[Owasp-codereview] No input paths still not 100% secure?
Mark Roxberry, OWASP.ORG
mark.roxberry at owasp.org
Mon Jun 23 07:19:32 EDT 2008
Hello world is probably not my target.
For a better example of an apparently input-less application, say you have a
Win32 service for file I/O. We may need this to give that service higher
privileged authority than direct user access to a file repository as part of
a web application. In this case, I can deny the service access by changing
access control on a directory, or by changing the service account to run
as another account. In day-to-day security, configuration settings are
usually not considered input (at least in my experience). So if you have
a configuration setting for a file location in my previous example, and you
can change that, there's a vector that is not technically input.
-----Original Message-----
From: owasp-codereview-bounces at lists.owasp.org
[mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Nam Nguyen
Sent: Monday, June 23, 2008 6:45 AM
Cc: Owasp-codereview at lists.owasp.org
Subject: Re: [Owasp-codereview] No input paths still not 100% secure?
> I suppose all systems have some sort of data?
> be it from a user or a B2B system or from a legacy database, or a batch
> The data has to come from somewhere and such data must be validated and
> transactions relating to the input of such data must be examined.
However, the statement that we are discussing assumes that such a
system does not take in any data at all. In that sense, I could only
imagine "hello world". And how could "hello world" not be 100% secure?
Maybe I'm missing something here. By "input mechanism", do you only
consider inputs entered by a human, not those taken from other systems?
> On 23/06/2008, Nam Nguyen <namn at bluemoon.com.vn> wrote:
>> I'm reviewing the newly added chapter Transaction Analysis (or is it
>> Transactional Analysis?).
>> This statement caught my eyes and I kept pondering how it could be
>> "Would systems lacking an input mechanism be 100% secure? Probably not."
>> I mean, "hello world" is not 100% secure?
>> Could someone share with me an example of such vulnerable system please?
Owasp-codereview mailing list
Owasp-codereview at lists.owasp.org
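As an added illustration of the point Mark makes above (example code written for this page, not from the thread or from OWASP): a file service that reads its repository location from a config file should treat that value as input and confine it. The INI layout, the `fileservice` section and the single-approved-base policy are assumptions.

```python
import configparser
import os
import tempfile

# Assumed setup (not from the thread): the file service reads its repository
# location from an INI file, and policy says it must sit under one base dir.
# Constructed sample configuration, as written by whoever can edit the file.
SAMPLE_CONFIG = "[fileservice]\nrepository = data/uploads\n"


class UnsafeConfiguration(ValueError):
    """A configured path would let the service operate outside its sandbox."""


def load_repository_path(config_text: str) -> str:
    """Parse the raw configuration value; nothing is trusted at this point."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    return parser["fileservice"]["repository"]


def confine(configured: str, allowed_base: str) -> str:
    """Resolve the configured path, or raise if it escapes allowed_base.

    realpath() follows symlinks and collapses '..', so the check is made on
    the path the OS would actually open, not on the text in the config file.
    An absolute value replaces the base inside join(); the check catches that too.
    """
    base = os.path.realpath(allowed_base)
    resolved = os.path.realpath(os.path.join(base, configured))
    if os.path.commonpath([base, resolved]) != base:
        raise UnsafeConfiguration(f"{configured!r} resolves to {resolved!r}, outside {base!r}")
    return resolved


def repository_is_safe(config_text: str, allowed_base: str) -> bool:
    """True if the configured repository stays inside allowed_base."""
    try:
        confine(load_repository_path(config_text), allowed_base)
        return True
    except UnsafeConfiguration:
        return False


def symlink_escape_is_rejected() -> bool:
    """A harmless-looking value ('repo') that is a symlink out of the base must fail."""
    with tempfile.TemporaryDirectory() as base:
        os.symlink(os.path.dirname(base), os.path.join(base, "repo"))
        return not repository_is_safe("[fileservice]\nrepository = repo\n", base)
```

The same check belongs wherever the service account's privileges exceed the caller's: a config value the service trusts blindly is exactly the vector Mark describes.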