[OWASP_PHPSEC] [Off topic] Recent loopholes discovered in facebook.

Abbas Naderi abiusx at owasp.org
Tue Sep 10 18:06:41 UTC 2013


Not that enormous. They are distributed.
-A
______________________________________________________________
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On Sep 10, 2013, at 12:39 PM, Shivam Dixit <shivamd001 at gmail.com> wrote:

> Thank you all for your valuable suggestions !! Now I clearly understand that everything must be validated at server end also! But I still wonder in huge applications like facebook, if every request we make is validated then how enormous their data centers and servers are! 
> 
> 
> On Tue, Sep 10, 2013 at 9:48 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
> Exactly Abbas, good and informative points. The Ajax information was new to me. I didn't know using Ajax techniques affects performance.
> 
> As for validation, I am backing Abbas's comment that everything should be validated on the server, and I think that is a requirement as many browsers and add-ons automatically disable JS for all applications except a few. So, with JS disabled, it's only the server that stands in between.
> 
> 
> On Tue, Sep 10, 2013 at 9:15 AM, Abbas Naderi <abiusx at owasp.org> wrote:
> Hi Shivam,
> First of all, such attacks are found regularly on facebook and all other major websites. I worked in a team that reported these attacks weekly.
> 
> Second, performance is not an issue for systems with security in mind. For a corp like facebook (or any other), performance is just increasing the size of their cloud infra, and it's easily affordable. Security is the loss of all their reputation and data; it is not affordable.
> 
> Third, as for validation, if you google it my answer is there on StackOverflow, but the right approach is: javascript validation is only for the sake of user ease. Anything you validate in JS, you can tell your user about without having them wait for a request/response. Everything should be validated on the server side, and you can move those validations to the client side as well.
> 
> Now some lazy ugly frameworks (such as .NET) merge them by ajax callbacks to the server. That really hurts the performance of both the server and the application. There are frameworks that automatically convert server-side validations to javascript ones, but they can't do anything about logical checks (e.g. if a username is available or taken).
> 
> Thanks
> -Abbas
> 
> On Sep 9, 2013, at 10:58 PM, Shivam Dixit <shivamd001 at gmail.com> wrote:
> 
>> Hello folks,
>> 
>> You all must be aware of the recent loopholes discovered in facebook. In case you are not, there were two major issues that were put forward. First, anyone can post on any other person's wall (even if you are not friends with that person) and second, you can delete any photo (even zuckerberg's) !!
>> 
>> After going through the description video of both the attacks I figured out that the exploits were possible just because the content received at the server end was not validated. They were relying on "hidden" input fields and query strings. Attacks were performed just by manipulating these fields.
>> 
>> I read somewhere that server load should be minimized by validating the user's input at the client side. But in an application like facebook, a user makes hundreds of requests to the server, so is it necessary to validate all those requests? For example, I am using JS regular expressions to check if the user's input is of the required format or not, but before inserting it in the database do I need to re-validate it server side because an attacker might trick JS? Will it not affect the performance of the application as both client-side and server-side validation will take place?
>> 
>> My question is, what is the correct/standard method for validation ? Client side or server side or both ?
>> 
>> -- 
>> Cheers,
>> Shivam
>> _______________________________________________
>> OWASP_PHP_Security_Project mailing list
>> OWASP_PHP_Security_Project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
> 
> 
> 
> 
> 
> 
> -- 
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
> 
> 
> 
> -- 
> Cheers,
> Shivam
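
As an added example (not code from this thread or from the OWASP PHP Security Project), here is the hidden-field pattern Shivam describes next to a handler that re-validates the input and authorizes the action on the server, where the identity comes from the session rather than from the request. The photo store, user names and function names are constructed for illustration.

```php
<?php
// Constructed in-memory photo store standing in for a database.
$photos = [
    101 => ['owner' => 'alice', 'file' => 'beach.jpg'],
    102 => ['owner' => 'bob',   'file' => 'dog.jpg'],
];

// VULNERABLE: trusts the hidden <input name="owner"> sent by the client.
// Any user can edit that field, so any user can delete any photo.
function deletePhotoVulnerable(array &$photos, array $post): string
{
    $id = $post['photo_id'] ?? '';
    if (!isset($photos[$id]) || $photos[$id]['owner'] !== ($post['owner'] ?? '')) {
        return 'denied';
    }
    unset($photos[$id]);
    return 'deleted';
}

// HARDENED: identity comes from the server-side session, never from the
// request body, and the id is re-validated even if JS already checked it.
function deletePhotoHardened(array &$photos, array $session, array $post): string
{
    if (!isset($session['user'])) {
        return 'denied';                       // not authenticated
    }
    $id = filter_var($post['photo_id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false || !isset($photos[$id])) {
        return 'denied';                       // malformed or unknown id
    }
    if ($photos[$id]['owner'] !== $session['user']) {
        return 'denied';                       // authorization: owner only
    }
    unset($photos[$id]);
    return 'deleted';
}

// Mallory is logged in as herself but forges the hidden owner field
// to target Bob's photo (constructed request).
$session = ['user' => 'mallory'];
$forged  = ['photo_id' => '102', 'owner' => 'bob'];

$copy = $photos;
echo 'vulnerable handler: ' . deletePhotoVulnerable($copy, $forged) . PHP_EOL;
$copy = $photos;
echo 'hardened handler:   ' . deletePhotoHardened($copy, $session, $forged) . PHP_EOL;
```

The vulnerable handler accepts the forged request because the ownership check compares the photo's owner against a value the attacker chose; the hardened one refuses it because the comparison uses the session identity.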
