[Owasp-codereview] No input paths still not 100% secure?

Mario de Boer njama at owasp.org
Mon Jun 23 09:31:30 EDT 2008


At least, "heIIo world" outputs something. This is interpreted by
something, in this case a human. The fact that I wrote two capital "i"
instead of a lowercase "l" indicates that there might be a security
problem with this program in some applications. You can probably
conjure up more of these.
Moreover, the program uses library calls (or an interpreter), for
example printf. In some hostile environments this may not be secure.
The only secure program is NOP (though this may be disputed by some).
Regards, Mario

On 6/23/08, Nam Nguyen <namn at bluemoon.com.vn> wrote:
> Mark Roxberry, OWASP.ORG wrote:
> > Hello world is probably not my target.
> >
> > For a better example of an apparently input less application, say you have a
> > win32 service for file I/O.
>
> Doesn't "file I/O" spell out in full as "file *Input*/Output"?
>
> I know, I know. I'm being annoying here...
>
> Nam
>
> We may need this to give that service higher
> > privileged authority than direct user access to a file repository as part of
> > a web application.  In this case, I can deny the service access by changing
> > access control to a directory, also by changing the service account to run
> > as another account.  In day to day security configuration settings are
> > usually not considered as input (at least in my experience).  So if you have
> > a configuration setting for a file location in my previous example, and you
> > can change that, there's a vector that is not technically input.
> >
> >
> > -----Original Message-----
> > From: owasp-codereview-bounces at lists.owasp.org
> > [mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Nam Nguyen
> > Sent: Monday, June 23, 2008 6:45 AM
> > To: Eoin
> > Cc: Owasp-codereview at lists.owasp.org
> > Subject: Re: [Owasp-codereview] No input paths still not 100% secure?
> >
> > Eoin wrote:
> >> I suppose all systems have some sort of data?
> >> be it from a user or a B2B system or from a legacy database, or a batch
> > file
> >> feed?
> >
> >> The data has to come from somewhere and such data must be validated and
> > the
> >> transactions relating to the input of such data must be examined.
> >
> > Agreed.
> >
> > However, the statement that we are discussing about assumes that such
> > system does not take in any data at all. In that sense, I could only
> > imagine "hello world". And how could "hello world" not be 100% secure?
> >
> > Maybe I'm missing something here. By "input mechanism", do you only
> > consider inputs entered by a human, not taken from other systems?
> >
> > Cheers
> > Nam
> >
> >
> >
> >> On 23/06/2008, Nam Nguyen <namn at bluemoon.com.vn> wrote:
> >>> Hi
> >>>
> >>> I'm reviewing the newly added chapter Transaction Analysis (or is it
> >>> Transactional Analysis?).
> >>>
> >>> This statement caught my eyes and I kept pondering how it could be
> >>> exemplified.
> >>>
> >>> "Would systems lacking an input mechanism be 100% secure? Probably not."
> >>>
> >>> I mean, "hello world" is not 100% secure?
> >>>
> >>> Could someone share with me an example of such vulnerable system please?
> >>>
> >>> Thanks
> >>> Nam
> >
> > _______________________________________________
> > Owasp-codereview mailing list
> > Owasp-codereview at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-codereview
> _______________________________________________
> Owasp-codereview mailing list
> Owasp-codereview at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-codereview
>


More information about the Owasp-codereview mailing list