The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws




Transmitting Data via the Client

Many applications leave themselves exposed because they transmit critical data such as product prices and discount rates via the client in an unsafe manner.


Chapter 5: Bypassing Client-Side Controls (p. 128)

If possible, applications should avoid transmitting this kind of data via the client altogether. In virtually any conceivable scenario, it is possible to hold such data on the server, and reference it directly from server-side logic when needed. For example, an application that receives users' orders for various different products should allow users to submit a product code and quantity, and look up the price of each requested product in a server-side database. There is no need for users to submit the prices of items back to the server. Even where an application offers different prices or discounts to different users, there is no need to depart from this model. Prices can be held within the database on a per-user basis, and discount rates can be stored in user profiles or even session objects. The application already possesses, server-side, all of the information it needs to calculate the price of a specific product for a specific user — it must, otherwise it would not be able, on the insecure model, to store this price in a hidden form field.

If developers decide they have no alternative but to transmit critical data via the client, then the data should be signed and/or encrypted to prevent tampering by the user. If this course of action is taken, then there are two important pitfalls to avoid:

- Some ways of using signed or encrypted data may be vulnerable to replay attacks. For example, if the product price is encrypted before being stored in a hidden field, it may be possible to copy the encrypted price of a cheaper product, and submit this in place of the original price. To prevent this attack, the application needs to include sufficient context within the encrypted data to prevent it from being replayed in a different context. For example, the application could concatenate the product code and price, encrypt the result as a single item, and then validate that the encrypted string submitted with an order actually matches the product being ordered.

- If users know and/or control the plaintext value of encrypted strings that are sent to them, then they may be able to mount various cryptographic attacks to discover the encryption key being used by the server. Having done this, they can encrypt arbitrary values and fully circumvent the protection offered by the solution.
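The following is an added example, not code from the book: a server-side token that binds the price to its context (product code and user) with an HMAC, and a verifier that rejects a token copied from a cheaper product or from another user's session. The key, product codes and user ids are constructed placeholders; signing rather than encrypting sidesteps the second pitfall, since the visible plaintext gives the user nothing to recover and no way to forge a valid signature without the server key.

```python
import base64
import hashlib
import hmac

# Constructed demo key: a real deployment loads this from a server-side key store.
SERVER_KEY = b"constructed-demo-key-do-not-use"
SIG_LEN = hashlib.sha256().digest_size  # 32 bytes


def issue_price_token(product_code: str, price_cents: int, user_id: str) -> str:
    """Sign the price together with its context (product and user) so the
    token is only valid for that exact order. Fields are assumed not to
    contain '|'. The plaintext stays visible to the user; the HMAC is what
    they cannot produce or alter without SERVER_KEY."""
    payload = f"{product_code}|{price_cents}|{user_id}".encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()


def verify_order(token: str, ordered_product: str, user_id: str):
    """Return the trusted price for the order, or None if the token is
    malformed, forged, tampered with, or replayed from another product/user."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= SIG_LEN:
        return None
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        product_code, price, token_user = payload.decode().split("|")
        price_cents = int(price)
    except ValueError:
        return None
    # Context check: a validly signed price for a cheaper product, or for
    # another user, must not be accepted for this order.
    if product_code != ordered_product or token_user != user_id:
        return None
    return price_cents


if __name__ == "__main__":
    cheap = issue_price_token("BOOK-001", 999, "alice")
    laptop = issue_price_token("LAPTOP-7", 129900, "alice")
    print(verify_order(laptop, "LAPTOP-7", "alice"))  # 129900
    print(verify_order(cheap, "LAPTOP-7", "alice"))   # None: replayed token
```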

In applications running on the ASP.NET platform, it is advisable to never store any customized data within the ViewState, and certainly never anything sensitive that you would not want to be displayed on-screen to users. The option to enable the ViewState MAC should always be activated.
