Friday, March 03, 2006

Security Rant

Just a quick note on security while it is in my head.

1. Use an accept list instead of a deny list.
i.e. use a regular expression that matches [A-Za-z0-9]
vs. ![/*.()<>\......]

If you miss one character in a deny list, then your validation is useless. The first validation allows only alphanumeric characters; everything else is excluded by the rule.

Microsoft had this issue with IIS 5 (I believe) in that people were exploiting it by using the urlencoded values to do directory traversal, i.e. www.victim.com/%2c%2c/%2c%2c/%2c%2c/c:\windows\system32\command\cmd.exe
(Now that is from memory, so don't shoot me.)

If the processor only accepted .. instead of %2c, things would have been good.

(Note that having %2c is valid, so it should have been decoded to a . before it was validated instead of after, but that would ruin my example.)

2. Fail closed!
I cannot stress this enough. If something goes wrong... shut down! Fail! Throw a billion exceptions.

My best example is a firewall. If an unexpected action occurred in the firewall, what should be done?
1. Crash and leave all ports open
2. Crash and close all ports cutting off any legitimate services

OK, one impacts people connecting, but it SHOULD! They will tell you, and then you know there is an issue and you can fix it. By failing open in this case, you might not know for months that your firewall is not working, as no one has complained.
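Both points in one place, as an added example that is not part of the original post: a path check that decodes first, applies the alphanumeric accept list to each segment, and denies on any error. The function names and sample requests are made up for illustration, and the samples use %2e, the percent-encoding of ".".

```python
import re
from urllib.parse import unquote

# Accept list from the post: alphanumeric characters only, applied per path segment.
SEGMENT = re.compile(r"[A-Za-z0-9]+")


def deny_list_check(raw_path: str) -> bool:
    """Fragile approach: look for known-bad strings in the raw, still-encoded input."""
    return ".." not in raw_path and "\\" not in raw_path


def is_allowed(raw_path) -> bool:
    """Decode first, then require every segment to match the accept list.

    Any error along the way (bad type, invalid encoding) is a denial: fail closed.
    """
    try:
        # errors="strict" makes undecodable bytes raise instead of being replaced.
        path = unquote(raw_path, errors="strict")
        segments = path.strip("/").split("/")
        return all(SEGMENT.fullmatch(s) is not None for s in segments)
    except Exception:
        return False


# Constructed sample requests (not from the original post).
SAMPLES = ["docs/report2006", "%2e%2e/%2e%2e/cmd", "%252e%252e/cmd", "%ff", None]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", "allow" if is_allowed(sample) else "deny")
```

The double-encoded sample is denied without any special handling, because "%" itself is not on the accept list.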
