- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
But if I don't tell him that that's the problem, maybe he'll think I have his IP black listed and try he same request from a different IP. Maybe he'll think we caught him because he sent requests too fast, and he'll try to space out his hack attempts. Maybe he'll think he has the table or database name wrong, etc etc. Sure, he might guess right away that the problem is that we're catching SQL injection. But he might not. Why help him out?
Admin
No reason for it to be even that hard. Jus include some standard security questions. I'll bet lots of people give the same answer every time when asked "In what city were you born?" or "What was the name of your first pet?" Collect those answers, then go to some random sites, try the same user id, tell them you forgot your password, and there's a fair chance they'll ask you one of these security questions that you now know the answer to.
Admin
In America? She can sue you. At the very least, she can complain to the boss and you lose your job. Or she can post pictures on the web and make your boss nervous and you lose your job.
Sure. In my humble opinion, there's a big difference between, "I am offended because he screamed obscenities in my face", or "I am offended because he deliberately insulted me", and "I am offended because he expressed a political or social opinion that I disagree with." Especially when the latter is followed by demands that people who express such opinions be censored.
Admin
The theory is that if your computer is in some place where it might be accessible by other people, like your office or a library, that if you forget to log out when you walk away, they minimize the window of opportunity for a stranger to walk up and access your information, bank account, whatever.
Admin
I think you're confused about the difference between levels and domains of errors.
HTTP status codes are for errors in communications and security. There are codes for things like "header too long" and "timeout expired". These codes are not appropriate for application errors. There are no codes for "the product you are ordering has been discontinued" or "vorpal swords are ineffective against monsters with a magic level greater than 9".
Suppose you sent a letter to a company using snail mail. The postal service might return the letter with a postal-service stamp on it for problems like "invalid zip code" or "moved -- no forwarding address on file". But you wouldn't expect the post office to have a stamp for problems like "we're sorry, you're warranty has expired" or "we have already filled the position you are applying for". You'd expect the company to send you a reply that describes the problem, but that's not in the same category as the sort of problems that the postal service deals with. We're at a different level, like data vs metadata.
Admin
Admin
Uhhh.......no.
Put it in terms of speaking a language. If I told you to go jump off a bridge, it's valid English. The HTTP codes are meant to handle things like invalid English spelling/grammar, so they do not apply here. Even though you (analogous to the server) object to the content of the message, it's still valid.
Admin
[quote user="chubertdev"]Uhhh.......no.[quote]
No? Cite me something from RFC 2616 that supports your view and contradicts mine.
If you told me to go jump off a bridge, it is certainly possible but not very logical for me to respond "OK, I accept your request for me to jump off a bridge" and then not do it. It is far more logical for me to say "no, I do not accept your request for me to jump off a bridge." In your analogy, the "server" is not merely the portion of the brain dedicated to parsing speech; it also includes whatever area(s) responsible for delivering to you my response. In between my hearing and understanding what you've said and my giving you an answer, there's a decision made about whether to accept or reject your request, and that decision is wholly (not partially) relevant to whatever response I give you. One more quote from 2616: "The Status-Code element is a 3-digit integer result code of the attempt to understand and satisfy the request." Emphasis mine. Note that "understanding" a request is specifically not sufficient on its own.
An HTTP status code should be consistent with the disposition of the request. I'm not sure why that's in the least controversial. I guess it's just easier to let 200 go through no matter what, since it's generally the default and there's hardly ever a negative consequence for doing so. But don't confuse your laziness with correctness.
Admin
Bastardizing standards is most certainly NOT the proper way to do security. Code 404 has a very precisely defined meaning which this case does not meet. It's NOT the same thing as not specifying which credential was wrong.
Admin
400 is imo not correct, since the definition of it is very specific towards not being able to understand the request. The server/application understood it, but it just wasn't good enough. 403 is more along the lines of "you as a person are not allowed to do this" rather than "your input is incorrect" 404 feels really weird for me in this context. The request-uri (I don't consider the post-body to be part of the request-uri) was perfectly understood and the resource was available. The other 4xx's are very HTTP-specific and/or are not appropriate either.
