Month: February 2007

  • On injections

A fair number of years ago, I had the “pleasure” of reviewing an application written in ASP. Unfortunately, it had over 2000 SQL injections. I do not know what happened to the company, which produced legal case management software, but it would have taken a great deal of work to re-engineer the code to be safe. Why then, some six years later, are injections still all the rage?

Injections are, to put it in the simplest possible terms, the result of intermingling instructions with potentially hostile user-supplied data: the same string carries both the command and the attacker’s input, and the parser cannot tell where one stops and the other starts. This paradigm, although powerful, has failed. As Dr Phil says, “how’s that working for ya?”

    So we have to move on. Luckily, this post is not all bad.

    HTML injections

It’s becoming increasingly hard to ensure that output is properly encoded, especially as I18N becomes more popular. Will encoding data to be XSS-safe still be viewable to non-US readers? Hard to say. I’ve been working with Benjamin Field (or more precisely, I farmed it out to him) on re-implementing the Microsoft AntiXSS library API in PHP. This is nearly done. Once it is ready, we’ll make it available.

However, I’m still worried, as it’s not the simplest, default way to output. When the simplest way to output is wrong from a security standpoint, mistakes will be made.

    SQL injections

Seriously, we have the technology to stop these today. Both strongly typed parameterized queries (a.k.a. bound statements) and most forms of ORMs and Active Record systems are SQL injection resistant, because the query text is fixed before any user data is attached to it. Stored procedures are mostly safe, but become injectable the moment a certain lack of care is demonstrated: a procedure that concatenates one of its arguments into a string and then executes that string as dynamic SQL is no safer than the ASP code above.
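To make the contrast concrete, here is an added example (my own code, not from the post) showing the string-built login query beside its bound-parameter form. It uses Python’s built-in sqlite3 module with an in-memory database and a constructed `users` table, so it runs offline; the table layout, the sample accounts and the plain-text passwords are all assumptions made to keep the injection the only thing on show.

```python
"""SQL injection: a string-built query beside its parameterized form (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data.  Plain-text passwords are a deliberate simplification
    so that the query, not the password storage, is what the example is about."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Instructions and data intermingled: the user's quotes become part of the SQL.

    A password of  ' OR '1'='1  turns the WHERE clause into
    username = 'alice' AND password = '' OR '1'='1'  and a username of
    alice' --  comments the password check away entirely.
    """
    sql = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Bound parameters: the query text never changes, the values travel separately,
    so a quote in the input is just a quote inside a string value."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, injected password:", login_vulnerable(conn, "alice", payload))
    print("vulnerable, commented-out check:", login_vulnerable(conn, "alice' --", "wrong"))
    print("safe, injected password:       ", login_safe(conn, "alice", payload))
    print("safe, real credentials:        ", login_safe(conn, "bob", "hunter2"))
```

Note that the two functions share the same SQL text; the only difference is whether the values are spliced into that text or bound to it. That is also the test to apply to a stored procedure: if anywhere inside it an argument is concatenated into a string that is then executed, the procedure is the `login_vulnerable` case wearing a different hat.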

    LDAP injections

Want to be someone else? It’s easy today. This is the great unexploited attack vector for *serious* applications. Toy apps don’t use LDAP, so most researchers do not concentrate on it. But you betcha that most large orgs and govt types have signed up for the “SSO magic bullet” and landed themselves with an LDAP-shaped white elephant. They may not even be aware that they are running LDAP; it’s certainly not made clear in many of the marketing materials. How do architects who have never coded understand the risks?

Today’s LDAP code is eerily reminiscent of the SQL days of yore. Here’s a typical LDAP login method (I have worse, but for this I’ve borrowed from php.net’s manual page):


    $ds = ldap_connect($ldaphost, $ldapport) or die("Could not connect to $ldaphost");

    if ($ds) {
        // The manual hard-codes these; in a real login they come straight from the request
        $username = "some_user";
        $upasswd = "secret";
        // The bind DN is assembled by string interpolation: $username is never escaped
        $binddn = "uid=$username,ou=people,dc=yourdomain,dc=com";
        $ldapbind = ldap_bind($ds, $binddn, $upasswd);

        if ($ldapbind) {
            // The same unvalidated $username goes back to the browser unencoded
            print "Congratulations! $username is authenticated.";
        }
        else {
            print "Nice try, kid. Better luck next time!";
        }
    }

Once $username comes from the request, not only can you choose your location within the LDAP tree (a comma in the username adds RDNs to the bind DN, since nothing is escaped), you can also do XSS if you’re clever, because the same string is echoed back unencoded in the “Congratulations” message. And on directories that treat a bind with a DN and an empty password as an anonymous bind, an empty $upasswd makes ldap_bind() return true as well.
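What the safe version of that login looks like, as an added example (my own code, neither the post’s nor php.net’s): the DN value is escaped per RFC 4514 and any search filter value per RFC 4515, a whitelist rejects usernames that have no business in a DN, and an empty password is refused before it ever reaches the directory. The base DN matches the post; the username policy and the `objectClass=person` filter are my assumptions. No directory is contacted, so the block runs offline and only shows how the strings are built.

```python
"""LDAP injection: DN and filter escaping for the post's bind-based login (added example)."""
import re

BASE_DN = "ou=people,dc=yourdomain,dc=com"   # same tree as the post

# RFC 4514 section 2.4: characters that must be escaped anywhere in an attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")          # a leading '#' would introduce a hex-encoded value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")          # leading and trailing spaces are significant
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: escape an assertion value for use in a search filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def bind_dn_vulnerable(username: str) -> str:
    """The post's pattern: the DN is whatever the user makes it."""
    return f"uid={username},{BASE_DN}"


def bind_dn_safe(username: str, password: str) -> str:
    """Validate, then escape; raise ValueError rather than bind with bad input.

    The empty-password check matters because some directory servers treat a bind
    with a DN and an empty password as an anonymous bind that succeeds.  The
    whitelist is an assumed site policy; escaping after it is defence in depth.
    """
    if not password:
        raise ValueError("empty password would become an anonymous bind")
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", username):
        raise ValueError("username contains characters outside the allowed set")
    return f"uid={escape_dn_value(username)},{BASE_DN}"


def search_filter_safe(username: str) -> str:
    """Equality filter for looking a user up before binding, with the value escaped."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


if __name__ == "__main__":
    evil = "admin,ou=admins"                       # constructed attacker input
    print(bind_dn_vulnerable(evil))                # extra RDNs injected into the DN
    print(f"uid={escape_dn_value(evil)},{BASE_DN}")  # the comma is now part of the uid
    print(search_filter_safe("*)(uid=*"))          # wildcard and parentheses neutralised
```

The escaping functions are only half of it: the DN whitelist is what keeps the decision simple to audit, and the empty-password check is the one most login code forgets, because ldap_bind() happily returns true on a server that allowed the unauthenticated bind.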

    XML

    Don’t even get me started. Creating uninjectable XML functionality is a PhD in itself, and once it’s done, I doubt the resulting XML would be anywhere near as useful as it is today.

Injections will continue to occur for the same reason the USA still has pennies and $1 bills: the old form was never removed from circulation. This is the only solution: ensure the safer method is available by default (and is the easiest method to use), and remove the old unsafe methods. Make it HARD or IMPOSSIBLE to do it badly.

  • Patently evil

    Mark Curphey, a really smart guy I respect for his work founding OWASP and creating the first edition of the Guide, lost a goodly percentage of my respect today:

    I did some patent review work in Dallas recently. I traded my security consulting time to a company who in return provided their legal firms time for my patents. I have been living and breathing patent strategies for the last few weeks.

One of our advisors sent me back comments to a provisional “elevator pitch” I put together. As always brilliant feedback and very valuable suggestions. Surround yourself with brilliant people and it’s hard to fail!

    As a customer of many companies, the thing I worry about the least is whether they’ve spent effort on things which add no value to me. I worry extensively about small companies that invest valuable time and money on worthless pursuits, such as patents or marketing when there’s no products to be had. Of course, this list is missing the vast majority of the real wasters.

There is no point in investing in or buying into any company who burns valuable startup resources on worthless evil patents. Focus on beating your competition by simply being better than them or offering a unique service… and then do it again a little later so your competition still has to catch you. The world does not owe you a 17-year license to sit on your arse, milk consumers and stifle competition.

    Patents are evil on so many fronts, it’s hard to list them all. Here’s some that come to mind:

• Money is wasted on patent lawyers. Patent lawyers are a pestilence on society. Sorry, Jeff, but I’m so glad you got out of that game.
• Patents add no value to the economy of ideas or the general economy. They produce no value to a nation’s GDP, but hold back competition and a natural market’s growth.
• Patents are an anticompetitive weapon to squish competition who came up with fundamentally the same idea as you but foolishly or bravely chose not to patent the patently obvious.
    • Patents are not assets until they earn income by squishing the competition or milking other companies for licensing fees, milking the consumer or pure extortion cos they have no choice but to buy from a limited, stifled market. Patent battles are only useful after point (1) has wasted a six figure to seven figure sum for your average fight on worthless patent lawyers and mucky court battles.
    • Sooner or later, all the patentable ideas will have been patented (many patents already significantly overlap), and it’s just who has the most serious patent lawyers and deepest pockets who can dictate who can innovate or provide services.

    This is wrong. Imagine how many schools and hospitals could be built in third world countries for the value of the patent battles and licensing fees in the Valley alone. Patents are an insufferable evilness and must not be allowed to pass.

    Mark, there’s no point in trying to ensure you don’t fail, you’ve already failed for being the latest sucker to take the poisoned patent chalice. You founded OWASP on the basis of openness and inclusion in an industry notorious for its secretive and proprietary ways. Reconsider before joining the dark side.