[Owasp-codereview] No input paths still not 100% secure?
jeff.williams at owasp.org
Mon Jun 23 11:32:35 EDT 2008
I really think this is a ridiculous hypothetical. Nobody cares about hello
world. And it's such a trivial program that it's unlikely (certainly not
impossible) that there are exploitable vulnerabilities.

In the first place, human generated input is not the only source of attacks.
It's very easy these days to tunnel attacks through other "trusted" systems.
You need to validate anything that isn't guaranteed to be safe. By
"guaranteed" I mean that someone else will compensate you for any loss
related to an attack in the data.

But more importantly, malicious input is not even close to the only way that
an application can be attacked. An attacker could monitor the running
application (in memory or swap) and breach confidentiality. They could
change the underlying platform (keylogging, dll injection, virtualization).
The attacker might bypass authentication or access controls. They might
replay They can deny service by exhausting resources or locking. The
application might not properly handle errors (not input related like out of
memory, file not found, etc.) and it might disclose implementation details
or crash. The application might not log properly. It might have concurrency
problems that intermittently disclose sensitive information. And a million

The idea that input validation is the only security mechanism is absurd.

From: owasp-codereview-bounces at lists.owasp.org
[mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Mario de Boer
Sent: Monday, June 23, 2008 9:32 AM
To: Nam Nguyen
Cc: Owasp-codereview at lists.owasp.org
Subject: Re: [Owasp-codereview] No input paths still not 100% secure?
At least, "heIIo world" outputs something. This is interpreted by
something, in this case a human. The fact that I wrote two capital "i"
instead of a lowercase "l" indicates that there might be a security
problem with this program in some applications. You can probably
conjure up more of these.

Moreover, the program uses library calls (or an interpreter), for
example printf. In some hostile environments this may not be secure.

The only secure program is NOP (though this may be disputed by some).

On 6/23/08, Nam Nguyen <namn at bluemoon.com.vn> wrote:
> Mark Roxberry, OWASP.ORG wrote:
> > Hello world is probably not my target.
> > For a better example of an apparently input less application, say you
> > win32 service for file I/O.
> Doesn't "file I/O" spell out in full as "file *Input*/Output"?
> I know, I know. I'm being annoying here...
> > We may need this to give that service higher
> > privileged authority than direct user access to a file repository as
> > a web application. In this case, I can deny the service access by
> > access control to a directory, also by changing the service account to
> > as another account. In day to day security configuration settings are
> > usually not considered as input (at least in my experience). So if you
> > a configuration setting for a file location in my previous example, and
> > can change that, there's a vector that is not technically input.
> > -----Original Message-----
> > From: owasp-codereview-bounces at lists.owasp.org
> > [mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Nam
> > Sent: Monday, June 23, 2008 6:45 AM
> > To: Eoin
> > Cc: Owasp-codereview at lists.owasp.org
> > Subject: Re: [Owasp-codereview] No input paths still not 100% secure?
> > Eoin wrote:
> >> I suppose all systems have some sort of data?
> >> be it from a user or a B2B system or from a legacy database, or a batch
> >> file feed?
> >> The data has to come from somewhere and such data must be validated and
> >> the transactions relating to the input of such data must be examined.
> > Agreed.
> > However, the statement that we are discussing assumes that such
> > system does not take in any data at all. In that sense, I could only
> > imagine "hello world". And how could "hello world" not be 100% secure?
> > Maybe I'm missing something here. By "input mechanism", do you only
> > consider inputs entered by a human, not taken from other systems?
> > Cheers
> > Nam
> >> On 23/06/2008, Nam Nguyen <namn at bluemoon.com.vn> wrote:
> >>> Hi
> >>> I'm reviewing the newly added chapter Transaction Analysis (or is it
> >>> Transactional Analysis?).
> >>> This statement caught my eye and I kept pondering how it could be
> >>> exemplified.
> >>> "Would systems lacking an input mechanism be 100% secure? Probably
> >>> I mean, "hello world" is not 100% secure?
> >>> Could someone share with me an example of such vulnerable system
> >>> Thanks
> >>> Nam
> > _______________________________________________
> > Owasp-codereview mailing list
> > Owasp-codereview at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-codereview