
Re: How Secure is this?

Posted: Wed Feb 15, 2006 1:56 pm
by Roja
blacksnday wrote: Considering I let it be known right away that Form Input should be protected, I have no clue why that would cause an exclusion to a proper answer about the other aspects of coding.
Fair question, so I'll answer.

Let's say you filter input *so* well that it's only an integer.

If so, we don't need to worry about SQL injection, quoting, DB storage type, host OS, anything really.

Saying "I've covered input filtering" doesn't answer the question sufficiently, and entirely influences the rest of the questions. If you've filtered it down to just an int, there is extremely little that needs to be done beyond that.

But let's get realistic and say that the input filtering allows a-z, dashes, spaces, and underscores. Now we need to worry about which DB engine: MSSQL treats a double dash as a comment. Now we need to worry about SQL escaping. Now we need to worry about DB storage type: is the input potentially longer than the field? If it's a char(5), and the username is longer....

See all the things that are affected? We aren't being nitpicky or anal. We are being thorough, to give you a fair and considered answer to the question of "is this secure?". Is this nice, well-designed, cute, web-2.0-ish, etc.? Those are all very subjective questions that don't require substantial detail. Whether something is secure requires tremendous attention to detail.

Remember, to be secure, you have to be correct, safe, and well-designed at every point, every day. To be insecure, you only have to make one mistake, ever.

Do you really think it's reasonable to ask for that level of certainty while leaving out half of the equation?
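
The trade-off Roja describes, as an added example that is not part of the thread or anyone's posted code: a whitelist of a-z, dashes, spaces and underscores, a length check against a char(5) column, and the value bound as a query parameter because "--" still passes the character whitelist. The function names, the users table and the inputs are constructed assumptions.

```python
import re
import sqlite3

# Constructed example: Roja's whitelist (a-z, dashes, spaces, underscores)
# and the width of the column the value is stored in (the char(5) case).
USERNAME_RE = re.compile(r"[a-z _-]+")
USERNAME_MAX_LEN = 5


class InvalidInput(ValueError):
    pass


def validate_username(raw: str) -> str:
    """Return raw unchanged if it passes the whitelist and length check.

    fullmatch() is used rather than match()/'$' so a trailing newline cannot
    slip past the pattern. Note that '--' passes this whitelist, so the
    filter alone does not make the value safe to splice into SQL text.
    """
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise InvalidInput("username may only contain a-z, '-', ' ' and '_'")
    if len(raw) > USERNAME_MAX_LEN:
        # Engines differ on an over-long value (silent truncation or an
        # error), so the application enforces the column width itself.
        raise InvalidInput(f"username longer than {USERNAME_MAX_LEN} chars")
    return raw


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the real one (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username CHAR(5) NOT NULL)")
    return conn


def insert_user(conn: sqlite3.Connection, raw: str) -> str:
    """Validate, store via a bound parameter, and return what was stored."""
    name = validate_username(raw)
    # Bound parameter: '--' inside name is data to the engine, not a comment.
    conn.execute("INSERT INTO users (username) VALUES (?)", (name,))
    row = conn.execute(
        "SELECT username FROM users WHERE username = ?", (name,)
    ).fetchone()
    return row[0]
```

Calling `insert_user(make_db(), "a--b")` stores and returns the literal string `a--b`, while `"toolong"`, `"o'neil"` and `"Bob"` are rejected before any query runs.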

Posted: Wed Feb 15, 2006 2:22 pm
by blacksnday
shiflett wrote: I know what you're saying in theory, but I want to stress that such assumptions can easily be problematic. How certain are you that there's no way to avoid having these session variables initialized? I'm not suggesting that there's a way, but it's worth at least trying the attack I suggested (sending a GET request to the URL identified as the action of the form).
The full system I built is a tad complex; however, I do believe there is no way to initialize the Proper Session Variables without correctly logging in to begin with, because the only area where the User Login Sessions are created, be it either the Default Values or the Proper Logged in Values, is on the login page itself.

Any other page that is for Members/Logged Users will not create or edit any Session Value. They will always take the user to the Login Page to log in and have User Login Sessions created.

Without me disclosing full system code I can't really gain a complete census about the full security of the system I am working on.

I would, however, be more than happy to extend invitations for people to help me test it on my Local Host install that is residing on my HOME COMPUTER; however, I had asked something similar in the past on these forums and was blasted big time for it.......
Hell... I even have a VPS I could offer testing on.....

Therefore, I can only ask about snippets of info from snippets of code, which then result in confusion for people trying to answer. It would probably be best not to ask this type of question later on :)

Roja wrote: See all the things that are affected? We aren't being nitpicky or anal. We are being thorough, to give you a fair and considered answer to the question of is this secure. Is this nice, well-designed, cute, web-2.0'ish, etc are all very subjective questions that don't require substantial detail. Whether something is secure requires tremendous attention to detail.
That response was more effective than your previous.
Thanks....

Posted: Wed Feb 15, 2006 2:51 pm
by Roja
blacksnday wrote: Without me disclosing full system code I can't really gain a complete census about the full security of the system I am working on.
Agreed. I think that's the summary. I will agree that you didn't get the most helpful responses to whether your code was secure, but it's very hard to answer small portions of a big picture.

Sorry it wasn't better, but I agree: without the full picture, it's hard for us to help give you a full answer. That does somewhat stink. If you have a suggestion on how to improve that, I'm all ears.