototyping, others expose less attack surface.

That is exactly what I meant by 'standard': these frameworks are written to serve a use case, and people (other programmers like you) use them because these frameworks serve these use cases really well.

> To address your individual points:
>   1. No, a fresher might not be able to counter all things: SQL Injection, CSRF, XSS and a dozen other acronyms. But he/she is not required to tackle all issues anyway. Most freshers are not writing mission critical software. When they do, they would have probably read enough to make a good call.

One wouldn't call the Moodi website mission critical; you need not be building rockets or writing code for an intelligence agency to use secure code.

>   2. People who write this software are still human. And these codebases are huge! And the bigger the codebase is, the larger the number of bugs is likely to be. Some of which might end up leaving the package very vulnerable. Using Symfony or ExpressJS to serve a single static resume might bring you more harm than good.

Yes, I would never advise one to use a framework to serve one's resume. But if you are implementing anything that has a login interface, or even does something as simple as accepting a form, you would be wasting valuable time.

>   3. Sure. But is your website really that important that a hacker will study it and then try to use what technique might work? Every new site is kind of unfamiliar to an attacker. Yes, this is security by obscurity. And as much as it may be hated in the theoretical realm, the real world always uses it as a first layer. Of course, there are 10 dozen other layers malicious adventurers have to break through.

You are arguing against yourself here: if security is not important then it makes more sense to use something that makes your development faster. And about 'security by obscurity', why do you assume a beginner's code is obscure?? Doesn't make sense. And on an unrelated note, I remember that phrase from the latest Bond movie SKYFALL.

>   4. We are talking security, not ease of use. And more so, we are talking about people who want/need to learn how to write code, not use automagical code generation in a framework.

I thought we were talking about people who wanted a 'good-enough' system (like Moodle) up and running in a short time.

>   5. Nobody works with 10 different frameworks. Nearly all frameworks consume enough time and devotion before someone can assume they can tackle nearly all possible things through it. Call me stupid, but I am exceptionally slow at this. And as much as I want to learn Symfony, CakePHP, RoR, Django, CodeIgniter, Backbone.js, Angular.js, Ember.js, GWT, Arc, HappStack, Socket.io, Spring and GoWeb, I don't have the energy. And it's not just this: I will also have to explore CoffeeScript, SASS, LESS, Dart and Closure on the client side and at least a dozen languages on the server side. So no, working with a framework only makes one comfortable with that particular framework. It might introduce them to a bunch of jargon, but for 90% of it, they will never need to learn anything about it because it will Just Work™ because of framework magic.

That is a lot of names!! I would never want to learn all of them; such a waste of time. Here comes the part where you do some RESEARCH and DECIDE what to use, based on the kind of resources you have.

>   6. Well, so is college, if the academic value is not counted.

This one is a good point (only if you are developing a templating engine or solving some interesting problem).

> The other two points should actually be about dedicated hosting (hence not shared) and maintaining things by yourself (instead of just frameworks; Twishmay was addressing issues with dedicated hosting). I will just couple them together:
>   1. 'default settings are open to attacks' - He was talking about self hosting. And yes. To give you some examples:
>     1. Default password of a root login to a LAMP stack's MySQL is 'password'

There is a reason why it is the default: easy to remember, and you are supposed to change it the moment you are using it for any production purpose. This one is a silly point.

>     2. Default placement of wp-config in WordPress is inside the WordPress folder itself, not outside public_html (or www). A *LOT* of people don't move it.

So what?

>     3. There is usually no access control set for phpMyAdmin installations, not even a simple .htaccess based authentication. MoodIndigo's phpMyAdmin was public for ages.

Again you are arguing against yourself; it is 'not set' by the people who are using it.

>     4. Most dedicated hosts require manual settings to secure SSH (using fail2ban) from brute force attacks.
>   2. 'guard you against popular exploits' - Again, a strawman. He is mentioning that an out of date framework/package/server is very vulnerable. Check out the link that Sudhi had posted. It caters to a very specific need for people who use Rails. It tells them if they should be patching their Rails deployments today with the latest security patch. If you don't, your deployment might become vulnerable to a very generic hack.

This doesn't make sense either: attacks against a framework are 'specific' to that framework, so why do you keep calling them 'generic hacks'? I mentioned some generic hacks in my previous mail, please refer to it.

While this is a really well written mail (excellent wording, no spelling and grammar mistakes, perfect use of punctuation, a lot of fancy phrases and words), the only point that even came close to making real sense is the academic value. Which I totally agree to (if your website is not just another data flow).

Mayank Singhal

Feb 17, 2013, 6:09:28 AM
to wncc_iitb
Now we are going in circles :)

By generic hack, I meant a hack that works for *all* deployments of a particular package. Something like this: http://www.theregister.co.uk/2013/01/10/ruby_on_rails_security_vuln/

Mayank Singhal

nikhil simha

Feb 17, 2013, 6:30:11 AM
to wncc...@googlegroups.com
fair point, we are going in circles. 
Here is an acid test for genericity of a hack, see if it has a name. 

Twishmay Shankar

Feb 17, 2013, 5:54:57 AM
to wncc...@googlegroups.com
Thanks Manku. My two bits to add from a time when rails were something only trains ran on:

What would a cracker like?

The discussions above about security have missed out a very important angle. More often than not, security measures are not about writing the most flawless bundle of code that will never be cracked (which is impossible). The practical way here is to make it really hard for the cracker to get in. What do I mean? 

Scenario: I am a cracker. I want to hack XXX.com.
Case1: It is written by some noob who has a pretty interesting life outside the box and believes the people who care about SQL injections do not get laid.
Case2: He already has a gf and hence chooses to save some time by using the most hip CMS / framework. 

When would I, the cracker be happier? 
Consider this: In case 1, the noob would make sure he removes slashes from inputs, manages auth layers and does the other usual shit he will read on googling "10 best ways to secure your website". Post these basic measures, it would take the cracker a considerable effort to get across. 

However, case2: the guy uses [coolest CMS ever] or [framework that offers the Grail]. I would find out the version. Order some beer. And sit back and relax, while checking through the 100 "exploits for dummies" websites that have dedicated professionals listing out exploits as and when they find them for all the latest popular software. It is only a matter of time when dinner is served and I eat my way through the poor guy's borrowed code. (Unless of course he updates, but he had a gf... remember?)  

The other important reason why I would like case 2 better... I have access to the source code! Cracking a website without the source is like repairing a car while sitting in the driver's seat. But of course there are 100 others trying to crack this popular framework anyway.

Not saying that you shouldn't use frameworks, but they are not invincible. And if you're heeding her advice about cutting down on your sys-ad time, someone is drinking beer... waiting for the service.

Best Regards, 

Twishmay Shankar
Rothschild


--

Shahansad K.P

Feb 17, 2013, 10:45:10 AM
to wncc_iitb

Extending all the arguments above, I have decided that I need to code up a new operating system for myself so as to keep my computer safe :P

Also, since Linux is open source, Windows must be way more secure.

Amol Mandhane

Feb 17, 2013, 11:10:12 AM
to Web and Coding Club IITB
If you have sufficient time in your life and the skills to surpass the security level of Linux, Windows and Mac, I highly recommend that you code up a new operating system.


And again, open source has no relation to the level of security. The way the code is written does.
Certainly, an open source framework with some security measures will be more secure than private source code written by a newbie which looks like (SELECT * FROM `users` WHERE `username` = $_POST['username'].......).

But, if you have sufficient skills, time and manpower, and your application requires a high level of security (if you are building a new Facebook, for example), I think it is better to code from scratch and create security measures from your knowledge about vulnerabilities.
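As an added example (not from anyone in the thread), here is the concatenated query Amol quotes, mirrored in Python with sqlite3, next to the parameterised form that closes the hole; the `users` table, its rows and the quoting around the input are constructed for the demo.

```python
"""The query pattern quoted in the thread, concatenated vs parameterised.

Standard library only. The users table and its rows are constructed sample data.
"""
import sqlite3

# Constructed sample rows standing in for the site's `users` table.
USERS = [("amol", "hash1"), ("viraj", "hash2"), ("admin", "hash3")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concatenated(conn, username):
    """The pattern from the thread: request input pasted straight into the SQL
    text. The quotes are what a PHP author would typically put around
    $_POST['username']; they do not help, because the input can close them."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, username):
    """Same query with a bound parameter. The driver passes the value
    separately from the statement, so the input is only ever compared as data
    and can never change the shape of the WHERE clause."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# The textbook tautology that breaks the concatenated form: the clause becomes
# username = '' OR '1'='1', which is true for every row in the table.
TAUTOLOGY = "' OR '1'='1"


def demo():
    """Run both lookups on a normal username and on the tautology."""
    conn = make_db()
    return {
        "concat_normal": lookup_concatenated(conn, "viraj"),
        "concat_tautology": lookup_concatenated(conn, TAUTOLOGY),
        "param_normal": lookup_parameterised(conn, "viraj"),
        "param_tautology": lookup_parameterised(conn, TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated lookup returns the whole table for the tautology, while the parameterised lookup returns nothing, because no user is literally named `' OR '1'='1`.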

shahansad

Feb 17, 2013, 6:06:44 PM
to wncc...@googlegroups.com
Finally! See, very few people have that level of skill. The requirement is that you build a better system than what a collection of very smart people with a ton of experience in what they are doing did. Also their code has been tested extensively by usage. So it is sound advice to say that "Use a well known framework; it will be safer than what you would code up".

From what I can read, you only advocate starting from scratch if your system requires a high level of security and the developers have sufficient skill, time and manpower, and the specific example in this case, Mood Indigo, doesn't satisfy even one of these. In fact it is nearly impossible that all these conditions hold for some individual person or even a start up in its nascent stages. It will turn out in most cases that the cost of recovering from a hack is way less than developing a system with lower chances of getting hacked.

As for the other argument of learning about coding from scratch, I would suggest that you try and get yourself familiar with one of these frameworks' code base and design documentation. That will teach you way more and maybe you can contribute to it later on.

shahansad
Sent with Sparrow

--

Mayank Singhal

Feb 17, 2013, 6:29:00 PM
to wncc_iitb
> That will teach you way more and maybe you can contribute to it later on.

I disagree :)
If you want to learn, code from scratch. If you want to build and deploy (and do it very quickly), use a framework. Largely, most of the learning time you will spend with a framework will be spent on understanding the nomenclature, organisation and nuances.

Mayank Singhal

Shahansad K.P

Feb 17, 2013, 7:01:55 PM
to wncc_iitb
I suggested diving into the code and not just using it. To use a framework you don't have to look into the source code. This is a completely separate step. In essence what I am saying is this:

If you want to build and deploy, use a framework, and this time read the user's manual. If you want to educate yourself more (this won't help you much in using this framework), try reading the design documentation and source code.

The problem is that there is no structured knowledge source when you are "starting from scratch". You are likely to not notice most of the problems. Even for the ones you noticed and conjured up a solution for, there is no way of knowing how good it is. A large part of maturing as a software engineer is solving it in the correct way rather than just solving it.

But in the end it could just be that we learn differently :)

harshit mittal

Feb 18, 2013, 1:43:28 AM
to wncc...@googlegroups.com
To this discussion I would sign off with a well written article I read a few days back. http://www.joelonsoftware.com/articles/LeakyAbstractions.html
What one has to realize is that web frameworks are just an abstraction of the underlying PHP/HTML/JavaScript/Ruby and tons of other stuff used in delivering content over the internet, and it's good to understand how the underlying entity works for:
1. clarity of thought while using/designing your app on the framework,
2. using the framework in the most efficient way (not necessarily achieved by reading the source code; they tend to be huge),
3. knowing and possibly fixing the limitations of the framework,
4. personally, I am at peace when I know what is swept under the rug,
5. and last but not least, to effectively manage the security of the system OR not lose your calm under pressure.

Now this is not generally true but rookies prefer using the framework because they don't want to look at the underlying entity. There are those who don't fall for that but that comes only after understanding what abstractions really are and taking them at face value and nothing more.


--
Cheers!
Harshit

Manish Goregaokar

Feb 18, 2013, 2:57:29 AM
to wncc...@googlegroups.com
This debate was quite interesting, so I asked about it on the Security Stack Exchange: http://security.stackexchange.com/q/31049/7497, and got some good answers :) You may find them interesting.

-Manish Goregaokar


On Mon, Feb 18, 2013 at 5:31 AM, Shahansad K.P <shah...@gmail.com> wrote:

Mayank Singhal

Feb 18, 2013, 3:50:47 AM
to wncc_iitb
Again, to be clear I was not arguing that coding from scratch is better (more precisely, secure) than using a framework. I was trying to say that:
  1. Coding from scratch is a great learning experience and absolutely essential if you want to move past the MVC app level of understanding. 
  2. Using a framework doesn't guarantee security.

Mayank Singhal

Sudarshan Wadkar

Feb 18, 2013, 12:19:05 PM
to wncc...@googlegroups.com
OMG! Seriously guys, very good posts, arguments etc. But if you haven't read this one yet, I beg you, please do. Even if you don't understand an iota of any web-thingy. You use internet? Please read that article!

/me feels completely lost and heartbroken.

-Sudhi :'(