Re: [KCFusion] security question

2003-08-14 Thread Adaryl Wakefield



Ok wait. I have not thought this all the way through, I think. The kind of attack I was thinking of was where a hostile user tapped the stream mid-flow, somehow between the end user and the server. Since the pages are encrypted with https, then they (the hostile) should not be able to do anything, yes? And if the bandit has the user's authentication information, then there really is not much you can do, no? You know, for a meeting idea I'd really like to hear what the big boys are doing security-wise. All the books I have, the security is pretty lame and basic.
A.

  - Original Message -
  From: Luke Templin
  To: [EMAIL PROTECTED]
  Sent: Tuesday, August 12, 2003 11:05 AM
  Subject: RE: [KCFusion] security question

  You may want to do everything through a stored procedure(s). As part of that stored procedure you could create multiple SQL queries, one of which can be an audit trail.

  Another way is to present the material to be deleted as a table with a checkbox for each row. Then have the user select each individual record. Pass the information to a cftag that does the delete. This reduces the opportunity for a user to randomly type anything in and allows you to implement a validation routine.

  Another item to explore is to use https if security is a concern. Can't say I have experience with it, but given your description that might be a method to investigate.
  


Re: [KCFusion] security question

2003-08-14 Thread Adaryl Wakefield



I'm sorry, I was in a hurry and should have explained this better. For the first time I am faced with allowing users to delete info from a database. I am trying to come up with a save method for doing that. In other words, I don't want people to just type random numbers in a query string and start erasing stuff. Most of the measures I have come up with so far are easily defeated. I had considered putting the primary key of the tuple to be deleted in a hidden form field, but if you can alter the info sent in a POST request (and I think I read somewhere that you could) then that measure is kinda lame too. The best I've got so far is that the user can only delete those tuples that are related to their login.
A.

  - Original Message -
  From: Bruce Dunwiddie
  To: [EMAIL PROTECTED]
  Sent: Tuesday, August 12, 2003 11:33 AM
  Subject: RE: [KCFusion] security question

  I don't know of a way to, say, make IE send different request headers, but if you're trying to test something, wouldn't cfpost work?
  


RE: [KCFusion] security question

2003-08-14 Thread Kory Bakken



Are you asking how this can be done, or just whether this can be done? Are you trying to alter your data, or just assure a customer that their data is safe?

-Original Message-
From: Bruce Dunwiddie [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 12, 2003 11:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [KCFusion] security question

  I don't know of a way to, say, make IE send different request headers, but if you're trying to test something, wouldn't cfpost work?
  


RE: [KCFusion] security question

2003-08-14 Thread Bruce Dunwiddie
Well, the check in the database to make sure that the user is allowed to delete that record is a good step to leave in. As for the rest, I'd probably recommend passing an encrypted value of the record to delete along with the record id itself, so you can verify that they haven't just changed the id, and it won't matter if they can get access to the hidden encrypted value because they won't be able to submit the proper encrypted version to pass the validation.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kory Bakken
Sent: Tuesday, August 12, 2003 9:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [KCFusion] security question


Adaryl:

Yes, if a person has IEBoster (http://www.paessler.com/IEB) running on their machine, hidden form fields are just a right-click away. You'd be better off putting an ACTIVE field in any table that you are going to allow users to delete from. That could inactivate the record, then you could manually review the deletes before committing any of them. That's my 2 cents.

Kory


RE: [KCFusion] security question

2003-08-14 Thread Bruce Dunwiddie



I don't know of a way to, say, make IE send different request headers, but if you're trying to test something, wouldn't cfpost work?

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adaryl Wakefield
  Sent: Monday, August 11, 2003 1:44 PM
  To: [EMAIL PROTECTED]
  Subject: [KCFusion] security question

  Is it possible to alter the information that is sent in the headers of a POST request?
  A.


RE: [KCFusion] security question

2003-08-14 Thread Luke Templin



You may want to do everything through a stored procedure(s). As part of that stored procedure you could create multiple SQL queries, one of which can be an audit trail.

Another way is to present the material to be deleted as a table with a checkbox for each row. Then have the user select each individual record. Pass the information to a cftag that does the delete. This reduces the opportunity for a user to randomly type anything in and allows you to implement a validation routine.

Another item to explore is to use https if security is a concern. Can't say I have experience with it, but given your description that might be a method to investigate.

  -Original Message-
  From: Adaryl Wakefield [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, August 12, 2003 10:54 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [KCFusion] security question

  Oh, and just to eliminate confusion, I'm trying to come up with a SAFE method.. not a save method.
  A.
  


RE: [KCFusion] security question

2003-08-14 Thread Kory Bakken



Adaryl:

Yes, if a person has IEBoster (http://www.paessler.com/IEB) running on their machine, hidden form fields are just a right-click away. You'd be better off putting an "ACTIVE" field in any table that you are going to allow users to delete from. That could inactivate the record, then you could manually review the deletes before committing any of them. That's my 2 cents.

Kory

  -Original Message-
  From: Adaryl Wakefield [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, August 12, 2003 10:48 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [KCFusion] security question

  I'm sorry, I was in a hurry and should have explained this better. For the first time I am faced with allowing users to delete info from a database. I am trying to come up with a save method for doing that. In other words, I don't want people to just type random numbers in a query string and start erasing stuff. Most of the measures I have come up with so far are easily defeated. I had considered putting the primary key of the tuple to be deleted in a hidden form field, but if you can alter the info sent in a POST request (and I think I read somewhere that you could) then that measure is kinda lame too. The best I've got so far is that the user can only delete those tuples that are related to their login.
  A.
  
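
Kory's ACTIVE flag, the ownership check Adaryl already has, and the audit trail Luke mentioned fit naturally into one database routine. The following is an added example written for this page, not code from any of the posters; it uses Python with SQLite instead of ColdFusion, and the `items` and `delete_audit` tables, their column names, and the sample rows are assumptions constructed for the example.

```python
"""Ownership-scoped soft delete with an audit row: an added example for this
thread, not code from the original posts. Assumes a hypothetical `items` table
with an `owner_id` column and an `active` flag; the sample rows are constructed
here so the script runs offline against an in-memory SQLite database."""
import sqlite3

SCHEMA = """
CREATE TABLE items (
    id        INTEGER PRIMARY KEY,
    owner_id  INTEGER NOT NULL,
    title     TEXT    NOT NULL,
    active    INTEGER NOT NULL DEFAULT 1
);
CREATE TABLE delete_audit (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    item_id   INTEGER NOT NULL,
    actor_id  INTEGER NOT NULL,
    outcome   TEXT    NOT NULL,
    at        TEXT    NOT NULL DEFAULT (datetime('now'))
);
"""


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO items (id, owner_id, title) VALUES (?, ?, ?)",
        [(1, 100, "alice's note"), (2, 100, "alice's other note"), (3, 200, "bob's note")],
    )
    conn.commit()
    return conn


def soft_delete(conn: sqlite3.Connection, item_id: int, actor_id: int) -> bool:
    """Deactivate item_id only if actor_id owns it.

    The ownership test is part of the UPDATE's WHERE clause, so a guessed or
    tampered id that belongs to someone else matches no row; rowcount tells us
    which case happened. Every attempt, refused ones included, is written to the
    audit table inside the same transaction as the update."""
    with conn:  # one transaction: both statements commit or neither does
        cur = conn.execute(
            "UPDATE items SET active = 0 "
            "WHERE id = ? AND owner_id = ? AND active = 1",
            (item_id, actor_id),
        )
        ok = cur.rowcount == 1
        conn.execute(
            "INSERT INTO delete_audit (item_id, actor_id, outcome) VALUES (?, ?, ?)",
            (item_id, actor_id, "deleted" if ok else "refused"),
        )
    return ok


def is_active(conn: sqlite3.Connection, item_id: int) -> bool:
    row = conn.execute("SELECT active FROM items WHERE id = ?", (item_id,)).fetchone()
    return bool(row and row[0])


def audit_outcomes(conn: sqlite3.Connection) -> list:
    return [r[0] for r in conn.execute("SELECT outcome FROM delete_audit ORDER BY id")]


if __name__ == "__main__":
    db = open_db()
    print(soft_delete(db, 1, 100))  # True: alice deactivates her own row
    print(soft_delete(db, 3, 100))  # False: alice submitted bob's id
    print(soft_delete(db, 1, 100))  # False: already inactive
    print(audit_outcomes(db))       # ['deleted', 'refused', 'refused']
```

Nothing is physically removed, so the rows flagged `active = 0` can be reviewed and purged later, as Kory suggests; the reviewer also gets the audit table, which records who asked to delete what and whether the request was honoured. Doing the owner test in the same statement as the update, rather than as a separate SELECT followed by a blind DELETE, is what stops the random-number-in-the-query-string attack Adaryl describes.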


Re: [KCFusion] security question

2003-08-14 Thread Adaryl Wakefield



Oh, and just to eliminate confusion, I'm trying to come up with a SAFE method.. not a save method.
A.

  - Original Message -
  From: Adaryl Wakefield
  To: [EMAIL PROTECTED]
  Sent: Tuesday, August 12, 2003 10:48 AM
  Subject: Re: [KCFusion] security question

  I'm sorry, I was in a hurry and should have explained this better. For the first time I am faced with allowing users to delete info from a database. I am trying to come up with a save method for doing that. In other words, I don't want people to just type random numbers in a query string and start erasing stuff. Most of the measures I have come up with so far are easily defeated. I had considered putting the primary key of the tuple to be deleted in a hidden form field, but if you can alter the info sent in a POST request (and I think I read somewhere that you could) then that measure is kinda lame too. The best I've got so far is that the user can only delete those tuples that are related to their login.
  A.
  


RE: [KCFusion] security question

2003-08-14 Thread Bruce Dunwiddie



Yes, https will basically eliminate the possibility of someone in the middle doing a malicious attack, but the best thing is to secure all the layers separately, so if someone does get past what you might think would be the https secure layer, there are still other measures in place to catch them.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adaryl Wakefield
  Sent: Tuesday, August 12, 2003 10:24 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [KCFusion] security question

  Ok wait. I have not thought this all the way through, I think. The kind of attack I was thinking of was where a hostile user tapped the stream mid-flow, somehow between the end user and the server. Since the pages are encrypted with https, then they (the hostile) should not be able to do anything, yes? And if the bandit has the user's authentication information, then there really is not much you can do, no? You know, for a meeting idea I'd really like to hear what the big boys are doing security-wise. All the books I have, the security is pretty lame and basic.
  A.
  


Re: [KCFusion] security question

2003-08-14 Thread Adaryl Wakefield



That's what I thought. Manually deleting them does not exactly bring a smile to my face, but it is feasible for us. But what about larger companies with, like, a gazillion records? Unless you're telling me that they just have tons of minimum-wage people who do nothing all day but delete records.
A.

  - Original Message -
  From: Kory Bakken
  To: [EMAIL PROTECTED]
  Sent: Tuesday, August 12, 2003 10:54 AM
  Subject: RE: [KCFusion] security question

  Adaryl:

  Yes, if a person has IEBoster (http://www.paessler.com/IEB) running on their machine, hidden form fields are just a right-click away. You'd be better off putting an "ACTIVE" field in any table that you are going to allow users to delete from. That could inactivate the record, then you could manually review the deletes before committing any of them. That's my 2 cents.

  Kory
  


Re: [KCFusion] security question

2003-08-12 Thread Adaryl Wakefield
That's where I started. I was doing it via JavaScript so I could ask the user if they really wanted to delete. But when I passed the function the encrypted value it did not like it for some reason. It was rendered all funny. The function looks like this:

<script language="JavaScript">
 // Ask for confirmation, then send the passed value to the delete page
 // in the query string.
 function check(entry){
  if (confirm("This will delete this entry. Proceed?")){
   document.location = "foo.cfm?entry=" + entry;
   }
  else{}
 }
</script>

Then I would call it with

<a href="javascript:check('#Encrypt(primaryKey, 'notTheRealKey')#')">Delete</a>

Which in turn comes out as

<a href="javascript:check('(%WE">Delete</a>

Totally breaks my code.
A.

- Original Message -
From: Bruce Dunwiddie [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 11:57 AM
Subject: RE: [KCFusion] security question


 Well, the check in the database to make sure that the user is allowed to delete that record is a good step to leave in. As for the rest, I'd probably recommend passing an encrypted value of the record to delete along with the record id itself, so you can verify that they haven't just changed the id, and it won't matter if they can get access to the hidden encrypted value because they won't be able to submit the proper encrypted version to pass the validation.


 
 
__
The KCFusion.org list and website is hosted by Humankind Systems, Inc.
List Archives http://www.mail-archive.com/[EMAIL PROTECTED]
Questions, Comments or Glowing Praise.. mailto:[EMAIL PROTECTED]
To Subscribe mailto:[EMAIL PROTECTED]
To Unsubscribe mailto:[EMAIL PROTECTED]