Paco Hope wrote:
> On 8/16/07 7:44 PM, "silky" <[EMAIL PROTECTED]> wrote:
> > how is this different than sending malformed packets to an rpc interface?
> ...
> Now I'll gently disagree with Gary, who is my boss, so you know I'll hear
> about it in the hallways... I think this feels more like "privilege
> escalation" than "insider threat." The distinction being that these attacks
> allow an authorized user who has limited privileges to escalate their
> privileges and do things that they shouldn't be able to do. An insider (to
> me) is a person who already had that privilege and status when they started
> their attack. (Read Kevin Wall's follow-up on darkreading.com; he has good
> things to say on who are insiders and outsiders.) Where we are prone to
> confusion, I think, is that outsiders or limited authorized users can have
> the same IMPACT as an insider, when the privilege escalation is sufficiently
> bad.

Gary has an interesting but fairly obvious idea, that AJAX clients are exceptionally vulnerable to the environment they run in. Said clients are also part of a distributed computing system between the AJAX client, the web front end, and whatever back-end systems are involved.

Is this an "insider" threat? Only if the people who coded the server were dumb enough to treat the AJAX client as if it were an insider component. Never do that. This is web security 101: always, always, always check your input parameters, and especially if they are coming from a web client. There is a risk here that AJAX developers will get confused, lazy, or sloppy about whether the AJAX client component is trusted or not. It is not clear to me yet whether the AJAX dev tools that are emerging make that mistake pervasive, or if it requires a special kind of stupid to make that mistake. Is this really an insider threat? I think that is stretching things, but not a huge amount.

Gary also brings up references to his book on hacking games. Small-scale distributed games are the same as web apps; never trust the client. Large-scale MMORP games (everything from World of Warcraft to Second Life) are economically mandated to shift as much computational burden onto the client as possible, and that entails inevitably trusting the clients more than security really can tolerate. Such games are inherently insecure; look for more hacking to occur. Read more about it in this Oakland 2007 paper, with an interesting solution to this problem:

/Enforcing Semantic Integrity on Untrusted Clients in Networked Virtual Environments (Extended abstract)/
Somesh Jha, Stefan Katzenbeisser, Christian Schallhart, Helmut Veith and Stephen Chenney
http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourcePath=/dl/proceedings/&toc=comp/proceedings/sp/2007/2848/00/2848toc.xml&DOI=10.1109/SP.2007.3

Crispin

--
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering          http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
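The server-side rule Crispin states above (check every input parameter, and never treat the AJAX client as a trusted component), as an added example that is not part of the thread: a constructed "transfer" endpoint handled two ways, once believing the client's own account of who it is and once deriving identity from the server-side session and validating each field. The session ids, user names and account numbers are constructed for illustration.

```python
import json
import re

# Constructed server-side state standing in for a session store and a database.
SESSIONS = {"sess-abc": {"user": "alice"}}
ACCOUNTS = {"alice": ["ACC-1001"], "bob": ["ACC-2002"]}
ACCOUNT_RE = re.compile(r"^ACC-\d{4}$")

class Rejected(Exception):
    """Raised when a request must not be processed."""

def handle_trusting(body: str) -> dict:
    """Insecure: the client states who it is and whether it is privileged, and the
    server believes it, i.e. the AJAX client is treated as an insider component."""
    req = json.loads(body)
    if not (req.get("is_admin") or req["from"] in ACCOUNTS.get(req["user"], [])):
        raise Rejected("not your account")
    return {"user": req["user"], "from": req["from"], "to": req["to"], "amount": req["amount"]}

def handle_hardened(session_id: str, body: str) -> dict:
    """Secure: identity comes from the server-side session; every field is checked."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise Rejected("no valid session")
    try:
        req = json.loads(body)
    except ValueError:
        raise Rejected("malformed JSON")
    if not isinstance(req, dict):
        raise Rejected("body must be a JSON object")
    # Take only the fields this endpoint expects; anything else the client sent is ignored.
    src, dst, amount = req.get("from"), req.get("to"), req.get("amount")
    for name, value in (("from", src), ("to", dst)):
        if not (isinstance(value, str) and ACCOUNT_RE.match(value)):
            raise Rejected(f"bad account in '{name}'")
    # bool is a subclass of int, so it has to be excluded explicitly.
    if isinstance(amount, bool) or not isinstance(amount, int) or not 0 < amount <= 10_000:
        raise Rejected("bad amount")
    # Ownership is decided from server state, never from a client-supplied flag.
    if src not in ACCOUNTS.get(session["user"], []):
        raise Rejected("not your account")
    return {"user": session["user"], "from": src, "to": dst, "amount": amount}

def rejects(fn, *args) -> bool:
    """True if fn(*args) raises Rejected; used by the checks below."""
    try:
        fn(*args)
    except Rejected:
        return True
    return False
```

The only state the hardened handler takes from the request is the three fields it actually needs, each type- and range-checked; a client-supplied `is_admin` flag is simply never read.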