[OWASP_PHPSEC] [Off topic] Recent loopholes discovered in facebook.

rahul chaudhary rahul300chaudhary400 at gmail.com
Tue Sep 10 16:18:07 UTC 2013


Exactly Abbas, good and informative points. The Ajax information was new to
me. I didn't know using Ajax techniques affects performance.

As for validation, I am backing Abbas's comment that everything should be
validated in server and I think that is a requirement as many browsers and
add-ons automatically disable JS for all applications except a few. So,
with JS disabled, it's only the server that stands in between.


On Tue, Sep 10, 2013 at 9:15 AM, Abbas Naderi <abiusx at owasp.org> wrote:

> Hi Shivam,
> First of all, such attacks are found regularly on facebook and all other
> major websites. I worked in a team that reported these attacks weekly.
>
> Second, performance is not an issue for a system with security in mind. For
> a corp like facebook (or any other), performance is just increasing the
> size of their cloud infra, and it's easily affordable. Security is the loss
> of all their reputation and data, it is not affordable.
>
> Third, as for validation, if you google it my answer is there in
> StackOverflow, but the right approach is, javascript validation is only for
> the sake of user ease. Anything you validate in JS, you can tell your user
> about it without having them wait for a request/response. Everything *should
> be* validated at server side, and you can move those validations to
> client-side as well.
>
> Now some lazy ugly frameworks (such as .NET) merge them by ajax callbacks
> to the server. That really hurts the performance of both the server and the
> application. There are frameworks that automatically convert server-side
> validations to javascript ones, but they can't do anything about logical
> checks (e.g. if a username is available or taken).
>
> Thanks
> -Abbas
>
> On Sep 9, 2013, at 10:58 PM, Shivam Dixit <shivamd001 at gmail.com> wrote:
>
> Hello folks,
>
> You all must be aware of the recent loopholes discovered in facebook. In
> case you are not, there were two major issues that were put forward. First,
> anyone can post on any other person's wall (even if you are not friends with
> that person) and second, you can delete *any photo* (even zuckerberg's)!!
>
> After going through the description video of both the attacks I figured
> out that exploits were possible just because the content received at server
> end was not validated. They were relying on "hidden" input fields and query
> strings. Attacks were performed just by manipulating these fields.
>
> I read somewhere that server load should be minimized by validating user's
> input at *client side*. But in an application like facebook, a user makes
> *hundreds* of requests to the server, so is it necessary to *validate all those
> requests*? For example, I am using JS Regular expressions to check if
> user's input is of required format or not but before inserting it in
> database do I need to re-validate it server side because attacker might
> trick JS? Will it not affect performance of application as both client
> side and server side validation will take place?
>
> My question is, what is the correct/standard method for validation?
> Client side or server side or both?
>
> --
> *Cheers,*
> *Shivam*
>  _______________________________________________
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>


-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
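The thread's conclusion (one validation rule shared by client and server, with the server as the authority, and authorization decided from server-side state rather than "hidden" form fields or query strings) is illustrated below in an added example that is not code from any of the posters or from the OWASP PHP project. It is written in JavaScript so that the client-side rule and the server-side handler can appear in one language; every name in it (validateUsername, handleDeletePhoto, handleWallPost, PHOTOS, FRIENDS) is hypothetical, and the photo and friendship data are constructed stand-ins for a database.

```javascript
// Added example, not from the mailing-list thread. All names are hypothetical.

// One validation rule, defined once. In the browser it gives instant feedback;
// on the server it is the authoritative check (the client copy may be disabled
// or bypassed, so the server never relies on it having run).
const USERNAME_RE = /^[a-z0-9_]{3,20}$/;

function validateUsername(value) {
  if (typeof value !== 'string') {
    return { ok: false, error: 'username must be a string' };
  }
  if (!USERNAME_RE.test(value)) {
    return { ok: false, error: 'username must be 3-20 chars of a-z, 0-9, _' };
  }
  return { ok: true, value };
}

// Constructed sample data standing in for the database.
const PHOTOS = new Map([
  [101, { ownerId: 1, title: 'beach' }],
  [202, { ownerId: 2, title: 'office' }],
]);
const FRIENDS = new Map([
  [1, new Set([2])],
  [2, new Set([1])],
  [3, new Set()],
]);

// Server-side delete handler. Any "owner_id" hidden field the client sends is
// ignored: the acting user comes from the server-side session and the owner
// comes from the stored photo record, so tampering with the form changes nothing.
function handleDeletePhoto(session, body, photos = PHOTOS) {
  const photoId = Number.parseInt(body.photo_id, 10);
  if (!Number.isInteger(photoId)) {
    return { status: 400, error: 'invalid photo_id' };
  }
  const photo = photos.get(photoId);
  if (!photo) {
    return { status: 404, error: 'no such photo' };
  }
  if (photo.ownerId !== session.userId) {
    return { status: 403, error: 'not the owner' };
  }
  photos.delete(photoId);
  return { status: 200 };
}

// Server-side wall-post handler. Format checks (message length) could be
// mirrored in client JS for convenience; the friendship check is a logical
// check that only the server can perform, as Abbas notes.
function handleWallPost(session, body, friends = FRIENDS) {
  const targetId = Number.parseInt(body.target_user_id, 10);
  if (!Number.isInteger(targetId)) {
    return { status: 400, error: 'invalid target_user_id' };
  }
  const message = typeof body.message === 'string' ? body.message.trim() : '';
  if (message.length === 0 || message.length > 500) {
    return { status: 400, error: 'message must be 1-500 chars' };
  }
  const targetFriends = friends.get(targetId) || new Set();
  const allowed = targetId === session.userId || targetFriends.has(session.userId);
  if (!allowed) {
    return { status: 403, error: 'not friends with target user' };
  }
  return { status: 200, post: { authorId: session.userId, targetId, message } };
}
```

The deciding inputs in both handlers are the session and the stored records; the request body only names which object the user wants to act on, and a forged `owner_id` or `target_user_id` cannot widen what the session is allowed to do.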