Bugtraq mailing list archives

Re: Intresting case of SQL Injection

From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 06 Dec 2003 11:38:47 +1300

Sys Sec <syssec () sysigsa com> wrote:

<<snip>>

Normally you verify data with Javascript in Client ...


I just _love_ seeing this kind of advice...

NOT!

It amounts to you (or your even more security-ignorant client) 
effectively saying to your clients (or to the clients of your even more 
security ignorant client) "we know better than you about how to secure 
_your_ client computers and thus you should trust our judgement that it 
is safe for you to enable JavaScript in your web browser despite you 
having no frigging idea at all who we are, where this code is actually 
hosted, whether the sysadmins of the hosting servers have two clues 
about securing their machines and so on".

Please _stop_ thinking it is reasonable to assume you can make such 
decisions for folk.  Just because the braindead default configuration 
of popular browsers is "ream me seven ways to Sunday" (also known as 
"multiply the effect of many security flaws in this browser several 
fold by enabling JavaScript") does not mean you should assume 
JavaScript is available, and if your web pages should happen to be 
rendered on a sensibly configured machine, fercrissakes do not assume 
you know better than the person who set the machine up -- in such cases 
the odds are not that they are running some ancient or otherwise non-
scripting client version but that they know a lot more than you about 
the acceptable security exposure of _that machine_.

... but you must verify data
in file that receive POST Form. In the file that receive the POST data you
can use these functions.


Exactly.  The input can be delivered to your server-side app through 
all manner of other channels than your client-side code, so why even 
bother thinking about designing, writing, debugging and maintaining 
client-side sanity-checking code?  The odds -- from a huge repository 
of popular and widely deployed web apps -- that the programmer or team 
behind the app is too retarded to understand the security implications 
of _just_ the server-side of the app, so they should concentrate on 
getting that part better and maintaining that rather than trying to 
dictate their security policies to the clients of the web app.


Regards,

Nick FitzGerald

Current thread:

Intresting case of SQL Injection Martin Sarsale (runa@sytes) (Dec 04)
- Re: Intresting case of SQL Injection Markus Fischer (Dec 05)
- <Possible follow-ups>
- Intresting case of SQL Injection Sys Sec (Dec 05)
  - Re: Intresting case of SQL Injection Nick FitzGerald (Dec 05)
- RE: Intresting case of SQL Injection Scovetta, Michael V (Dec 05)
  - Re: Intresting case of SQL Injection Florian Weimer (Dec 05)