Myth Buster I: Input Validation is a Panacea

No Phishing Allowed

January 16

"You'll see the typical security geek saying, 'People are dumb, people are stupid, they're never going to be trained,'." said Rohyt Belani, PhishMe co-founder and CEO. "We have statistics to prove otherwise."
PhishMe Twitter
- Zappos customers, make sure you look out for phishing emails: http://t.co/xcavPbOs 03:51:21 PM January 26, 2012 from CoTweet Reply Retweet Favorite
- The importance of educating users to spot potential attacks is talked about in article about DoD ID card attack: http://t.co/jRnL7AXB 04:06:34 PM January 18, 2012 from CoTweet Reply Retweet Favorite
@phishme
Blogroll
Links
- Intrepidus Group
- Layered Security
Archives


	« Mobile Security: Passwords (you are still the weakest link) Myth Buster II: We’ve Never Been Hacked »


	Myth Buster I: Input Validation is a Panacea October 29th, 2007 by Rohyt Till a couple of years ago, the input validation wand could be waved to solve almost any application security flaw – XSS, SQL Injection, Response Splitting, and the list goes on. That made it easy to become an application security consultant. If you could chant the “Input Validation” mantra you would be right most of the time. The advent of attacks like cross-site request forgery (which I prefer to call session riding) and session fixation, however, have made it difficult to pull off the input validation bluff. Let’s talk about Cross Site Request Forgeries (XSRF) for starters. Corey Benninger explained the difference between the often confused XSS and XSRF in a previous blog post. The root cause of XSRF is the predicability of key HTTP requests that result in transactions with signifcant impacts. E.g. If the HTTP request for transfering funds from one account to another is – http://www.hellobank.com/transfer.aspx?amt=1000&srcacct=1001829&srcaba=021000091&dstacct=9008990&dstaba=012000076 an attacker can lure a victim to visiting a web page, that in the “background” executes such a request to transfer funds from the victim’s bank account to that of the attackers. If the victim is logged in to his/her online bank then this transaction will execute successfully. The systemic issue is the predicability of the HTTP request. The way to thwart such an attack is to introduce a random element in every request to transfer funds, and more importantly verify that the random token has not been tampered with. Now on to session fixation. The potential impact of exploitation of this vulnerability is often underestimated; for those that feel that this is a “Medium” or “Low” risk issue check out my BlackHat 2006 presentation. The fix for this issue is real simple – invalidate and re-issue user sessions after critical events like login, and switching from non-SSL to SSL on the website. It’s not input validation though. I started thinking about this post while teaching my class at Carnegie Mellon University. One of the students came up to me after the web hacking class and asked me “What is the ONE thing I should take away from this session”. I said – ”If it had to be ONE thing for application security it would still be Input Validation, but hopefully you didn’t just learn ONE thing”
	This entry was posted on Monday, October 29th, 2007 at 10:14 am and is filed under Techno, Web Apps. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site. 662 Responses2007-10-29+15%3A14%3A31Rohyt to “Myth Buster I: Input Validation is a Panacea” porn clips download says: January 3, 2012 at 12:43 pm Some really prize blog posts on this internet site , saved to my bookmarks . Reply Toney James says: January 3, 2012 at 1:27 pm Repair work is also a highly regarded service a residential electrician offers. You can get a fixture replaced, an outlet checked, wires repaired, and everything else dealing with power in your home fixed by a licensed electrician. Reply Leave a Reply Click here to cancel reply. Name (required) Mail (will not be published) (required) Website