Just a rant



  • Currently working with younger programmers. They are very technically skilled and hardworking.

    But I notice the same problem at all the companies I have worked in: almost non-existent data validation!

    For example WebAPI : GetOrder(int id) , any tom dick and harry can basically view orders from any other users.

    Why? These things not taught at college?



  • @zzzxtreme said:

    int id

    But there's no way anyone could guess someone else's sequentially assigned order id, right?



  • It's not impossible. UpdateOrder, DeleteOrder. And let's say only certain fields can be updated; it's only checked in client-side JavaScript. At the backend, there's NO checking!
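Added example (mine, not code from either post above): the GetOrder/UpdateOrder problem from the two posts, written as plain Python over an in-memory store so it runs offline, with the id-only lookup beside one that checks ownership and whitelists editable fields on the server. Order, ORDERS, CLIENT_EDITABLE and Forbidden are assumed names.

```python
from dataclasses import dataclass

@dataclass
class Order:
    id: int
    owner: str
    status: str = "new"
    notes: str = ""

# Constructed sample data: two customers with sequential order ids.
ORDERS = {
    1001: Order(1001, "alice"),
    1002: Order(1002, "bob"),
}

# Fields a customer may change; status is server-owned.
CLIENT_EDITABLE = {"notes"}

class Forbidden(Exception):
    pass

def get_order_vulnerable(order_id: int) -> Order:
    # The GetOrder(int id) from the thread: trusts the id alone, so any
    # logged-in caller can walk 1001, 1002, ... and read everyone's orders.
    return ORDERS[order_id]

def get_order(current_user: str, order_id: int) -> Order:
    # Authorization lives here, not in the client: the row must belong to
    # the caller. Answer "not found" either way so a wrong id does not
    # confirm that it exists for some other customer.
    order = ORDERS.get(order_id)
    if order is None or order.owner != current_user:
        raise Forbidden(f"order {order_id} not found for {current_user}")
    return order

def update_order(current_user: str, order_id: int, changes: dict) -> Order:
    # Re-check ownership on every write and whitelist fields on the server;
    # a client-side JavaScript filter is not a control.
    order = get_order(current_user, order_id)
    rejected = set(changes) - CLIENT_EDITABLE
    if rejected:
        raise Forbidden(f"fields not editable: {sorted(rejected)}")
    for name, value in changes.items():
        setattr(order, name, value)
    return order
```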



  • @zzzxtreme said:

    almost non-existent data validation!

    Where is the fun in all this If you don't do shit like this from time to time ? Why is everyone so serious these days ?



  • That's credential validation.

    In one of my previous jobs, when designing a webservice for an external website to call, I told them they should create a LoginUser method that returns a ticket (GUID), and any subsequent calls to other services must attach the ticket to validate the identity, and they also questioned "why?".

    Data validation (like how to validate the range or a foreign key etc.) is taught in school; credential validation... I think not. At least not when I was studying there.

    Then again, things like SQL injection, which was uncommon at that time, were not taught either.



  • @cheong said:

    things like SQL injection

    Either I've just been in more intelligent communities recently or SQL injection vulnerabilities have become a big problem and then pretty much ceased to exist within my lifetime. (I'm 21.)

    Same with XSS, come to think of it.



  • As long as there exist websites that use user input directly to construct SQL queries by concatenating strings, there will be SQL injection vulnerabilities.

    At least in the source code handed to me last year, built by someone in a development center in mainland China, I've seen a few places where he directly concatenated strings to form SQL queries, while to his credit, in most other places parameterized queries are used. I guess either more than one programmer coded that, or it's proof that laziness goes everywhere.



  • It usually takes a few years to advance from school mentality of solving tests and chasing grades (oops, forgot to do backend validation, I was sick when prof was talking about that) to the real world mentality of building products.



  • Maybe they don't understand the underlying data. Also, why are juniors doing the job of a lead or architect? Those endpoints should be defined by someone with experience on webservices and on the data models.



  • @ben_lubar said:

    Same with XSS

    *cough* Discourse *cough*

    Speaking of vulnerabilities, I've been playing with comment sections of the bigger news portals in Poland - specifically, whether the voting mechanism is breakable. They all failed in different ways:

    • one of them just didn't give a fuck. Click the upvote button 100 times, put in 100 votes.
    • the other used browser fingerprinting as its sole identification mechanism. Client-side browser fingerprinting. So `for (var i = 0; i < 100; i++) $.post("...", { fingerprint: getFingerprint() + i });` defeated that one too
    • another just stored the list of already voted comments in cookies, so Incognito mode took care of that
    • the other was more clever, doing at least some sort of IP checking... but sending the vote via GET without checking the referer, so a forged `<img>` tag on a high-traffic site would net you enough votes to last a lifetime

    XSRF protection is hard. Let's go shopping.
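Added example (mine, not the poster's code nor any of those sites'): a vote endpoint with the checks each of the four sites above skipped, as a plain Python function over a constructed request dict so it runs offline. SITE_ORIGIN, SESSIONS, VOTES and the request shape are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://news.example"   # assumed origin of the voting site

SESSIONS = {}   # session id -> {"user": ..., "csrf": ...}, held server-side
VOTES = {}      # comment id -> set of user ids that already voted

def new_session(user: str) -> str:
    # Identity is a server-side session, not a cookie flag or a
    # client-computed fingerprint that the caller can change at will.
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid

def handle_vote(req: dict) -> tuple:
    # req is a constructed stand-in for an HTTP request with the parts
    # that matter: method, headers, cookies, form. Returns (status, body).
    if req["method"] != "POST":
        return 405, "votes must be POST"   # a GET <img> tag cannot vote
    sess = SESSIONS.get(req["cookies"].get("session", ""))
    if sess is None:
        return 401, "login required"
    # Reject cross-site submissions by source: Origin, else Referer.
    src = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    parts = urlparse(src)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return 403, "cross-site request"
    # And by secret: the token is only readable from our own pages.
    if not hmac.compare_digest(req["form"].get("csrf", ""), sess["csrf"]):
        return 403, "bad csrf token"
    voters = VOTES.setdefault(req["form"]["comment"], set())
    if sess["user"] in voters:
        return 409, "already voted"   # 100 clicks still count once
    voters.add(sess["user"])
    return 200, f"{len(voters)} votes"
```

The Origin/Referer check is strict on purpose: a request that carries neither header is refused, which is the safer default for a state-changing endpoint.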


  • Discourse touched me in a no-no place

    @ben_lubar said:

    But there's no way anyone could guess someone else's sequentially assigned order id, right?

    Of course not.


  • I survived the hour long Uno hand

    @ben_lubar said:

    Same with XSS



  • :whoosh:

    Welcome to the forums.


  • Trolleybus Mechanic

    @Maciejasjmj said:

    the other was more clever, doing at least some sort of IP checking... but sending the vote via GET without checking the referer, so a forged `<img>` tag on a high-traffic site would net you enough votes to last a lifetime

    I may or may not have done that once-- on the old forum-- with a 1px x 1px image in my signature-- for a contest I didn't end up winning but anyway I was really clever... :|


  • Trolleybus Mechanic

    @zzzxtreme said:

    Why? These things not taught at college?

    My college taught them. In both the Diploma program, and the Applied Bachelor Degree program. There were multiple courses either on security, or that included security units.

    • All data is untrusted
    • Validate your data
    • Check it's type
    • Authenticate your users
    • Check Authorization
    • Never assume the layer before you did it right, or that the layer after will do it right

    The last place I worked at learned the hard way about two very important things:

    1. Client-side validation isn't enough. Someone used dev tools to re-enable a disabled button and submitted a form past its due date
    2. Parameterize everything. Yes, even the int fields. Idiots. Now I have to clean up a hacked database. At least I learned a lot about the anatomy of an SQL injection / reflected XSS attack


  • @zzzxtreme said:

    Why? These things not taught at college?

    I majored in Biology. Didn't learn these things.


  • FoxDev

    @Lorne_Kates said:

    - Check it's type

    Check it is type?


  • area_can

    Which college, if I may ask?


  • Trolleybus Mechanic

    @RaceProUK said:

    @Lorne_Kates said:
    - Check it's type

    Check it is type?

    Yes. Check it is type correctly.


  • Trolleybus Mechanic

    @bb36e said:

    Which college, if I may ask?

    Seneca College (Ontario).



  • @Lorne_Kates said:

    Check it's type

    Well, it is (a) type. But which one?


  • Trolleybus Mechanic

    @rc4 said:

    @Lorne_Kates said:
    Check it's type

    Well, it is (a) type. But which one?

    #THAT IS A HILARIOUS JOKE!


  • BINNED

    @Lorne_Kates said:

    Parameterize everything. Yes, even the int fields.

    ?



  • numberOfPonies=1'; DROP TABLE Students; --



  • Indeed it's is.


  • Trolleybus Mechanic

    @ben_lubar said:

    numberOfPonies=1'; DROP TABLE Students; --

    Exactly. I had arguments that went like this:

    👦 We need to parameterize everything, even the int fields
    😦 (boss) But SQL injection only matters on string fields
    👦 No, it can happen on any field.
    😦 But they need to pass a quote to close the string, and numbers don't have quotes
    👦 Unless they omit the quote and just pass ; DROP TABLE Students; ---
    😦 They can't do that. It's a number field. We check it with Javascript!

    FUN FACT SIDENOTE: This is the same company that got hit with an SQL Injection attack. In 2014. Through a non-parameterized querystring variable. That was an int. I never got any arguments about anything security related again after that.
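Added example (mine, not from the post): the int-field argument above run against an in-memory SQLite table, with the concatenated query beside the bound-parameter one. The querystring value is a string by the time it reaches the data layer; only binding it (or a real int conversion) makes it a number. Table and rows are constructed; make_db, student_concat and student_param are assumed names.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Students VALUES (?, ?)",
                     [(1, "Robert"), (2, "Alice"), (3, "Bob")])
    return conn

def student_concat(conn: sqlite3.Connection, raw_id: str) -> list:
    # The "it's a number field, JavaScript checks it" version. No quote is
    # needed to break out, because the literal was never quoted: the value
    # is spliced straight into the statement text.
    # (Python's sqlite3 refuses stacked statements in execute(), so the
    # DROP TABLE payload from the thread is blocked by this driver only;
    # other drivers run it. The boolean form below works everywhere.)
    sql = "SELECT name FROM Students WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]

def student_param(conn: sqlite3.Connection, raw_id: str) -> list:
    # Bound parameter: whatever the client sent is compared as a value and
    # never parsed as SQL. Converting to int first gives a clean error
    # instead of a silent empty result for junk input.
    try:
        student_id = int(raw_id)
    except ValueError:
        raise ValueError(f"id must be an integer, got {raw_id!r}")
    rows = conn.execute("SELECT name FROM Students WHERE id = ?", (student_id,))
    return [row[0] for row in rows]
```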



  • @zzzxtreme said:

    Why? These things not taught at college?

    Security? Taught in college? :snerk:
    Excuse me for a moment while I die laughing 😆

    No, seriously, they spend most of their time in college on very important things for computer science (and programming, of course) like: operating systems, compiler design, assembly language, language grammar, LISP, Scheme, and formal logic. They also pile on Calculus, Physics, additional high level math classes, etc. Their basic curriculum walks students through: basic programming (hope you like linked lists!), and a little more basic programming. Then they dump the students into C programming (because why not?!), Assembly, Logic, and Unix Systems.

    Then the upper level classes focus mostly on the aforementioned theory, with a sprinkling of programming for graphical reasons, and other minor programming related things, most of them theory related -- NONE of them having anything to do with what a programmer would be expected to do in a real job. I never once did a single project in college that was business related, until our capstone project which we had to do to graduate. Everything else was academic-based, or theory based.

    Do they have security classes? Web classes? Database classes? Yup. And almost all of them are electives. Which means the vast majority of the students won't choose them, when there are easier ones they can choose to satisfy their elective requirements. I took all of them I could, because frankly those were some of the most useful classes I ever took in College, especially the advanced database class, and the security classes.

    So, yeah, no, straight out of college kids with a CS degree that haven't worked in the industry ... no, they won't be able to handle security. You're gonna have to mentor them. They got through the program though, so it shouldn't be too hard to train them. Just give them a book or website on the subject, and assign them some tasks to learn the concepts, and they will be fine ;)



  • My "security" class was actually an Active Directory class. I was sorely disappointed.



  • The security class I had at Uni wasn't bad. In the first lecture, the lecturer told us if we could give him the contents of a txt file on the root of his web server used to host the course materials we would pass without having to take the exam. Nobody managed it, but we did all learn a fair bit...


  • Trolleybus Mechanic

    @Nocha said:

    The security class I had at Uni wasn't bad. In the first lecture, the lecturer told us if we could give him the contents of a txt file on the root of his web server used to host the course materials we would pass without having to take the exam. Nobody managed it, but we did all learn a fair bit...

    "Dear Professor. Here is $100 and a USB drive. Please copy the file. Thx"



  • @Lorne_Kates said:

    Client-side validation isn't enough. Someone used dev tools to re-enable a disabled button and submitted a form past its due date

    Sounds like the pizza hacker (http://thedailywtf.com/articles/pizza-hacker) strikes again.

