23 October 2009

Poisoning

Posts relating to the category tag "poisoning" are listed below.

23 October 2009

Clocks go back this weekend

This weekend the clocks change as we revert from British Summer Time (BST) to Greenwich Mean Time (GMT) at 02:00 BST on Sunday 25 October 2009 and the clocks go back, giving an extra hour.

What does this mean for web site security? Does running 01:00 to 02:00 twice matter? Well some brave web application owners will be disabling their systems like this online bank:

Partial screen capture of a web page notification message saying 'Important information regarding Internet Banking - Please note that the Internet Banking service will be temporarily unavailable due to essential maintenance from 12am until 3am on Sunday 25th October 2009. We apologise for any inconvenience this may cause.'

And, I don't think it's just being done as a finale to the current Energy Saving Week. Most people, quite rightly, won't be taking this rather severe step. Another millennium bug anyone? The date/time should be considered rather like other untrusted user input. Most problems will probably fall into the "business logic" category such as:

  • Failure of time-based logic where dates are being compared.
  • Assumptions of uniqueness in time-stamped output (e.g. by a single-threaded process).
  • Running tasks again leading to possible:
    • loss of data due to overwriting
    • duplication of exports or emails
    • creation of inaccuracies in management information.
  • Chronological ordering anomalies leading to other faults.

It's not just banks and other financial organisations that may have difficulties.

Partial screen capture of a web page notification message saying 'Whats New ... Website Downtine - The website will be unavailable on Sunday 25 October 2009 and for a short period of time on the evenings of Friday 6 November 2009 and Sunday 8 November 2009 for essential maintenance. Please accept our apologies for any inconvenience.'

The time change may expose some other vulnerabilities that only exist at changeover time and/or during the next overlap hour.

  • Circumvention of brute force attacks on user authentication mechanisms.
  • Increased risk due to extension of a session's validity where local time is recorded.
  • Failure in data validation routines for time-related comparisons.
  • Incubated vulnerabilities where a time-related aspect causes the attack to be possible.
  • Denial of service due to extension of account lock-out.
  • Using time as a loop counter.
  • Additional errors caused by any of the above leading to information leakage.

Recording the offset of local time to GMT/UTC and synchronisation should certainly be done, but may not resolve the time overlap issues. The effects on long-running "saga" requests might be especially difficult to determine. Time dependencies need to be specified and considered through the development lifecycle. Perhaps the bank is right after all?

Partial screen capture of a web page notification message saying 'Alcohol & Tobacco Warehousing Declarations (ATWD) ... Saturday 24 October 23:30 – Sunday 25 October 03:30 ... Due to essential maintenance customers will experience a delay in receiving their online acknowledgement to submissions made using our HMRC and commercial software between 23:30 on Saturday 24 October and 03:30 on Sunday 25 October. Your acknowledgement will be sent once the service is restored. Please do not attempt to resubmit your submission. We apologise for any inconvenience this may cause. '

Posted on: 23 October 2009 at 08:41 hrs

Comments Comments (0) | Permalink | Send Send

28 April 2009

Data Quality

Data quality is often neglected. Do you know what data you have, where it came from, what constraints there are on its use and where it all is? But what about its quality?

Last week, Philip Virgo discussed data quality in When IT Meets Politics. He referred to the Audit Commission report on Figures You Can Trust (Briefing on Data Quality in the NHS). Data quality is an ongoing issue and the report summary states:

Quality cannot be effective as the organising principle of the NHS without good data to underpin it.

Interestingly the Audit Commission found the error rate in a key data set for NHS activity varied from 0.3 per cent to 52 per cent.

Philip Virgo discusses the importance of data quality and what information governance is:

Security and protection are not objectives. They are core parts of the quality control process, alongside checking for accuracy.

Do you know how accurate your own data are?

Posted on: 28 April 2009 at 08:35 hrs

Comments Comments (0) | Permalink | Send Send

21 November 2008

Free Text Form Field Data Validation

Input data validation is a fundamental practice that web applications need to get right to protect users, their data, your data and your web site. But free text entry fields in web forms can be problematic - we all make mistakes, misread the instructions, type in the wrong fields, avoid filling in the mandatory items and so on. But how should the web application respond to these?

Users can submit data to web applications in many ways - file uploads, page requests, URL parameters, form parameters, file uploads, request headers, cookies and so on, but it is in conventional forms where we need to be somewhat lenient in how we respond to data validation issues.

Form data must be checked for integrity, business rules and validity of the following:

  • Required (whether the field must be submitted, not null)
  • Type (e.g. positive integer, text string, date, true/false boolean)
  • Length/Range (e.g. numerical limits, number of decimal places, length of text, applicability of a date)
  • Format (e.g. DD/MMM/YYYY for a date, international format for telephone numbers, allowed/disallowed characters)
  • Character encoding/character set.

HTML forms allow radio buttons, checkboxes and drop down lists where the value(s) meant to be submitted are predetermined. In these cases it is reasonable that some of these failures are likely to be caused by malicious users tampering with values, or some fault in the application itself.

But what about text fields where users can enter any value in free format? I mentioned in Separate the Text from the Code a posting elsewhere about the display of form entry error messages. At what point to you reject the user input completely as malicious?

You may have mechanisms looking for dangerous input such as custom application code, an application filter module, security settings in your web server software or a web application firewall. If a user accidentally or without malice types text that could be construed as malicious because it matches a signature for something like cross site scripting or SQL injection, when they submit the form they could be presented with something much less friendly. This could occur if the control points are set to intervene rather than simply monitor, and so the 'friendly' message will never appear and they will see something else, like these three examples:

Partial screen capture of page showing message 'Error: Invalid Request' when some potentially malicious input was submitted in a form field. Partial screen capture of page showing message 'Forbidden - You do not have permission to access this document' when some potentially malicious input was submitted in a form field. Partial screen capture of page showing message 'Request validation error' when some potentially malicious input was submitted in a form field - the page also includes details of the script path, ASP.NET version, a full stack trace and information for the developers on how to suppress the message.

So be wary about validation and active blocking. In some cases, user data should be accepted and then sanitised before explaining the problem and possibly re-displaying their data appropriately encoded. The problem might be as simple as putting an item of text in a date field, or using an "incorrect" date format. If the filtering mechanisms are too strict, the usability of the application will be much degraded.

For each item of user input, try to identify:

  1. What is allowed to be received by the web application for each field
  2. Exact validation rules before the application can use, store or transmit the data value
  3. Which control points will be checking and enforcing these
  4. The sensitivity of the values
  5. How the data will be used subsequently
  6. How the data values should be encoded when output.

In some cases nos. 1 and 2 will be the same, but more often they will be different. Build these into your application test cases.

After all, some people live near "Alert Street" and "Script Drive":

Partial screen capture of M&S store finder search results page showing two stores for a search term including script tags - one on Alert Street and one on Script Drive.

For more information on integrity checks, validation and business rules, see data validation from OWASP's Development Guide. I'll discuss client-side validation, whitelisting and blacklisting in future posts.

Posted on: 21 November 2008 at 12:55 hrs

Comments Comments (0) | Permalink | Send Send

Poisoning : Web Security, Usability and Design
http://www.clerkendweller.com/poisoning
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/poisoning
Requested by 38.107.191.117 on Thursday, 11 March 2010 at 14:35 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2010 clerkendweller.com