Obviously, any Action should check to make sure the required permissions are
in place before doing anything else. It is also important to take into
account what could be done by hacking on the query/pathinfo data as well.
But I don't think this is specific to Turbine.

A Screen should perform any security checks it requires and not assume they
have been done in a preceding Action. If a Screen is showing sensitive
data (or even if it is not), it should be responsible for gathering the data
that it is going to display. This will prevent a URL hacker from using a
more permissive Screen to show the results of an Action that was meant to
be shown by a more restrictive Screen. (I have some thoughts on making a
general purpose Action that can be used to gather the data, but its use
would have to be thoughtfully considered.)

Finally, an Action can specify the Screen that is used for the response,
overriding anything in the query/pi data. If an Action and Screen are so
intertwined that there is no benefit to allowing the separation that comes
from specifying them separately, you should probably just set the Screen in
the Action, so that you can be sure of the integrity of the application.

John McNally
----- Original Message -----
From: dave bryson <[EMAIL PROTECTED]>
To: Turbine <[EMAIL PROTECTED]>
Sent: Wednesday, May 31, 2000 5:53 AM
Subject: Re: Breaking A Turbine App?
> On Wed, 31 May 2000, you wrote:
> > Hi,
> >
> > I was just thinking (I know, always dangerous...)
> >
> > Given the nature of a call to the Turbine servlet, someone could mix and
> > match the action screen calls maliciously -
> > .../action/ResetDB/screen/HomePage
>
> This is why you can also check security in the Action
> ( see the scheduler stuff ).
>
> But let's say they did have the proper permission and were malicious
> (then you'd know who they are when they login). They would
> also have to pass the correct parameters to the Action etc... In other
> words, they would need to understand _how_ your application was
> working. This is security through obscurity but it's still a speedbump.
>
> Nothing can be made completely secure. But I think Turbine does a good
> job making it easy for a developer to make the app as secure as
> possible.
>
> --
> dave
> [EMAIL PROTECTED]
> ----------------------
> Just your average Joe armed with an Emacs editor.
>
>
> ------------------------------------------------------------
> To subscribe: [EMAIL PROTECTED]
> To unsubscribe: [EMAIL PROTECTED]
> Problems?: [EMAIL PROTECTED]
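
The three rules from the reply above (the Action checks permissions first, the Screen checks again and gathers its own data, and the Action may pin the Screen) in a minimal Python model of action/screen dispatch. This is an added illustration, not Turbine code or code from either poster; every name in it (`dispatch`, `require`, `ResetDone`, `SalaryReport`, the permission strings) is hypothetical and the data is constructed.

```python
class Denied(Exception):
    """Raised when the current user lacks a required permission."""

def require(user, perm):
    if perm not in user["perms"]:
        raise Denied(perm)

DB = {"rows": {"alice": 100, "bob": 90}, "resets": 0}  # constructed sample data

def reset_db(user, ctx):
    require(user, "db.admin")      # Action: check before doing anything else
    DB["resets"] += 1
    ctx["screen"] = "ResetDone"    # Action pins the Screen; the request value is ignored

def salary_report(user, ctx):
    require(user, "hr.read")       # Screen: do not trust a preceding Action
    rows = DB["rows"]              # Screen gathers its own data, not ctx leftovers
    return "salaries: " + ", ".join(f"{n}={v}" for n, v in sorted(rows.items()))

ACTIONS = {"ResetDB": reset_db}
SCREENS = {
    "HomePage": lambda user, ctx: "home",
    "ResetDone": lambda user, ctx: "database reset",
    "SalaryReport": salary_report,
}

def dispatch(path, user):
    """Handle a request path such as /action/ResetDB/screen/HomePage."""
    parts = path.strip("/").split("/")
    req = dict(zip(parts[0::2], parts[1::2]))   # {"action": ..., "screen": ...}
    ctx = {}
    try:
        if "action" in req:
            action = ACTIONS.get(req["action"])
            if action is None:
                raise Denied("unknown action")
            action(user, ctx)
        # A Screen chosen by the Action wins over the one named in the request.
        name = ctx.get("screen") or req.get("screen", "HomePage")
        screen = SCREENS.get(name)
        if screen is None:
            raise Denied("unknown screen")
        return screen(user, ctx)
    except Denied as exc:
        return f"denied: {exc}"

GUEST = {"name": "guest", "perms": set()}
ADMIN = {"name": "admin", "perms": {"db.admin"}}
```
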