You can truncate arguments before assigning to variables. You can also limit them to certain character sets, etc.

On forms that appear to be email front ends, I get lots of attempts to submit parts of raw emails in attempts to hijack the SMTP server to relay spam.

They don't work, of course, but they do annoy. I sometimes put in detectors for the strings they use and then take them right to an error page. It keeps databases from being clogged with junk.



On Sep 11, 2006, at 11:45 AM, William M Conlon wrote:

Hi Janet,
1. You can't do anything to the args -- they are part of the environment for the request. So like you, the first thing I do is assign them to vars.

2. Depends on the language -- in perl you can do a lot on 1 line, but in witango I use <@left> and then compare <@length> of arg with var. To be honest, I usually turn this last check off unless it's important enough for me to be alerted to potential hacks.

3. Just be aware that there is a bug in <@BIND> -- you CANNOT quote attributes within the meta! Also, <@BIND> doesn't work with BLOBs larger than 32k. If you need to update or insert larger BLOBs you must use a SearchAction.

4. I figure my time is more valuable than a hacker's, so I would rather use names that are meaningful to me.

bill


On Sep 11, 2006, at 10:52 AM, quicknote wrote:

Hi William

Wow! Thanks
I tend to use stored procedures (Microsoft SQL Server) so I assign the ARGS to VARS.
I have not been using the BIND metatag, but I will definitely get to work on changing that.
So I can see some of the steps.
        1) Assign the ARG to a VAR (which I am already doing)
        2) Use string function to define the length of the VAR and look for and discard too long VARS.
           (I imagine here you would use an IF statement to STOP the current action if a too-long or suspect VAR is created.)
        3) Use the BIND metatag when using the VAR so that I can make the datatype & length explicit.

*******Question*******
        How do you truncate an ARG, or do you do this in the ASSIGN action?
        How do you tell if an ARG has been truncated?
        I use the <@PURGE> tag for VARS; how do you get rid of suspect ARGS?
        Does the name of the ARG matter, like NAME=PASSWORD? Should I make this less obvious?


Thanks again for the reply with so much important information.

Janet QSN


-----Original Message-----
From: William M Conlon [mailto:[EMAIL PROTECTED]
Sent: Monday, September 11, 2006 1:02 PM
To: [email protected]
Subject: Re: Witango-Talk: security issues and ARGS


Nothing's a stupid question when worried about hacking.

The most important thing is to validate the args -- don't trust anything!

Here's how I usually approach things:
1. I explicitly use <@SEARCHARG> and <@POSTARG>, in case someone is looking for buffer overrun exploits by POSTing long arguments to your search args.
2. I immediately truncate the arguments to the maximum length allowed. I also throw an error if anything was truncated, as this indicates either a programming error or an attempt to hack.
3. I validate the type (char, numeric, date, or in the case of radio/checkbox, against the list of permitted values). I have a few others like NANP (North American Numbering Plan) for phone numbers. This helps to reduce DBMS errors.
4. If you use DirectDBMS, then use <@BIND> or make sure any SQL characters are escaped to avoid SQL injection attacks.
5. I have a custom error page that looks nice, but doesn't disclose any info to hackers. The error handler also mails me the full error trace (thanks, Scott).

On Sep 10, 2006, at 6:34 PM, quicknote wrote:


I don't know anything about hacking, so this might be a stupid question, but here it goes.
In my 'enter.TAF' I use arg names like password, userid, and then as necessary I assign them to variables with similar names.
Do hackers look for args & vars with these types of names?
Of course I keep these ARGS hidden and the site is encrypted etc., but I was just wondering if I should change the names of these args?

Janet Case, QSN

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf

Bill

William M. Conlon, P.E., Ph.D.
To the Point
345 California Avenue Suite 2
Palo Alto, CA 94306
    vox:  650.327.2175 (direct)
    fax:  650.329.8335
mobile:  650.906.9929
e-mail:  mailto:[EMAIL PROTECTED]
    web:  http://www.tothept.com


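Bill's checklist (truncate to the maximum length and flag anything that was cut off, validate by type or permitted list, then bind parameters rather than splicing values into SQL), as an added Python example that is not from the list or from any Witango code: plain Python stands in for the <@left>/<@length> comparison and sqlite3 placeholders stand in for <@BIND>; the function names, table and sample form args are constructed for this illustration.

```python
import re
import sqlite3
from datetime import date

class ArgError(ValueError): pass   # any validation failure -> send the request to the error page
# NANP: area code and exchange start with 2-9, followed by a 4-digit line number.
NANP = re.compile(r"^\(?([2-9]\d{2})\)?[-. ]?([2-9]\d{2})[-. ]?(\d{4})$")

def clean_arg(value, max_len, kind="char", allowed=()):
    """Truncate to max_len, raise if anything was cut off, then validate by kind."""
    text = "" if value is None else str(value)
    kept = text[:max_len]                  # the truncated copy (the <@left> step)
    if len(kept) != len(text):             # compare lengths (the <@length> check)
        raise ArgError(f"argument truncated from {len(text)} to {max_len} chars")
    if kind == "numeric":
        if not re.fullmatch(r"-?\d+", kept):
            raise ArgError("not numeric")
        return int(kept)
    if kind == "date":
        try:
            return date.fromisoformat(kept)
        except ValueError:
            raise ArgError("not an ISO date") from None
    if kind == "choice":                   # radio/checkbox: only listed values pass
        if kept not in allowed:
            raise ArgError("value not in permitted list")
        return kept
    if kind == "nanp":
        m = NANP.match(kept)
        if not m:
            raise ArgError("not a NANP phone number")
        return "".join(m.groups())         # normalised to 10 digits
    return kept

def rejects(value, max_len, kind="char", allowed=()):
    """True when clean_arg refuses the value (the request would hit the error page)."""
    try:
        clean_arg(value, max_len, kind, allowed)
    except ArgError:
        return True
    return False

def store_user(userid_arg, phone_arg):
    """Validate two constructed form args, then insert with bound parameters (the
    <@BIND> idea) into an in-memory table; returns the userid read back. Quotes stay data."""
    userid, phone = clean_arg(userid_arg, 32), clean_arg(phone_arg, 20, "nanp")
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(userid TEXT, phone TEXT)")
    conn.execute("INSERT INTO users(userid, phone) VALUES (?, ?)", (userid, phone))
    return conn.execute("SELECT userid FROM users WHERE phone = ?", (phone,)).fetchone()[0]
```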