Zed Goes Off About Mongrel
Hey, alright. Lots of good stuff in this interview with Zed Shaw, the creator of the Mongrel web server. We don’t get to hear much from him, because he really is incredibly productive. But it’s good to hear about his design choices behind Mongrel.
In the EastMedia/VeriSign project we were seeing a bunch of attack attempts from a “security company”. [...] After they ran the automated scans we saw a few “hand coded” attacks which probably means someone at this “security company” was very intrigued by what Mongrel was doing.
The funniest part of this is that all Mongrel does is use a correctly coded parser based on a real grammar and a parser generator (Ragel). Other web servers use hand coded HTTP parsers that turn out to be vulnerable, difficult to compare to the real HTTP 1.1 RFC grammar, and are just a pain to manage. Using Ragel makes Mongrel robust against many of these attacks without actually having to create specific logic for detecting “attacks”.
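To illustrate the point Zed is making, here is an added example (written for this post; it is not Mongrel's parser and not Ragel output): a strict parser whose regular expressions are lifted from the RFC 2616 productions for token, Request-Line and message-header, next to a lenient split-on-whitespace parser of the hand-coded kind. The sample requests are constructed for the demo, and the StrictHttp/LenientHttp names and the size limits are assumptions. The strict parser has no notion of an "attack"; it simply refuses anything the grammar does not produce, which is exactly what knocks out the tab-separated, bare-LF and control-character probes that the lenient one swallows.

```ruby
# Added example: grammar-derived HTTP/1.1 request parsing versus a lenient
# hand-rolled parser. Not Mongrel code; the productions below are hand-copied
# from RFC 2616 sections 2.2, 5.1 and 4.2 rather than generated by Ragel.

module StrictHttp
  # token = 1*<any CHAR except CTLs or separators>   (RFC 2616 2.2)
  TOKEN   = /[!\#\$%&'*+\-.^_`|~0-9A-Za-z]+/
  # Request-URI restricted to printable ASCII; no SP, CTLs or 8-bit bytes.
  URI     = /[\x21-\x7E]+/
  VERSION = /HTTP\/\d+\.\d+/
  # Request-Line = Method SP Request-URI SP HTTP-Version CRLF   (5.1)
  REQUEST_LINE = /\A(#{TOKEN}) (#{URI}) (#{VERSION})\r\n/
  # message-header = field-name ":" [ field-value ] CRLF, no CTLs in value (4.2)
  HEADER = /\A(#{TOKEN}):[ \t]*([\x20-\x7E\t]*)\r\n/

  class ParseError < StandardError; end

  MAX_REQUEST_LINE = 8192   # assumed limit; Mongrel has its own
  MAX_HEADERS      = 100    # assumed limit

  # Returns {method:, uri:, version:, headers:} or raises ParseError.
  # Anything not produced by the grammar above is rejected outright.
  def self.parse(raw)
    m = REQUEST_LINE.match(raw)
    raise ParseError, "bad request line" unless m
    raise ParseError, "request line too long" if m[0].length > MAX_REQUEST_LINE
    req  = { method: m[1], uri: m[2], version: m[3], headers: {} }
    rest = m.post_match
    until rest.start_with?("\r\n")            # empty line ends the headers
      h = HEADER.match(rest)
      raise ParseError, "bad header" unless h
      raise ParseError, "too many headers" if req[:headers].size >= MAX_HEADERS
      req[:headers][h[1].downcase] = h[2].rstrip
      rest = h.post_match
    end
    req
  end
end

module LenientHttp
  # The "split on whitespace" style of hand-coded parser Zed is contrasting.
  # It never consults the RFC grammar, so it accepts almost anything.
  def self.parse(raw)
    lines = raw.split(/\r?\n/)
    method, uri, version = lines.shift.to_s.split(/\s+/)
    headers = {}
    lines.each do |l|
      break if l.empty?
      k, v = l.split(":", 2)
      headers[k.to_s.strip.downcase] = v.to_s.strip
    end
    { method: method, uri: uri, version: version, headers: headers }
  end
end

# Constructed sample requests: one well-formed, five of the kind a scanner
# or a hand-written probe tends to send.
SAMPLES = {
  "valid"         => "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
  "tab_separator" => "GET\t/index.html\tHTTP/1.1\r\nHost: x\r\n\r\n",
  "ctl_in_method" => "G\x00ET / HTTP/1.1\r\nHost: x\r\n\r\n",
  "bare_lf"       => "GET / HTTP/1.1\nHost: x\n\n",
  "ctl_in_header" => "GET / HTTP/1.1\r\nHost: x\x07y\r\n\r\n",
  "no_version"    => "GET /\r\nHost: x\r\n\r\n",
}

# true if the given parser accepts the raw request, false if it rejects it.
def accepts(parser, raw)
  parser.parse(raw)
  true
rescue StandardError
  false
end

if __FILE__ == $0
  printf("%-14s %-8s %-8s\n", "sample", "lenient", "strict")
  SAMPLES.each do |name, raw|
    printf("%-14s %-8s %-8s\n", name, accepts(LenientHttp, raw), accepts(StrictHttp, raw))
  end
end
```

Run it and the table shows the lenient parser accepting all six inputs while the strict one accepts only "valid". Note that the rejection of the bare-LF request is a consequence of encoding CRLF in the Request-Line production, not of a rule written to catch line-ending tricks; that is the difference between parsing the grammar and pattern-matching for attacks.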