I agree that none of the 5xx's are valid, this code is clearly expecting these kinds of inputs. It just refuses to fully process the data. If there was no SQL-injection prevention and some input would cause a SQL-statement to fail, than you could throw a 500.
If you define a CMS edit form more like something like this: "please validate this content and if you agree that it fits, update/insert the specified record" than a 200 is perfectly valid. The request is received, its processed and turns out to be something that needs a bit more work before it can actually be stored... And a 200 is a valid choice for a response code.
Since these kinds of web forms are generally only used by actual people, the specific response code is not very interesting anyway. If you're designing for applications, the correctness of each part of a request is much more important.
Unfortunately, there is no response code specification for a "The request was perfect HTTP and pointed to a resource that was able to process it, but we just don't want to do that for a very domain specific reason.". In RFC 4819 you have the 422 which is actually the most correct, so if you assume that thats not just for WebDAV you should respond with a 422 :)
Admin
...or connect both of them together >:)
Admin
The problem isn't security by obscurity here; the problem is abuse of HTTP status codes. What's the point in even having them if nobody actually uses them for their intended purpose?
Admin
So your view is that the government needs to be intentionally inefficient? You must own shares of some government contractors....
Admin
It could be argued that the request was received, understood, and processed; and the result of that processing was to not do anything. I mean, the code worked as expected, right? If you click the 'cancel' button on a form, shouldn't that return 200? Just because the server doesn't change anything doesn't necessarily mean the request wasn't accepted.
I mean, it's kind of a stupid argument, but it's got some validity....
Admin
I don't agree that 400 is "too specific." If a user agent does not understand some other 4xx code it is required to interpret it the same as 400. By definition, then, 400 must be the least specific code that indicates a problem (of some kind) with the request.
I don't understand how you can not consider the POST body part of the request-URI. It's right there in 2616. It's black and white in section 9.5, read it yourself.
I don't agree that the submission of content to a "CMS edit form" is supposed to be provisional in any way. If you thought there was a problem with the content, then presumably you wouldn't submit it! What you're talking about here sounds more like 202 Accepted, where the server says, "I've accepted your input but I'm not sure yet if it's OK, you should check back again later." Note, too, that the discussion of 202 (section 10.2.3) talks about e.g. batch jobs that will occur later, strongly implying once again that the status of an HTTP response is intimately connected to the result of whatever action the server was asked to perform. In this case, the server doesn't know the result yet, and responds with 202 to indicate that fact--NOT 200! That also implies that if the server knows that a request is not acceptable or satisfiable, then there is no justification for returning 200.
I agree that the status code is of minimal importance for an interactive session, and that's why you can get away with sending 200 all day long and nobody cares. But the "who cares, doesn't matter" argument isn't terribly convincing to me.
Remember that a "resource" (again, as defined by 2616) includes all the information in the query string or POST body! So there are, in fact, a plethora of response codes that deal with these situations. It just requires acknowledging the difference between what you think constitutes a resource and what 2616 says constitutes a resource.
Admin
It's a stupid argument since he's obviously just trolling.
Admin
I worked on a site where hacking attempts would return a 503 so that the hackers would think they brought your site down. And it would return THEM a 503 for a timeout period, so it looked like an easy target. The idea was that they would think they succeeded and move on while everyone else was using the site just fine.
And according to the logs, it actually looked to be surprisingly effective.
Admin
Am I the only one with magical things happenning after clicking the word 'protection' in the article (the one right before the code)?
Admin
Well, the real WTF is not the error, its that the "injection protection" would not prevent all injections.
For example there is a way to inject into login forms that for many databases would get you logged in to the first account in the database.
Usually that is one with some administrative permissions ;)
And it does not match any of those examples.
I will not repeat the example here since there are to many still vulnerable pages out there :(
Admin
TRWTF is urldecoding before checking for SQL injections... FAIL!
