[Owasp-codereview] No input paths still not 100% secure?

Eoin eoin.keary at owasp.org
Mon Jun 23 09:12:53 EDT 2008


hi,
When talking about input, it's not necessarily from humans; as mentioned before it
could be "......be it from a user or a B2B system or from a legacy database,
or a batch file feed?"
An attack vector may not affect the producer of the data, but when loaded into
the consumer it may have an adverse effect.


On 23/06/2008, Mark Roxberry, OWASP.ORG <mark.roxberry at owasp.org> wrote:
>
>
> Hello world is probably not my target.
>
> For a better example of an apparently input-less application, say you have a
> win32 service for file I/O.  We may need this to give that service higher
> privileged authority than direct user access to a file repository as part of
> a web application.  In this case, I can deny the service access by changing
> access control to a directory, also by changing the service account to run
> as another account.  In day-to-day security, configuration settings are
> usually not considered as input (at least in my experience).  So if you have
> a configuration setting for a file location in my previous example, and you
> can change that, there's a vector that is not technically input.
>
>
> -----Original Message-----
> From: owasp-codereview-bounces at lists.owasp.org
> [mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Nam Nguyen
> Sent: Monday, June 23, 2008 6:45 AM
> To: Eoin
> Cc: Owasp-codereview at lists.owasp.org
> Subject: Re: [Owasp-codereview] No input paths still not 100% secure?
>
> Eoin wrote:
> > I suppose all systems have some sort of data?
> > be it from a user or a B2B system or from a legacy database, or a batch file
> > feed?
> >
> > The data has to come from somewhere and such data must be validated and the
> > transactions relating to the input of such data must be examined.
>
> Agreed.
>
> However, the statement that we are discussing assumes that such a
> system does not take in any data at all. In that sense, I could only
> imagine "hello world". And how could "hello world" not be 100% secure?
>
> Maybe I'm missing something here. By "input mechanism", do you only
> consider inputs entered by a human, not taken from other systems?
>
> Cheers
> Nam
>
> >
> >
> >
> > On 23/06/2008, Nam Nguyen <namn at bluemoon.com.vn> wrote:
> >> Hi
> >>
> >> I'm reviewing the newly added chapter Transaction Analysis (or is it
> >> Transactional Analysis?).
> >>
> >> This statement caught my eye and I kept pondering how it could be
> >> exemplified.
> >>
> >> "Would systems lacking an input mechanism be 100% secure? Probably not."
> >>
> >> I mean, "hello world" is not 100% secure?
> >>
> >> Could someone share with me an example of such vulnerable system please?
> >>
> >> Thanks
> >> Nam
>
> _______________________________________________
> Owasp-codereview mailing list
> Owasp-codereview at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-codereview


-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Code_Review_Project
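The thread's point, that a "file location" configuration setting and a batch-file feed are input even though no human typed them, can be shown as a review-style check. The block below is an added example, not code from the OWASP Code Review Project or from anyone on the list; the allowed repository root, the config keys and the sample feed records are constructed assumptions. It validates a file-location setting the way one would validate a user-supplied path (canonicalise, then confine to an allowed root) and validates a batch feed record by record, rejecting rather than silently loading malformed rows.

```python
"""Treat configuration values and batch feeds as untrusted input.

Added example for the OWASP code-review discussion above; not project code.
ALLOWED_ROOT, the feed format and SAMPLE_FEED are constructed assumptions.
"""
import posixpath
import re
from decimal import Decimal
from pathlib import PurePosixPath

# Constructed assumption: the service may only touch files under this
# repository root, whatever the configuration file is later changed to say.
ALLOWED_ROOT = PurePosixPath("/srv/app/repository")


class ConfigError(ValueError):
    """A configuration value failed validation and must not be used."""


def validate_file_location(setting: str,
                           allowed_root: PurePosixPath = ALLOWED_ROOT) -> PurePosixPath:
    """Validate a 'file location' setting exactly as if a user had typed it.

    The value is normalised (collapsing '.' and '..') and must remain inside
    allowed_root; anything else raises ConfigError so the service fails closed
    instead of operating on a directory the operator did not intend.
    """
    if not setting or "\x00" in setting:
        raise ConfigError("empty or NUL-containing path")
    candidate = PurePosixPath(setting)
    if not candidate.is_absolute():
        candidate = allowed_root / candidate
    # posixpath.normpath works on the string alone, so the check holds even
    # before the directory exists or when the service cannot stat it.
    resolved = PurePosixPath(posixpath.normpath(str(candidate)))
    try:
        resolved.relative_to(allowed_root)
    except ValueError:
        raise ConfigError(f"{setting!r} escapes {allowed_root}") from None
    return resolved


def is_valid_location(setting: str) -> bool:
    """Boolean wrapper so callers can test a setting without catching."""
    try:
        validate_file_location(setting)
        return True
    except ConfigError:
        return False


# Constructed sample batch feed: one "account,amount" record per line.
SAMPLE_FEED = [
    "ACC-1001,250.00",   # well-formed
    "ACC-1002,-40.00",   # negative amount: rejected
    "ACC-1003,1e309",    # exponent notation, not a money amount: rejected
    "bad line",          # malformed record: rejected
    "ACC-1004,10.50",    # well-formed
]

# Strict shapes for each field; the feed producer is not trusted to be right.
ACCOUNT_RE = re.compile(r"^ACC-\d{4}$")
AMOUNT_RE = re.compile(r"^\d{1,10}\.\d{2}$")


def parse_feed(lines):
    """Validate a batch feed record by record.

    Returns (accepted, rejected): accepted is a list of (account, Decimal)
    tuples, rejected a list of (line_no, raw_line, reason). Bad rows are
    reported, never coerced, so the consumer loads only clean data.
    """
    accepted, rejected = [], []
    for line_no, raw in enumerate(lines, start=1):
        parts = raw.strip().split(",")
        if len(parts) != 2 or not ACCOUNT_RE.match(parts[0]):
            rejected.append((line_no, raw, "malformed record or account id"))
            continue
        if not AMOUNT_RE.match(parts[1]):
            rejected.append((line_no, raw, "amount not a non-negative money value"))
            continue
        accepted.append((parts[0], Decimal(parts[1])))
    return accepted, rejected


if __name__ == "__main__":
    print(validate_file_location("uploads"))
    print(is_valid_location("../../etc"))
    ok, bad = parse_feed(SAMPLE_FEED)
    print(ok)
    for entry in bad:
        print("rejected:", entry)
```

Read from a config file, `validate_file_location` is the same check one would put in front of a user-supplied filename; the point of the thread is that the config file deserves it too, because whoever can edit that file is supplying input to the service.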