Sunday, November 05, 2006

Code injection explained

Jonathan Read and Seth Fogie, at Informit, in its Security Resource Center, describe what code injection is:
Code injection is a way to place software code into a computer system or program by exploiting unchecked assumed inputs. When a program assumes only a certain input will occur and does not protect against different inputs being made, problems can occur. Code injection provides a way for hackers to gain access to data, modify data and corrupt code that they normally could not affect.
On how much weight assumptions and oversights in the design can carry:

Wikipedia has a great list of dangerous assumptions made by software developers. They are as follows:

  • assuming that metacharacters for an API never occur in an input
  • assuming punctuation like quotation marks or semicolons would never appear
  • assuming only numeric characters will be entered as input
  • assuming the input will never exceed a certain size
  • assuming that numeric values are equal to or less than an upper bound
  • assuming that numeric values are equal to or greater than a lower bound
  • assuming that client-supplied values set by the server (such as hidden form fields or cookies) cannot be modified by the client. This assumption ignores known attacks such as cookie poisoning, in which values are set arbitrarily by malicious clients.
  • assuming that it is okay to pick pointers or array indexes from input
  • assuming an input would never provide false information about itself or related values, such as the size of a file (*).

Software developers need to be very aware that not everyone will use their software as intended. They also need to be aware that even accidental code injection can take place. Accidental code injection can occur when someone uses characters such as quotation marks and punctuation in their name. A user could accidentally corrupt a whole database without realizing it. Software that is vulnerable to accidental bugs like this should never be used. It could never withstand a deliberate attack by a proper hacker.

I refer you to the short article and its example for the case.
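The accidental case the quoted passage describes (a name containing a quotation mark breaking a query) and the fix that removes the assumption, as an added example that is not from the Informit article or this post. It assumes a constructed in-memory SQLite table; the function names are hypothetical.

```python
import sqlite3


def make_db():
    """Constructed sample table (not from the article): three users, one of
    whom has an apostrophe in the name, exactly the accidental case above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("Alice", "admin"), ("O'Brien", "user"), ("Bob", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """Builds the SQL text by concatenation, i.e. it assumes the input never
    contains a quotation mark. A plain name works; O'Brien ends the string
    literal early and the rest of the name is parsed as SQL, so the query
    fails (or, with other punctuation, does something else entirely).
    Returns the matching rows, or an error string when the query breaks."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error: " + str(exc)


def find_user_safe(conn, name):
    """Parameterized query: the value travels separately from the SQL text,
    so quotation marks and semicolons in the input are always data, never
    syntax. This is the assumption-free form of the same lookup."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for who in ("Alice", "O'Brien"):
        print(who, "unsafe:", find_user_unsafe(db, who))
        print(who, "safe:  ", find_user_safe(db, who))
```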

In the context of my use of Plex, one of the reasons I rely on the Websydian patterns for web design is that the page-request dispatching patterns rigorously include, among other security controls, a check against code injection, in something as simple as inheriting from a pattern. But that is the subject of another note...