Admin
When I read that (and I'm not a native English speaker, so that may not help), I interpret that like send a 400 in a case like this: "GETT /somepage HTTP1.1"
I.e. syntax errors in the HTTP-request, not in aspects that are valid HTTP but just not valid for the application itself.
Apart from that, I don't see any indication that 400 is the most basic 4xx and should therefore be a last resort code of sorts. But there is an indication that any 4xx should be treated as a error with the request as supplied by the client (whereas 5xx is a error outside the scope of the client).
That's not how I read it...This is in 9.5, http://tools.ietf.org/html/rfc2616#section-9.5
The bold is mine, which clearly suggests there is a Request-URI and whatever is in the POST-body will be the contents of a new entity not yet in the system. In practice I doubt many will take the trouble to differentiate between POST for new entities and PUT for changes or that a POSTed entity will be a direct subordinate of the request uri... But still, I don't see anything in that section 9.5 that suggests the body of the POST (or PUT) is part of the Request-URI.As I understand it - and just now again read it - (see section 3.2 and 5.1.2) the URI is basically the thing you see in your browser's uri bar.
The body of POST and PUT are about the contents of the entity represented by the URI (or created newly as part of the response).
That probably really depends on the form and workflow surrounding that form. I'm fairly certain that users will "abuse" the server side validation of forms in various scenario's to see if the server "will finally accept" the new version of the contents ;) Whether that should result in a 2xx or a 4xx is of course the whole debate here... But I have yet to find a suitable response code (apart from the 422 in WebDAV). 202 suggests the response will be act upon some time in the future. It does not imply the user should issue a new request for that to happen. Well, I just reread it. See section's 3.2 and 5.1.2 for yourself and re-read 9.5 while your at it. The query string is part of the Request-URI, as is the hostname, the schema, the port number and the path (and I probably forgot a few)... But the request's body is by defintion not part of the Request-URI. The body indicates what should be done with or by the requested entity.And if you really want to read more about URI's, als read http://tools.ietf.org/html/rfc3986
Admin
A 404 is a great way to get the automated attack scripts to go away. If for some bizarre reason there was a code "503 SQL injection detected" it would be stupid to use it.
The only WTF here is their SQL Injection detection. The usual prepared statements type methods would be best but to detect and then 404 an attack as well as to later harden the actual SQL query would be great security.
They just need to make sure they are detecting an attack not a valid query.
So I would say their attack detection needs some fixing.
Admin
"If you detect a condition that you think means that someone is trying to hack your site, you block the request and give them the minimum amount of information as to how you knew they were hacking." ... which is great so long as you don't care that you're causing real users to rip their hair out. I think we should start with compilers; if it thinks that the programmer is trying to put a back door in (by whatever heuristics), they should silently reject the program without error message.
"If you catch a thief trying to break into your warehouse" the way that computer programs do, you'd quickly get fired after you sent your CEO to the police station in handcuffs. The first thing you do is make sure the person is a thief and not someone who was supposed to be there and just didn't give the right security handshake.
Admin
It is my understanding that HTTP error codes should indicate errors on HTTP level, that means that a web server should return 4xx responses when it can't understand the request at all (400 Bad Request: The request cannot be fulfilled due to bad syntax.).
In this case, the error is in the application layer, so ordinary 200 OK response (there was no error in the HTTP processing) is in order with a friendly error message telling the user that the SQL injection protection is pretty stupidly implemented.
Admin
Ha,
Have you heard the SecondLove story?
SecondLove is a Dutch dating site for people who want to cheat on their partner
The website also responded to a wrong password with the text "Wrong password".
So entering an email address was enough for somebody to know their partner was a member of the site.
Admin
Something can't be wrong and justified at the same time. Secondly, it's an idiotic question. "What unforeseen problems do you foresee?" It's unanswerable.
Admin
Worrying that the front end was sending SQL at all! (Or strings that will end up in SQL). We have at least parameterised queries, if not proper business logic and domain mapping nowadays.
And security by blocking known bad is not as reliable as security by enforcing known good. You may find there's some unknown bad you'd not thought about.
