[Owasp-codereview] No input paths still not 100% secure?

Nam Nguyen namn at bluemoon.com.vn
Mon Jun 23 08:45:18 EDT 2008


Mark Roxberry, OWASP.ORG wrote:
> Hello world is probably not my target.
> 
> For a better example of an apparently input less application, say you have a
> win32 service for file I/O.

Doesn't "file I/O" spell out in full as "file *Input*/Output"?

I know, I know. I'm being annoying here...

Nam

> We may need this to give that service higher
> privileged authority than direct user access to a file repository as part of
> a web application.  In this case, I can deny the service access by changing
> access control to a directory, also by changing the service account to run
> as another account.  In day to day security configuration settings are
> usually not considered as input (at least in my experience).  So if you have
> a configuration setting for a file location in my previous example, and you
> can change that, there's a vector that is not technically input.
> 
> 
> -----Original Message-----
> From: owasp-codereview-bounces at lists.owasp.org
> [mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Nam Nguyen
> Sent: Monday, June 23, 2008 6:45 AM
> To: Eoin
> Cc: Owasp-codereview at lists.owasp.org
> Subject: Re: [Owasp-codereview] No input paths still not 100% secure?
> 
> Eoin wrote:
>> I suppose all systems have some sort of data?
>> be it from a user or a B2B system or from a legacy database, or a batch file
>> feed?
> 
>> The data has to come from somewhere and such data must be validated and the
>> transactions relating to the input of such data must be examined.
> 
> Agreed.
> 
> However, the statement that we are discussing assumes that such a
> system does not take in any data at all. In that sense, I could only
> imagine "hello world". And how could "hello world" not be 100% secure?
> 
> Maybe I'm missing something here. By "input mechanism", do you only
> consider inputs entered by a human, not taken from other systems?
> 
> Cheers
> Nam
> 
> 
> 
>> On 23/06/2008, Nam Nguyen <namn at bluemoon.com.vn> wrote:
>>> Hi
>>>
>>> I'm reviewing the newly added chapter Transaction Analysis (or is it
>>> Transactional Analysis?).
>>>
>>> This statement caught my eye and I kept pondering how it could be
>>> exemplified.
>>>
>>> "Would systems lacking an input mechanism be 100% secure? Probably not."
>>>
>>> I mean, "hello world" is not 100% secure?
>>>
>>> Could someone share with me an example of such a vulnerable system please?
>>>
>>> Thanks
>>> Nam
> 
> _______________________________________________
> Owasp-codereview mailing list
> Owasp-codereview at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-codereview
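Mark's configuration-setting scenario above, worked as an added example (not code from this thread or from the OWASP Code Review Guide): a higher-privileged file I/O service treats its configured repository location, and the file that holds that setting, as untrusted input rather than as trusted configuration. The `[storage]` section, the `repository` key, the allowed root `/srv/repo` and the sample configuration text are assumptions for this example.

```python
import configparser
import os
import stat
from pathlib import Path

# Constructed sample of the kind of setting the thread describes: a file
# location that the service trusts. Section and key names are hypothetical.
SAMPLE_CONFIG = """
[storage]
repository = /srv/repo/uploads
"""

ALLOWED_ROOT = Path("/srv/repo")  # assumed deployment policy for this example


def load_repository_setting(config_text: str) -> str:
    """Read the configured location exactly as the service would."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    return cp["storage"]["repository"]


def confine_repository_path(setting: str, allowed_root: Path = ALLOWED_ROOT) -> Path:
    """Treat the setting as untrusted input: canonicalise it, then confine it."""
    candidate = Path(setting)
    if not candidate.is_absolute():
        raise ValueError("repository setting must be an absolute path")
    # resolve() collapses '..' and follows symlinks, so '/srv/repo/../../etc'
    # or a symlinked subdirectory cannot pass a naive string-prefix check
    resolved = candidate.resolve(strict=False)
    root = allowed_root.resolve(strict=False)
    if resolved != root and root not in resolved.parents:
        raise ValueError(f"{resolved} is outside the allowed root {root}")
    return resolved


def mode_is_protected(st_mode: int) -> bool:
    """A setting is only as trustworthy as the file holding it: reject a
    configuration file that group or world can modify."""
    return not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def config_file_is_protected(config_path: str) -> bool:
    """Stat the real configuration file and apply the permission check."""
    return mode_is_protected(os.stat(config_path).st_mode)


def setting_is_confined(setting: str) -> bool:
    """Boolean form of confine_repository_path for simple policy checks."""
    try:
        confine_repository_path(setting)
        return True
    except ValueError:
        return False
```

Note that `/srv/repository` is rejected even though it starts with the string `/srv/repo`, which is why the check compares path components rather than string prefixes.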

