[OWASP_PHPSEC] [Off topic] Recent loopholes discovered in facebook.

Shivam Dixit shivamd001 at gmail.com
Tue Sep 10 16:39:01 UTC 2013


Thank you all for your valuable suggestions!! Now I clearly understand
that everything must be validated at the server end also! But I still wonder,
in huge applications like Facebook, if every request we make is validated,
how *enormous* their data centers and servers must be!


On Tue, Sep 10, 2013 at 9:48 PM, rahul chaudhary <
rahul300chaudhary400 at gmail.com> wrote:

> Exactly Abbas, good and informative points. The Ajax information was new
> to me. I didn't know using Ajax techniques affects performance.
>
> As for validation, I am backing Abbas's comment that everything should be
> validated on the server, and I think that is a requirement as many browsers and
> add-ons automatically disable JS for all applications except a few. So,
> with JS disabled, it's only the server that stands in between.
>
>
> On Tue, Sep 10, 2013 at 9:15 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>
>> Hi Shivam,
>> First of all, such attacks are found regularly on facebook and all other
>> major websites. I worked in a team that reported these attacks weekly.
>>
>> Second, performance is not an issue for a system with security in mind. For
>> a corp like Facebook (or any other), performance is just increasing the
>> size of their cloud infra, and it's easily affordable. Security is the loss
>> of all their reputation and data; it is not affordable.
>>
>> Third, as for validation, if you Google it my answer is there on
>> StackOverflow, but the right approach is: JavaScript validation is only for
>> the sake of user ease. Anything you validate in JS, you can tell your user
>> about it without having them wait for a request/response. Everything *should
>> be* validated at server side, and you can move those validations to
>> client-side as well.
>>
>> Now some lazy, ugly frameworks (such as .NET) merge them by Ajax callbacks
>> to the server. That really hurts the performance of both the server and the
>> application. There are frameworks that automatically convert server-side
>> validations to JavaScript ones, but they can't do anything about logical
>> checks (e.g. if a username is available or taken).
>>
>> Thanks
>> -Abbas
>>
>> On Sep 9, 2013, at 10:58 PM, Shivam Dixit <shivamd001 at gmail.com> wrote:
>>
>> Hello folks,
>>
>> You all must be aware of the recent loopholes discovered in Facebook. In
>> case you are not, there were two major issues that were put forward. First,
>> anyone can post on any other person's wall (even if you are not friends with
>> that person), and second, you can delete *any photo* (even Zuckerberg's)!!
>>
>> After going through the description video of both the attacks, I figured
>> out that the exploits were possible just because the content received at the
>> server end was not validated. They were relying on "hidden" input fields and
>> query strings. The attacks were performed just by manipulating these fields.
>>
>> I read somewhere that server load should be minimized by validating the user's
>> input at the *client side*. But in an application like Facebook, a user makes
>> *hundreds* of requests to the server, so is it necessary to *validate all
>> those requests*? For example, I am using JS regular expressions to check
>> whether the user's input is of the required format or not, but before inserting
>> it in the database do I need to re-validate it server-side because an attacker
>> might trick the JS? Will it not affect the performance of the application, as
>> both client-side and server-side validation will take place?
>>
>> My question is, what is the correct/standard method for validation ?
>> Client side or server side or both ?
>>
>> --
>> *Cheers,*
>> *Shivam*
>>  _______________________________________________
>> OWASP_PHP_Security_Project mailing list
>> OWASP_PHP_Security_Project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>
>>
>>
>>
>>
>
>
> --
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
>



-- 
*Cheers,*
*Shivam*
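The two Facebook issues described in this thread (posting on a stranger's wall, deleting someone else's photo) both come down to the server trusting a client-supplied identifier. Below is an added PHP example, written for this page and not code from any of the list members or from Facebook, showing what "validate everything server-side" looks like for those two requests: identity is taken from the session, the format check the client JS already did is simply repeated, and the ownership/friendship check (the "logical check" Abbas mentions) is done against server-side data. The function names, field names and the FRIENDS/PHOTOS tables are assumptions invented for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread. All names and data here are
// constructed for illustration.

// Constructed sample data: user id => friend ids, and photo id => owner id.
const FRIENDS = [1 => [2], 2 => [1], 3 => []];
const PHOTOS  = [10 => ['owner_id' => 1], 11 => ['owner_id' => 3]];

function is_friend(int $a, int $b): bool
{
    return in_array($b, FRIENDS[$a] ?? [], true);
}

// Validate an id field strictly: only a positive integer is accepted.
function read_id(array $request, string $field): ?int
{
    $id = filter_var($request[$field] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * "Post on wall" handler.
 * $request is the raw, untrusted form data; $session is server-side state
 * set at login. A hidden 'author_id' field in $request is deliberately ignored.
 */
function validate_wall_post(array $request, array $session): array
{
    if (!isset($session['user_id'])) {
        return ['ok' => false, 'error' => 'not logged in'];
    }
    $author = (int) $session['user_id'];

    $target = read_id($request, 'target_id');
    if ($target === null) {
        return ['ok' => false, 'error' => 'invalid target_id'];
    }

    // Same format rule the client-side regex enforced, re-applied here.
    // strlen is a byte cap, which is fine for an upper bound.
    $message = $request['message'] ?? '';
    if (!is_string($message) || $message === '' || strlen($message) > 500
        || !preg_match('/\A[\p{L}\p{N}\p{P}\p{Zs}\n]+\z/u', $message)) {
        return ['ok' => false, 'error' => 'invalid message'];
    }

    // The logical check no client-side validator can enforce.
    if ($target !== $author && !is_friend($author, $target)) {
        return ['ok' => false, 'error' => 'not allowed to post on this wall'];
    }

    return ['ok' => true,
            'post' => ['author_id' => $author, 'target_id' => $target,
                       'message' => $message]];
}

/**
 * "Delete photo" handler. Ownership is looked up server-side from the photo
 * id; any 'owner_id' the client sends is ignored.
 */
function authorize_photo_delete(array $request, array $session): array
{
    if (!isset($session['user_id'])) {
        return ['ok' => false, 'error' => 'not logged in'];
    }
    $photoId = read_id($request, 'photo_id');
    if ($photoId === null || !isset(PHOTOS[$photoId])) {
        return ['ok' => false, 'error' => 'unknown photo'];
    }
    if (PHOTOS[$photoId]['owner_id'] !== (int) $session['user_id']) {
        return ['ok' => false, 'error' => 'not the owner'];
    }
    return ['ok' => true, 'photo_id' => $photoId];
}

if (PHP_SAPI === 'cli') {
    // User 3 is logged in and has no friends.
    $session = ['user_id' => 3];

    // Forged hidden field: claims to be user 1, targets user 2's wall.
    print_r(validate_wall_post(
        ['author_id' => '1', 'target_id' => '2', 'message' => 'hello'], $session));

    // Legitimate post on the user's own wall.
    print_r(validate_wall_post(
        ['target_id' => '3', 'message' => 'hello'], $session));

    // Forged owner_id on a delete request for someone else's photo.
    print_r(authorize_photo_delete(['photo_id' => '10', 'owner_id' => '1'], $session));

    // Deleting the user's own photo.
    print_r(authorize_photo_delete(['photo_id' => '11'], $session));
}
```

Run it with `php` from the command line to see the four outcomes. The point is that the JS regex on the form is still worth having for the user's sake, but the server repeats the cheap format check anyway and is the only place where the ownership and friendship checks can live, since those depend on data the client never has authority over.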

