Hi Janet,
1. You can't do anything to the args -- they are part of the environment for the request. So like you, the first thing I do is assign them to vars.

2. Depends on the language -- in perl you can do a lot on 1 line, but in witango I use <@left> and then compare <@length> of arg with var. To be honest, I usually turn this last check off unless it's important enough for me to be alerted to potential hacks.

3. Just be aware that there is a bug in <@BIND> -- you CANNOT quote attributes within the meta! Also, <@BIND doesn't work with BLOBs larger than 32k. If you need to update or insert larger BLOBs you must use a SearchAction.

4. I figure my time is more valuable than a hacker's, so I would rather use names that are meaningful to me.

bill


On Sep 11, 2006, at 10:52 AM, quicknote wrote:

Hi William

Wow! Thanks
I tend to use stored procedures (Microsoft SQL Server) so I assign the ARGS to VARS.
I have not been using the BIND metatag, but I will definitely get to work on changing that.
So I can see some of the steps.
1) Assign the ARG to a VAR (which I am already doing)
2) Use string function to define the length of the VAR and look for and discard too long VARS. (I imagine here you would use an IF statement to STOP the current action if a too-long or suspect VAR is created.)
3) Use the BIND metatag when using the VAR so that I can make the datatype & length explicit.

*******Question*******
How do you truncate an ARG, or do you do this in the ASSIGN action?
How do you tell if an ARG has been truncated?
I use the <@PURGE> tag for VARS; how do you get rid of suspect ARGS?
Does the name of the ARG matter, like NAME=PASSWORD? Should I make this less obvious?


Thanks again for the reply with so much important information.

Janet QSN


-----Original Message-----
From: William M Conlon [mailto:[EMAIL PROTECTED]
Sent: Monday, September 11, 2006 1:02 PM
To: [email protected]
Subject: Re: Witango-Talk: security issues and ARGS


Nothing's a stupid question when worried about hacking.

The most important thing is to validate the args -- don't trust anything!

Here's how I usually approach things:
1. I explicitly use <@SEARCHARG> and <@POSTARG>, in case someone is looking for buffer overrun exploits by POSTing long arguments to your search args.
2. I immediately truncate the arguments to the maximum length allowed. I also throw an error if anything was truncated, as this indicates either a programming error, or an attempt to hack.
3. I validate the type (char, numeric, date, or in the case of radio/checkbox, to the list of permitted values). I have a few others like NANP (North American Numbering Plan) for phone numbers. This helps to reduce dbms errors.
4. If you use DirectDBMS, then use <@BIND> or make sure any SQL characters are escaped to avoid SQL injection attacks.
5. I have a custom error page that looks nice, but doesn't disclose any info to hackers. The error handler also mails me the full error trace (thanks, Scott).

On Sep 10, 2006, at 6:34 PM, quicknote wrote:


I don't know anything about hacking, so this might be a stupid question, but here it goes.
In my 'enter.TAF' I use arg names like password, userid, and then as necessary I assign them to variables with similar names.
Do hackers look for args & vars with these types of names?
Of course I keep these ARGS hidden and the site is encrypted etc, but I was just wondering if I should change the names of these args?

Janet Case, QSN

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf

Bill

William M. Conlon, P.E., Ph.D.
To the Point
345 California Avenue Suite 2
Palo Alto, CA 94306
    vox:  650.327.2175 (direct)
    fax:  650.329.8335
mobile:  650.906.9929
e-mail:  mailto:[EMAIL PROTECTED]
    web:  http://www.tothept.com
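The validation pipeline Bill lays out above (truncate to the maximum length, treat any truncation as an error, check the type, and pass values to the DBMS through <@BIND> rather than splicing them into SQL), together with his note in the top reply about comparing <@LENGTH> of the arg against the <@LEFT> result, as a runnable added example. This code is not from the thread, from Witango, or from any list member: Witango metatags have no runnable equivalent here, so plain Python and an in-memory sqlite3 database stand in for them, and the field spec, table, phone format and sample requests are all constructed for the example.

```python
import re
import sqlite3
from datetime import date

# Added example, not code from the Witango-Talk thread. Python and sqlite3
# stand in for Witango's <@SEARCHARG>/<@POSTARG>, <@LEFT>/<@LENGTH> and
# <@BIND>; the spec, table and sample values below are constructed.

NANP_RE = re.compile(r"^\d{3}-\d{3}-\d{4}$")  # assumed phone format: 650-327-2175


class ArgError(ValueError):
    """Raised when an argument is too long or of the wrong type."""


def truncate(value, max_len):
    """<@LEFT> plus a length comparison: return (cut value, was_truncated)."""
    cut = value[:max_len]
    return cut, len(cut) != len(value)


def validate(raw_args, spec):
    """Apply a per-field spec {name: (max_len, kind, allowed)} to request args."""
    clean = {}
    for name, (max_len, kind, allowed) in spec.items():
        value, cut = truncate(raw_args.get(name, ""), max_len)
        if cut:
            # Truncation means a programming error or an over-long submission;
            # stop the action rather than quietly carrying on with the cut value.
            raise ArgError(f"{name}: exceeded {max_len} characters")
        if kind == "numeric":
            if not value.isdigit():
                raise ArgError(f"{name}: not numeric")
            value = int(value)
        elif kind == "date":
            try:
                value = date.fromisoformat(value)
            except ValueError:
                raise ArgError(f"{name}: not an ISO date") from None
        elif kind == "enum":
            # radio/checkbox input: only the permitted list is accepted
            if value not in allowed:
                raise ArgError(f"{name}: not in permitted values")
        elif kind == "nanp":
            if not NANP_RE.match(value):
                raise ArgError(f"{name}: not a NANP phone number")
        elif kind != "char":
            raise ArgError(f"{name}: unknown kind {kind}")
        clean[name] = value
    return clean


# Constructed field spec: (max length, kind, permitted values for enums)
SPEC = {
    "userid": (16, "char", None),
    "age": (3, "numeric", None),
    "joined": (10, "date", None),
    "plan": (8, "enum", {"basic", "pro"}),
    "phone": (12, "nanp", None),
}


def rejects(args):
    """True if validate() refuses the request (used to keep checks readable)."""
    try:
        validate(args, SPEC)
    except ArgError:
        return True
    return False


def make_db():
    """Constructed in-memory table standing in for the real DBMS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, plan TEXT)")
    conn.execute("INSERT INTO users VALUES ('janet', 'pro')")
    return conn


def lookup_user(conn, args):
    """Validate first, then query with a bound parameter (the <@BIND> idea)."""
    clean = validate(args, SPEC)
    return conn.execute("SELECT userid, plan FROM users WHERE userid = ?",
                        (clean["userid"],)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    good = {"userid": "janet", "age": "42", "joined": "2006-09-11",
            "plan": "pro", "phone": "650-327-2175"}
    print(lookup_user(conn, good))
    # A userid containing a quote is passed as data, so the query still runs
    # cleanly and simply finds no such user.
    print(lookup_user(conn, dict(good, userid="o'brien")))
    try:
        lookup_user(conn, dict(good, userid="x" * 40))
    except ArgError as e:
        print("rejected:", e)
```

The order matters: length and type checks run before anything reaches the database, so a malformed value produces an application error under your control rather than a DBMS error, and the bound parameter means a quote or other SQL character in the data never becomes part of the statement.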


