[Owasp-codereview] No input paths still not 100% secure?

Mark Roxberry, OWASP.ORG mark.roxberry at owasp.org
Mon Jun 23 07:19:32 EDT 2008



Hello world is probably not my target.

For a better example of an apparently input-less application, say you have a
win32 service for file I/O.  We may need this to give that service higher
privileged authority than direct user access to a file repository as part of
a web application.  In this case, I can deny the service access by changing
access control to a directory, also by changing the service account to run
as another account.  In day-to-day security, configuration settings are
usually not considered as input (at least in my experience).  So if you have
a configuration setting for a file location in my previous example, and you
can change that, there's a vector that is not technically input.


-----Original Message-----
From: owasp-codereview-bounces at lists.owasp.org
[mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Nam Nguyen
Sent: Monday, June 23, 2008 6:45 AM
To: Eoin
Cc: Owasp-codereview at lists.owasp.org
Subject: Re: [Owasp-codereview] No input paths still not 100% secure?

Eoin wrote:
> I suppose all systems have some sort of data?
> be it from a user or a B2B system or from a legacy database, or a batch
> file feed?
> 
> The data has to come from somewhere and such data must be validated and
> the transactions relating to the input of such data must be examined.

Agreed.

However, the statement that we are discussing assumes that such a
system does not take in any data at all. In that sense, I could only
imagine "hello world". And how could "hello world" not be 100% secure?

Maybe I'm missing something here. By "input mechanism", do you only
consider inputs entered by a human, not taken from other systems?

Cheers
Nam

> 
> 
> 
> On 23/06/2008, Nam Nguyen <namn at bluemoon.com.vn> wrote:
>> Hi
>>
>> I'm reviewing the newly added chapter Transaction Analysis (or is it
>> Transactional Analysis?).
>>
>> This statement caught my eye and I kept pondering how it could be
>> exemplified.
>>
>> "Would systems lacking an input mechanism be 100% secure? Probably not."
>>
>> I mean, "hello world" is not 100% secure?
>>
>> Could someone share with me an example of such a vulnerable system please?
>>
>> Thanks
>> Nam

_______________________________________________
Owasp-codereview mailing list
Owasp-codereview at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-codereview
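The point Mark makes above, that a file-location setting is an input vector even though nobody thinks of it as input, can be turned into a concrete check. The Python below is an added example written for this archive page; it is not code from the OWASP Code Review project or from anyone in the thread. It assumes a hypothetical file-I/O service whose repository location comes from a key=value configuration line (the `repository.path` key, the `load_config_path` and `resolve_repository_path` helpers and the sample directory layout are all constructed here for illustration). The service treats the configured path as untrusted: it resolves symlinks and `..` components first and then requires the result to lie inside a repository root fixed at deployment time, so a changed setting cannot redirect the privileged service at a directory it should not touch.

```python
"""Treat configuration values as untrusted input (added example, not from the thread)."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List


class UnsafeConfigurationError(ValueError):
    """Raised when a configured path escapes the permitted repository roots."""


def resolve_repository_path(configured_path: str, allowed_roots: List[str]) -> Path:
    """Return the real path for configured_path if it lies inside one of allowed_roots.

    Symlinks and '..' components are resolved before the containment check, so a
    setting that points at a symlink escaping the root is rejected exactly like a
    literal '../..' traversal.  allowed_roots is meant to be fixed at deploy time,
    not read from the same editable configuration.
    """
    real = Path(os.path.realpath(configured_path))
    for root in allowed_roots:
        real_root = Path(os.path.realpath(root))
        if real == real_root or real_root in real.parents:
            return real
    raise UnsafeConfigurationError(
        f"configured path {configured_path!r} resolves outside the allowed repository roots"
    )


def load_config_path(config_lines: List[str], key: str) -> str:
    """Minimal key=value parser for the constructed sample configuration (hypothetical format)."""
    for line in config_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        k, _, v = line.partition("=")
        if k.strip() == key:
            return v.strip()
    raise KeyError(key)


def demo() -> Dict[str, str]:
    """Run the check against three constructed settings and report which were accepted.

    The directory layout is built in a temporary directory:
      <tmp>/repo/uploads     the legitimate repository location
      <tmp>/secrets          a directory the service must never be pointed at
      <tmp>/repo/shortcut    a symlink inside the repository that points at <tmp>/secrets
    """
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp, "repo")
        uploads = repo / "uploads"
        uploads.mkdir(parents=True)
        secrets = Path(tmp, "secrets")
        secrets.mkdir()
        (repo / "shortcut").symlink_to(secrets, target_is_directory=True)

        # Three constructed configuration lines: one honest, two that try to escape.
        settings = {
            "in_tree": f"repository.path = {uploads}",
            "traversal": f"repository.path = {repo}/uploads/../../secrets",
            "symlink": f"repository.path = {repo}/shortcut",
        }
        for name, line in settings.items():
            configured = load_config_path([line], "repository.path")
            try:
                resolve_repository_path(configured, [str(repo)])
                results[name] = "accepted"
            except UnsafeConfigurationError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Only the in-tree setting is accepted; the `..` traversal and the symlink both resolve to the `secrets` directory and are refused before the service ever opens a file there. The same containment check applies to any other path-valued setting (log directory, plugin directory, temp directory) that a privileged service reads at start-up, and it complements rather than replaces the directory ACLs and dedicated service account Mark describes.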