Admin
This does not exist so far, but there is one that comes close and it was already suggested by some other commentors: 418.
Admin
I'd suggest to use 6xx for failures due to programmers and 7xx for failures due to management. (Maybe 7xx to 9xx?)
This would let us define 666 - BOFH style code has been executed. Clients SHOULD attempt to execute anything in the response they identify as possible code.
(I'd have ideas for several other possible codes, too.)
But what should we do if the user orders a cup of tea after receiving this code?Admin
All right, I'll give you that: My postal service analogy is flawed in that the application -- in the analogy, the recipient of the letter -- may be involved in deciding what status codes to return.
Still, that doesn't change my main point: that the types of conditions indicated by status codes are not in the same category as "no such part number".
What HTTP status code would you return with such a message? There is no error code for "no such part number". How could there be? How could the w3c create status codes for all the possible error conditions that any application might generate?
And what would be the point? HTTP status codes are messages to the user agent, i.e. the browser, etc, not the human user. What would a browser do differently for "invalid part number" than it would do for "here's the current stock quantity of that part"?
I suppose we could create a code for "there was an application-level error in your request, such as a required field missing or a field value not found in the database". But there is no such code now, and it's not at all clear what the value of such a code would be.
Admin
An extreme example, but exactly my point. We want to be careful about divulging private information in the course of telling people that they are not authorized to see this information. It's like those jokes along the lines of, "The boss ordered me not to tell you that he really is in his office but he just doesn't want to speak to you now."
Admin
If the CEO tries to get into the warehouse but he has forgotten his ID card, and the guard at the door has never seen the CEO before and so does not recognize him, should the guard just let him in because he says, "Hey, I'm the CEO"? If I was the CEO, I'd fire such a guard for extreme stupidity.
OF COURSE we don't set up a security system where if someone puts the wrong key in the lock it automatically opens fire on him with machine guns. Yeah, someone might try the wrong key by mistake. But if he uses the wrong key, we don't let him in either.
OF COURSE security systems have to balance keeping unauthorized people out with a minimum of inconvenience to authorized people. Sure, I've used systems that forgot about the "minimum inconvenience" part.
Admin
And the reason lies in hashing passwords plus salting them, so the server can't possibly tell us which part of the password is wrong and if the length is correct, right?
Other than that "Security through obscurity" is a failed approach, since it tends to make people believe, that they can make their unsafe system safe by simply telling no one that it's not safe.
It's like not locking your car and then not telling anyone that you didn't lock. But you shouldn't be surprised if it's gone anyway when you return.
Admin
Admin
I don't expect my car to be stolen if I leave it unlocked...
Admin
And someone who creates an unsecure system doesn't expect to be hacked.
Admin
400 is also not the right status since the request is valid from an HTTP point of view. I'd vote for either 403 or 204.
Admin
I think that you're missing the point. Stuff from the car may be stolen. But I still have the keys, so the car's not going anywhere without a tow truck.
Admin
Definitely. 403 might have been suitable as well.
Admin
You know what's really amazing?
It's 2013, I've been dealing with this crap for well over a decade, it was trivial to solve then, it's been solved over and over, and STILL TO THIS DAY there aren't BIG FRIGGEN WARNINGS all over documentation like PHP's pg_query about how using pg_query directly is a REALLY BAD IDEA and that you really should use an API that has some protection built in....
http://www.php.net/manual/en/function.pg-query.php
Admin
But why hasn't intellisense capitalised stuff?!
Admin
Actually, a 404 may be the right thing for security purposes. SQL injection is an attack, so there is no real need to "play nice" and follow protocol. If an attacker is trolling your site with SQL injections, getting back a 500 gives them valuable information: that your site has a page there and it's worth the attacker paying special attention. Returning a 404 doesn't give the attacker any free info as to which URLs are crackable and which aren't.
Admin
That's not true, 500 would be more appropriate. The client did not intend to do a SQL injection, so it ís an application bug on the server end and therefore a server issue. The application should have handled the string better to make sure its inserted into the database safely, not simply reject it.