WebApp Sec mailing list archives
Re: ISA Server and SQL Injection
From: Paul Johnston <paul () westpoint ltd uk>
Date: Wed, 23 Feb 2005 14:20:36 +0000
Mark, Thanks for sharing your thoughts.I think what you're saying boils down to "just get the code right". Well, sure, if everyone did just get the code right then we wouldn't have these problems. But the point of defence in depth is to design a system that is secure, even if a few coding errors have been made. With this in mind, app firewalls are a useful part of the arsenal. On a practical level, doing this gives more security than expending equivalent effort just on auditing the code.
The current ones perhaps, but that's not an inherent limitation. Just like TCP/IP firewalls have become stateful, so will application firewalls. Say the field is "basketid", the app firewall starts by blocking ALL values of that. When a user requests a page with a link to a valid basketid for that user, the app firewall statefully adds that id to the whitelist for just that user. This way, if the parameter is vulnerable to tampering (e.g. it's sequential) the app firewall provides further protection.They have no hope whatsoever to protect a web application where sayswitching a name value pair gives you another persons account.
Ideally, the back-end application protects this by using 128-bit random numbers as IDs. The front-end app firewall provides further protection. Now, if EITHER of these protections fail, the resulting system is still secure.
Regards, Paul -- Paul Johnston, GSEC Internet Security Specialist Westpoint Limited Albion Wharf, 19 Albion Street, Manchester, M1 5LN England Tel: +44 (0)161 237 1028 Fax: +44 (0)161 237 1031 email: paul () westpoint ltd uk web: www.westpoint.ltd.uk
Current thread:
- Re: storing SSNs, CCNs, password in the DB, (continued)
- Re: storing SSNs, CCNs, password in the DB Francesco (Feb 28)
- Re: storing SSNs, CCNs, password in the DB Andrew van der Stock (Mar 01)
- Re: storing SSNs, CCNs, password in the DB Paul Johnston (Mar 01)
- Re: storing SSNs, CCNs, password in the DB Joseph Miller (Mar 01)
- Re: storing SSNs, CCNs, password in the DB Alvin Oga (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Feb 28)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
- Re: ISA Server and SQL Injection Paul Johnston (Feb 23)
- RE: ISA Server and SQL Injection Mark Curphey (Feb 23)
- Re: ISA Server and SQL Injection Paul Johnston (Feb 23)
- RE: ISA Server and SQL Injection Mark Curphey (Feb 23)
- Re: ISA Server and SQL Injection Paul Johnston (Feb 28)
- Re: ISA Server and SQL Injection Stephen de Vries (Feb 28)
- Re: ISA Server and SQL Injection Jan P. Monsch (Mar 01)
- Re: ISA Server and SQL Injection christopher (Mar 03)
- Re: ISA Server and SQL Injection Jan P. Monsch (Mar 03)
- Re: ISA Server and SQL Injection Paul Johnston (Mar 03)
- Object Caching with IE 6 XP SP2 Don Tuer (Feb 28)