Just a rant
-
currently working with younger programmers. they are very technically skilled and hardworking.
But I notice the same problem at all the companies I have worked in: almost non-existent data validation!
For example, WebAPI: GetOrder(int id), and any Tom, Dick and Harry can basically view the orders of any other user.
Why? Aren't these things taught at college?
-
int id
But there's no way anyone could guess someone else's sequentially assigned order id, right?
-
It's not impossible. UpdateOrder, DeleteOrder. And let's say only certain fields can be updated; it's only checked in client-side JavaScript. At the backend, there's NO checking!
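The GetOrder(int id) / UpdateOrder pattern from this thread, written out as an added example (not code from any poster): the unchecked lookup beside a version that ties the order to the authenticated user and enforces the "only certain fields may be updated" rule on the server. The Order records, user ids and the editable-field set are constructed here.

```python
from dataclasses import dataclass

@dataclass
class Order:
    id: int
    owner_id: int
    status: str = "new"
    note: str = ""

# Constructed sample data: two users (100 and 200), one order each.
ORDERS = {1: Order(1, owner_id=100), 2: Order(2, owner_id=200)}
CLIENT_EDITABLE = {"note"}   # fields a customer may change; "status" is staff-only

class Forbidden(Exception):
    pass

def get_order_unchecked(order_id: int) -> Order:
    """Vulnerable: any caller can read any order by supplying its sequential id."""
    return ORDERS[order_id]

def get_order(order_id: int, current_user: int) -> Order:
    """Fixed: the ownership check lives on the server, next to the lookup."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != current_user:
        # Same response for "missing" and "not yours", so ids cannot be enumerated
        raise Forbidden("order not found")
    return order

def update_order(order_id: int, current_user: int, changes: dict) -> Order:
    """Fixed: ownership check plus a server-side whitelist of editable fields,
    instead of trusting the client-side JavaScript to hide the other fields."""
    order = get_order(order_id, current_user)
    disallowed = set(changes) - CLIENT_EDITABLE
    if disallowed:
        raise Forbidden(f"fields not editable by client: {sorted(disallowed)}")
    for name, value in changes.items():
        setattr(order, name, value)
    return order
```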
-
almost non-existent data validation!
Where is the fun in all this if you don't do shit like this from time to time? Why is everyone so serious these days?
-
That's credential validation.
In one of my previous jobs, when designing a web service for an external website to call, I told them they should create a LoginUser method that returns a ticket (GUID), and any subsequent calls to other services must attach the ticket to validate the identity, and they also questioned "why?".
Data validation (like how to validate a range or foreign key, etc.) is taught in school; credential validation... I think not. At least not when I was studying there.
Then again, things like SQL injection, which were uncommon at that time, were not taught either.
-
things like SQL injection
Either I've just been in more intelligent communities recently or SQL injection vulnerabilities have become a big problem and then pretty much ceased to exist within my lifetime. (I'm 21.)
Same with XSS, come to think of it.
-
As long as there exist websites that use user input directly to construct SQL queries by concatenating strings, there will be SQL injection vulnerabilities.
At least in the source code handed to me last year, built by someone in a development center in mainland China, I've seen a few places where he directly concatenated strings to form SQL queries, while to his credit, most other places use parameterized queries. I guess either more than one programmer coded that, or it's proof that laziness goes everywhere.
-
It usually takes a few years to advance from the school mentality of solving tests and chasing grades (oops, forgot to do backend validation, I was sick when the prof was talking about that) to the real-world mentality of building products.
-
Maybe they don't understand the underlying data. Also, why are juniors doing the job of a lead or architect? Those endpoints should be defined by someone with experience in web services and in the data models.
-
Same with XSS
*cough* Discourse *cough*
Speaking of vulnerabilities, I've been playing with comment sections of the bigger news portals in Poland - specifically, whether the voting mechanism is breakable. They all failed in different ways:
- one of them just didn't give a fuck. Click the upvote button 100 times, put in 100 votes.
- the other used browser fingerprinting as its sole identification mechanism. Client-side browser fingerprinting. So `for (var i = 0; i < 100; i++) $.post("...", { fingerprint: getFingerprint() + i });` defeated that one too
- another just stored the list of already voted comments in cookies, so Incognito mode took care of that
- the other was more clever, doing at least some sort of IP checking... but sending the vote via GET without checking the referer, so a forged <img> tag on a high-traffic site would net you enough votes to last a lifetime
XSRF protection is hard. Let's go shopping.
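Added example (not from any poster): a vote handler that closes the four holes listed in the post above from the defender's side. State-changing requests must be POST, carry a session-bound CSRF token and come from our own origin, and the one-vote-per-account record is kept on the server rather than in a cookie or a client-reported fingerprint. The Request/Session objects and the site name are constructed here.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

OUR_ORIGIN = "https://news.example"   # placeholder for the portal's own origin

@dataclass
class Session:
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    method: str
    origin: Optional[str]
    form: dict
    session: Optional[Session]

class VoteStore:
    def __init__(self) -> None:
        self.counts: Dict[int, int] = {}
        self.voted: Set[Tuple[int, int]] = set()   # (user_id, comment_id), server side

    def upvote(self, req: Request) -> Tuple[int, str]:
        """Returns (status_code, message); the vote is counted only on 200."""
        if req.method != "POST":
            return 405, "votes change state; a GET (or an <img> tag) cannot cast one"
        if req.session is None:
            return 401, "sign in to vote"
        if req.origin != OUR_ORIGIN:
            return 403, "cross-site request"
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token, req.session.csrf_token):
            return 403, "missing or wrong CSRF token"
        try:
            comment_id = int(req.form.get("comment_id", ""))
        except ValueError:
            return 400, "comment_id must be an integer"
        key = (req.session.user_id, comment_id)
        if key in self.voted:                      # clicking 100 times counts once
            return 409, "already voted"
        self.voted.add(key)
        self.counts[comment_id] = self.counts.get(comment_id, 0) + 1
        return 200, "vote counted"
```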
-
But there's no way anyone could guess someone else's sequentially assigned order id, right?
-
Welcome to the forums.
-
the other was more clever, doing at least some sort of IP checking... but sending the vote via GET without checking the referer, so a forged <img> tag on a high-traffic site would net you enough votes to last a lifetime
I may or may not have done that once -- on the old forum -- with a 1px x 1px image in my signature -- for a contest I didn't end up winning, but anyway I was really clever... :|
-
Why? Aren't these things taught at college?
My college taught them. In both the Diploma program, and the Applied Bachelor Degree program. There were multiple courses either on security, or that included security units.
- All data is untrusted
- Validate your data
- Check it's type
- Authenticate your users
- Check Authorization
- Never assume the layer before you did it right, or that the layer after will do it right
The last place I worked at learned the hard way about two very important things:
- Client-side validation isn't enough. Someone used dev tools to re-enable a disabled button and submitted a form past its due date
- Parameterize everything. Yes, even the int fields. Idiots. Now I have to clean up a hacked database. At least I learned a lot about the anatomy of an SQL injection / reflected XSS attack
-
Why? Aren't these things taught at college?
I majored in Biology. Didn't learn these things.
-
Which college, if I may ask?
-
@Lorne_Kates said:
- Check it's type
Check it is type? Yes. Check it is type correctly.
-
@Lorne_Kates said:
Check it's type
Well, it is (a) type. But which one?
-
numberOfPonies=1'; DROP TABLE Students; --
-
Indeed it's is.
-
numberOfPonies=1'; DROP TABLE Students; --
Exactly. I had arguments that went like this:
We need to parameterize everything, even the int fields
(boss) But SQL injection only matters on string fields
No, it can happen on any field.
But they need to pass a quote to close the string, and numbers don't have quotes
Unless they omit the quote and just pass ; DROP TABLE Students; ---
They can't do that. It's a number field. We check it with JavaScript!
FUN FACT SIDENOTE: This is the same company that got hit with an SQL injection attack. In 2014. Through a non-parameterized querystring variable. That was an int. I never got any arguments about anything security related again after that.
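The argument above, played out in code as an added example (not from the poster): a constructed in-memory sqlite3 table, the numberOfPonies querystring value concatenated into the query in the vulnerable version and type-checked and bound as a parameter in the fix. No quote character is needed to break out of an integer comparison, which is the boss's mistake.

```python
import sqlite3
from typing import List

def make_db() -> sqlite3.Connection:
    """Constructed sample data, not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT, numberOfPonies INTEGER)")
    conn.executemany("INSERT INTO Students VALUES (?, ?, ?)",
                     [(1, "alice", 1), (2, "bob", 2), (3, "carol", 3)])
    return conn

def students_by_ponies_vulnerable(conn: sqlite3.Connection, number_of_ponies: str) -> List[str]:
    """Vulnerable: the raw querystring value becomes part of the SQL text.
    Client-side JavaScript may have checked it is a number; the server never does."""
    sql = "SELECT name FROM Students WHERE numberOfPonies = " + number_of_ponies
    return [row[0] for row in conn.execute(sql)]

def students_by_ponies_safe(conn: sqlite3.Connection, number_of_ponies: str) -> List[str]:
    """Fixed: server-side type check, then a bound parameter so the value is data, not SQL."""
    try:
        value = int(number_of_ponies)
    except ValueError:
        raise ValueError("numberOfPonies must be an integer")
    return [row[0] for row in conn.execute(
        "SELECT name FROM Students WHERE numberOfPonies = ?", (value,))]
```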
-
Why? Aren't these things taught at college?
Security? Taught in college? :snerk:
Excuse me for a moment while I die laughing. No, seriously, they spend most of their time in college on very important things for computer science (and programming, of course) like: operating systems, compiler design, assembly language, language grammar, LISP, Scheme, and formal logic. They also pile on Calculus, Physics, additional high-level math classes, etc. Their basic curriculum walks students through: basic programming (hope you like linked lists!), and a little more basic programming. Then they dump the students into C programming (because why not?!), Assembly, Logic, and Unix Systems.
Then the upper level classes focus mostly on the aforementioned theory, with a sprinkling of programming for graphical reasons, and other minor programming related things, most of them theory related -- NONE of them having anything to do with what a programmer would be expected to do in a real job. I never once did a single project in college that was business related, until our capstone project which we had to do to graduate. Everything else was academic-based, or theory based.
Do they have security classes? Web classes? Database classes? Yup. And almost all of them are electives. Which means the vast majority of the students won't choose them, when there are easier ones they can choose to satisfy their elective requirements. I took all of them I could, because frankly those were some of the most useful classes I ever took in College, especially the advanced database class, and the security classes.
So, yeah, no, kids straight out of college with a CS degree who haven't worked in the industry... no, they won't be able to handle security. You're gonna have to mentor them. They got through the program though, so it shouldn't be too hard to train them. Just give them a book or website on the subject, and assign them some tasks to learn the concepts, and they will be fine ;)
-
My "security" class was actually an Active Directory class. I was sorely disappointed.
-
The security class I had at Uni wasn't bad. In the first lecture, the lecturer told us if we could give him the contents of a txt file on the root of his web server used to host the course materials we would pass without having to take the exam. Nobody managed it, but we did all learn a fair bit...
-
The security class I had at Uni wasn't bad. In the first lecture, the lecturer told us if we could give him the contents of a txt file on the root of his web server used to host the course materials we would pass without having to take the exam. Nobody managed it, but we did all learn a fair bit...
"Dear Professor. Here is $100 and a USB drive. Please copy the file. Thx"
-
@Lorne_Kates said:
Client-side validation isn't enough. Someone used dev tools to re-enable a disabled button and submitted a form past its due date
Sounds like the pizza hacker (http://thedailywtf.com/articles/pizza-hacker) strikes again.