Part four of the series detailing the OWASP top 10 web application vulnerabilities. (See intro)
On the surface of it, this might seem to have something to do with class type objects, but actually, it doesn't... So what are we talking about?
Well, the sort of objects we're talking about here are files, directories, database records or primary keys.
I find that using a specific example is the easiest way to explain these concepts, so consider the following URL:
http://myserver/index.jsp?getfile=myreport.doc
or
http://myserver/index.aspx?getfile=myreport.doc
The idea here is that the parameter specifies the file to download. A hacker could quite easily exploit this by modifying the parameter so that an unintended file is returned.
What would happen if a hacker modified the URL to:
http://myserver/index.aspx?getfile=/../web.config
or
http://myserver/index.jsp?getfile=../../../tomcat/conf/tomcat-users.xml
In the second JSP/Java/Tomcat example, they could get hold of the config file used to store user names and passwords - instant admin access!
This isn't limited to files - records identified by their primary keys are also vulnerable.
Once again, a hacker could easily modify the unique key in the following URL to return data that they are not supposed to access:
http://myserver/viewAccountBalance.jsp?accountNr=1234
So what do we do to avoid this situation?
Firstly, validate all input. If you're returning files, ensure that a hacker can't escape the input. This isn't always as easy as it sounds though - I recall some time ago in 2001 that IIS had a bug in it allowing directory traversals by using the overlong Unicode representations for / and . - %c0%af and %c1%9c. Using a combination of these basically bypassed all security checks and allowed executing commands on the server by inputting commands to the command shell. Basically, a hacker had complete access to the server. So be careful!
Probably most importantly, use a reference map to refer indirectly to objects, so that they're never shown publicly. If a hashtable of valid key/file name pairs is stored server side and its entries are referenced from the browser by their keys, a hacker can't enter a file name or record key that they're not supposed to have access to.
For example, instead of the first example above, a better approach would be:
http://myserver/index.jsp?getfileByID=2
Obviously, you only store those files in the hashtable that they're supposed to have access to, otherwise they would simply change the file id and once again access secure data.
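A sketch of the per-user reference map described above, combined with the input validation from the previous point. This is an added example in Python, not code from the original post; the `ReferenceMap` class, its `grant` and `resolve` methods, and the user and file names are hypothetical and constructed for illustration.

```python
import os
import tempfile

class ReferenceMap:
    """Per-user map from opaque IDs to files that user may download."""

    def __init__(self, base_dir):
        # Canonical base directory; every served file must live under it.
        self.base_dir = os.path.realpath(base_dir)
        self._by_user = {}  # user -> {id: file name}

    def grant(self, user, filename):
        """Register a file for a user and return the ID to expose in URLs."""
        files = self._by_user.setdefault(user, {})
        file_id = len(files) + 1
        files[file_id] = filename
        return file_id

    def resolve(self, user, raw_id):
        """Map the getfileByID parameter to a path, or None if not allowed."""
        try:
            file_id = int(raw_id)
        except (TypeError, ValueError):
            return None  # path-like input never reaches the file system
        filename = self._by_user.get(user, {}).get(file_id)
        if filename is None:
            return None  # unknown ID, or an ID that only exists for another user
        path = os.path.realpath(os.path.join(self.base_dir, filename))
        # Defence in depth: the stored name must still resolve inside base_dir.
        if os.path.commonpath([path, self.base_dir]) != self.base_dir:
            return None
        return path


def demo():
    """Constructed sample data: alice has one file, bob has two."""
    base = tempfile.mkdtemp()
    refs = ReferenceMap(base)
    alice_id = refs.grant("alice", "myreport.doc")
    refs.grant("bob", "payroll.doc")
    refs.grant("bob", "budget.doc")
    bad_id = refs.grant("carol", "../outside.txt")  # misconfigured map entry
    return {
        "own_file": refs.resolve("alice", str(alice_id)),
        "traversal": refs.resolve("alice", "../../../tomcat/conf/tomcat-users.xml"),
        "other_users_id": refs.resolve("alice", "2"),
        "bad_entry": refs.resolve("carol", str(bad_id)),
        "expected": os.path.join(os.path.realpath(base), "myreport.doc"),
    }
```

The same lookup-by-owner pattern applies to record keys such as `accountNr`: the key from the request is only honoured if it appears in the map built for the logged-in user.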
So... Beware of your parameters and what they could be exposing.
Microsoft has just announced that it will purchase Skype for $8.5bn.
On the surface of it it seems as though it's a great purchase with possible integration with Xbox, Windows Phone 7, Live.com etc. But has it come at too high a cost?
In 2009, 70% of Skype was sold for $2bn. 2 years later, it's bought for $8.5bn? I doubt that Skype's value has increased to the degree which justifies the price and the stock market seems to agree - Microsoft's share price is down slightly for the day by 0.62%, in spite of the NASDAQ gaining 1.01%.
If Microsoft can integrate it successfully with the rest of its products, it may be able to create an even stronger suite which might also strengthen its case against iOS from Mac and Linux. There may not be any direct profits, but it may be worth it when considering total sales and products.
It's yet to be seen whether this will be the right decision...
"South African software industry players are pushing for changes in legislation to help reduce piracy"
http://mybroadband.co.za/news/software/19277-Fighting-Piracy-with-the-law.html
Is there much of a point? The industry moves faster than law can keep up. Back in 2002 the Electronic Communications and Transactions Act came into being. Prior to the ECT Act, there were virtually no laws governing many areas of the industry. But even by the time it came into being, there were already shortcomings/loops.
So, are we ever going to beat the piracy... not easily.
One of the less vaunted characteristics of open source software is that it can't be pirated, as nobody really "owns" it. OK, it is kinda possible to include open source with proprietary software and possibly violate the licence, but it's not really the same as pirating a game. Businesses built around services as opposed to products do not suffer the losses due to pirated software.
Another emerging technology/approach/philosophy is cloud computing, or maybe just web based apps in general, that make it impossible to pirate without infiltrating the physical infrastructure.
An approach that seems to work for certain software is the augmented services offered by online subscription/registration. For example, in certain console games, you can play online - without this feature, the game is severely limited. This acts as some deterrent to using pirated software.
I seriously doubt that it'll ever be possible to get rid of pirated software without a combination of these factors. I'm certain that it's not going to disappear by just modifying the law.
I faced an interesting question recently in building SharePoint based InfoPath forms. The problem was that a drop down field was being populated from a SharePoint list which could potentially have 50+ values, making the control cumbersome to use. The aim was to filter the values in the drop down based on another drop down field where there was a relationship between the two.
So how do you build these cascading dropdowns?
As an example, we'll use a city/state relationship, both stored in lists, and use these fields on a new record.
Firstly, we'll create a custom List to store the State List items with only one field - State Name.
Next we'll create a list of cities with a lookup field referencing the state field.
Now that we've got the two lists representing the data sorted, create a third list, on which we will add these two fields as lookups.
Now, as can be seen the data that's been entered isn't valid in terms of state/city combinations. So, in order to build a form which filters the cities based on the selected state, click on the "Customise Form" button:
This will then open the form in InfoPath. Arrange the form elements appropriately and delete any controls not needed. Now, we want to filter the City control based on the selected State ID. The problem is that the State ID doesn't exist in the generated City data connection, so we have to add a new one. Click on Data-->From SharePoint List, fill in your SharePoint site URL and click "Next". Select the City list you created from the collection of lists. On the next screen you'll notice that "ID" is selected by default; select both the "Name" field and the state field as well.
Now comes the magic... Right click on the City drop down list control and click on "Drop-down List Box Properties". Ensure that the new City data source is selected and click on the button next to "Entities". The d:SharePointListItem_RW item node should already be selected, now click on the "Filter Data" button. Click on "Add" to add a new filter. The condition that must be "true" is that the "State" field in the "City" data source must equal the selected "State" in the "main data source". Have a look at the attached image for a better idea...
Finally ensure that the "Value" field that the drop down is bound to is the "ID" and not the "d:Title" which it probably selected as the default.
Now test your form using the preview function and publish back to SharePoint.
Below is a screen shot of the final SharePoint InfoPath form.
This concept can be extended further using text boxes instead of drop downs for a basic "word filter" functionality by using the "contains" match instead of "equals" and can be combined with multiple filters. From a usability perspective, you'll probably have to disable the city text box until a user selects a state.
I've also used a similar "Filtered Data" approach to select single values from a list once a user selects an element from a drop down list. Extending the above example, we could lookup related data from the City SharePoint list and display it in a read-only text box once the user has selected a City.

Gnome 3 has finally been launched after what seems like years! So long in fact that Canonical/Ubuntu has decided to drop it from their upcoming version. But even if you don't want to wait for the major editions to release it in their next versions, you can install it right now.
This is probably one of the biggest changes to the Gnome interface for the past few years, so it's a big change.
Have a look at the following to see how to install it:
http://digitizor.com/2011/04/07/install-gnome3-desktop-ubuntu/






