Myth Buster I: Input Validation is a Panacea
Until a couple of years ago, the input validation wand could be waved to solve almost any application security flaw – XSS, SQL Injection, Response Splitting, and the list goes on. That made it easy to become an application security consultant. If you could chant the “Input Validation” mantra you would be right most of the time. The advent of attacks like cross-site request forgery (which I prefer to call session riding) and session fixation, however, has made it difficult to pull off the input validation bluff.
Let’s talk about Cross Site Request Forgeries (XSRF) for starters. Corey Benninger explained the difference between the often confused XSS and XSRF in a previous blog post. The root cause of XSRF is the predictability of key HTTP requests that result in transactions with significant impacts.
E.g. if the HTTP request for transferring funds from one account to another is – http://www.hellobank.com/transfer.aspx?amt=1000&srcacct=1001829&srcaba=021000091&dstacct=9008990&dstaba=012000076
an attacker can lure a victim into visiting a web page that, in the “background”, executes such a request to transfer funds from the victim’s bank account to that of the attacker. If the victim is logged in to his/her online bank then this transaction will execute successfully. The systemic issue is the predictability of the HTTP request. The way to thwart such an attack is to introduce a random element in every request to transfer funds and, more importantly, verify on the server that the random token is present and has not been tampered with.
Now on to session fixation. The potential impact of exploitation of this vulnerability is often underestimated; for those that feel that this is a “Medium” or “Low” risk issue, check out my BlackHat 2006 presentation. The fix for this issue is really simple – invalidate and re-issue user sessions after critical events like login and switching from non-SSL to SSL on the website. It’s not input validation though.
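Both fixes described above (a per-session random token checked on every transfer request, and re-issuing the session id at login) in one added Python example; this is not code from the original post, and the in-memory session store, function names and form field names are assumptions made here.

```python
import hmac
import secrets

# Minimal in-memory session store (constructed for this example; a real
# application would use its framework's session handling).
SESSIONS = {}  # session_id -> {"user": str, "csrf": str}


def new_session(user):
    """Create a fresh session id and a per-session anti-XSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def login(old_sid, user):
    """Session fixation fix: discard whatever session id the client arrived
    with and re-issue a new one after successful authentication."""
    SESSIONS.pop(old_sid, None)
    return new_session(user)


def transfer(sid, form):
    """Handle the funds-transfer request. It is honoured only when the
    submitted token matches the one tied to the caller's session, so a
    request forged from another site (which cannot read the token) fails."""
    session = SESSIONS.get(sid)
    if session is None:
        return "error: not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return "error: invalid or missing XSRF token"
    return f"transferred {form['amt']} from {form['srcacct']} to {form['dstacct']}"


def demo():
    # A session id the client arrived with is replaced at login.
    pre_login = "client-presented-id"
    sid = login(pre_login, "alice")
    assert sid != pre_login and pre_login not in SESSIONS
    # Legitimate request built from the bank's own page carries the token.
    good = {"amt": "1000", "srcacct": "1001829", "dstacct": "9008990",
            "csrf_token": SESSIONS[sid]["csrf"]}
    # Request issued from a third-party page: same session, but no token.
    forged = {"amt": "1000", "srcacct": "1001829", "dstacct": "9008990"}
    return transfer(sid, good), transfer(sid, forged)
```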
I started thinking about this post while teaching my class at Carnegie Mellon University. One of the students came up to me after the web hacking class and asked me, “What is the ONE thing I should take away from this session?” I said – “If it had to be ONE thing for application security it would still be Input Validation, but hopefully you didn’t just learn ONE thing.”
As a very interested party, but someone who is not knowledgeable of what standards, if any, exist to allow for useful and meaningful security and trust enforcement, analysis, etc., I think you’re both right. Most mainstream security vendors that provide various types of firewalls and “Internet security” products seem to fall into the trap described by Maslow: when the only tool you have is a hammer, everything starts looking like a nail. It’s imperative for us to have anti-virus and other anti-malware components on our systems, but more and more, release after release, these tools get more and more bloated, and they continue to slow down and/or interrupt every aspect of using my computer. The problem of too little attention, as Steve commented on, has manifested itself in the form of what appears to be few good (if any) interfaces for inspecting and assessing security, trust, threats, etc. in web applications, all the while fattening up existing security products to provide a false sense of security.