Re: [KCFusion] security question
Ok wait. I have not thought this all the way through, I think. The kind of attack I was thinking of was where a hostile user tapped the stream mid-flow, somehow between the end user and the server. Since the pages are encrypted with https, then they (the hostile) should not be able to do anything, yes? And if the bandit has the user's authentication information, then there really is not much you can do, no?

You know, for a meeting idea I'd really like to hear what the big boys are doing security-wise. All the books I have, the security is pretty lame and basic.

A.

- Original Message -
From: Luke Templin
To: [EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 11:05 AM
Subject: RE: [KCFusion] security question
Re: [KCFusion] security question
I'm sorry, I was in a hurry and should have explained this better. For the first time I am faced with allowing users to delete info from a database. I am trying to come up with a save method for doing that. In other words, I don't want people to just type random numbers in a query string and start erasing stuff. Most of the measures I have come up with so far are easily defeated. I had considered putting the primary key of the tuple to be deleted in a hidden form field, but if you can alter the info sent in a POST request (and I think I read somewhere that you could) then that measure is kinda lame too. The best I've got so far is that the user can only delete those tuples that are related to their login.

A.

- Original Message -
From: Bruce Dunwiddie
To: [EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 11:33 AM
Subject: RE: [KCFusion] security question
RE: [KCFusion] security question
Are you asking how this can be done, or just whether this can be done? Are you trying to alter your data, or just assure a customer that their data is safe?

-Original Message-
From: Bruce Dunwiddie [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 12, 2003 11:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [KCFusion] security question
RE: [KCFusion] security question
Well, the checking in the database to make sure that the user is allowed to delete that record is a good step to leave in. As for the rest, I'd probably recommend passing an encrypted value of the record to delete along with the record id itself, so you can verify that they haven't just changed the id, and it won't matter if they can get access to the hidden encrypted value because they won't be able to submit the proper encrypted version to pass the validation.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kory Bakken
Sent: Tuesday, August 12, 2003 9:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [KCFusion] security question
RE: [KCFusion] security question
I don't know of a way to say make IE send different request headers, but if you're trying to test something, wouldn't cfpost work?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adaryl Wakefield
Sent: Monday, August 11, 2003 1:44 PM
To: [EMAIL PROTECTED]
Subject: [KCFusion] security question

Is it possible to alter the information that is sent in the headers of a POST request?

A.
RE: [KCFusion] security question
You may want to do everything through a stored procedure(s). As part of that stored procedure you could create multiple SQL queries, one of which can be an audit trail. Another way is to present the material to be deleted as a table with a checkbox for each row. Then have the user select each individual record. Pass the information to a cftag that does the delete. This reduces the opportunity for a user to randomly type anything in and allows you to implement a validation routine. Another item to explore is to use https if security is a concern. Can't say I have experience with it, but given your description that might be a method to investigate.

-Original Message-
From: Adaryl Wakefield [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 12, 2003 10:54 AM
To: [EMAIL PROTECTED]
Subject: Re: [KCFusion] security question
RE: [KCFusion] security question
Adaryl: Yes, if a person has IEBoster (http://www.paessler.com/IEB) running on their machine, hidden form fields are just a right-click away. You'd be better off putting an "ACTIVE" field in any table that you are going to allow users to delete from. That could inactivate the record, then you could manually review the deletes before committing any of them. That's my 2 cents.

Kory

-Original Message-
From: Adaryl Wakefield [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 12, 2003 10:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [KCFusion] security question
Re: [KCFusion] security question
Oh, and just to eliminate confusion, I'm trying to come up with a SAFE method... not a save method.

A.

- Original Message -
From: Adaryl Wakefield
To: [EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 10:48 AM
Subject: Re: [KCFusion] security question
RE: [KCFusion] security question
Yes, https will basically eliminate the possibility of someone in the middle doing a malicious attack, but the best thing is to secure all the layers separately, so if someone does get past what you might think would be the https secure layer, there's still other measures in place to catch them.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adaryl Wakefield
Sent: Tuesday, August 12, 2003 10:24 AM
To: [EMAIL PROTECTED]
Subject: Re: [KCFusion] security question
Re: [KCFusion] security question
That's what I thought. Manually deleting them does not exactly bring a smile to my face, but it is feasible for us. But what about larger companies with like a gazillion records? Unless you're telling me that they just have tons of minimum wage people that all they do all day is delete records.

A.

- Original Message -
From: Kory Bakken
To: [EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 10:54 AM
Subject: RE: [KCFusion] security question
Re: [KCFusion] security question
That's where I started. I was doing it via JavaScript so I could ask the user if they really wanted to delete. But when I passed the function the encrypted value it did not like it for some reason. It was rendered all funny. The function looks like this:

<script language="JavaScript">
function check(entry){
  if (confirm("This will delete this entry. Proceed?")){
    document.location = "foo.cfm?entry=" + entry;
  } else{}
}
</script>

Then I would call it with

<a href="javascript:check('#Encrypt(primaryKey, 'notTheRealKey')#')">Delete</a>

Which in turn comes out as

<a href="javascript:check('(%WEDelete</a>

Totally breaks my code.

A.

- Original Message -
From: Bruce Dunwiddie [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 11:57 AM
Subject: RE: [KCFusion] security question

__
The KCFusion.org list and website is hosted by Humankind Systems, Inc.
List Archives http://www.mail-archive.com/[EMAIL PROTECTED]
Questions, Comments or Glowing Praise.. mailto:[EMAIL PROTECTED]
To Subscribe mailto:[EMAIL PROTECTED]
To Unsubscribe mailto:[EMAIL PROTECTED]