Sharkmedia - Site Articles - Raw
This is a nice example of a confused deputy attack, whereby the browser is fooled by
some other party into misusing its authority. A third-party site, for example, can make
the user's browser misuse its authority to do something for the attacker.
In the case of CSRF, a third-party site issues requests to the target site (e.g., your
bank) using your browser, with your cookies and session. If you are logged in to your
bank's homepage in one tab, for example, and the bank is vulnerable to this attack,
another tab can make your browser misuse its credentials on the attacker's behalf,
resulting in the confused deputy problem. The deputy is the browser, which misuses
its authority (session cookies) to do whatever the attacker instructs it to do.
Consider this example:
Attacker Alice wants to lighten target Todd's wallet by transferring some of his
money to her. Todd's bank is vulnerable to CSRF. To send money, Todd has to access
the following URL:
http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
After this URL is opened, a success page is presented to Todd, and the transfer is
done. Alice also knows that Todd frequently visits a site under her control at
blog.aliceisawesome.com, where she places the following snippet:
<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243" width="0" height="0" />
Upon visiting Alice's website, Todd's browser thinks that Alice is linking to an image
and automatically issues an HTTP GET request to fetch the picture, but this actually
instructs Todd's bank to transfer $1500 to Alice.
Incidentally, in addition to demonstrating the CSRF vulnerability, this example also
demonstrates altering server state with an HTTP GET request, which is itself a
serious vulnerability. HTTP GET requests must be safe (and therefore idempotent),
meaning that they must not alter the resource being accessed. Never, ever, ever
use safe methods to change the server state.
Fun fact: CSRF was also the method people used for cookie stuffing in the past, until
affiliates got wiser.
Prevention: Store a secret token in a hidden form field that is inaccessible from
the third-party site. You of course always have to verify this hidden field. Some sites
also ask for your password when modifying sensitive settings (your password
reminder email, for example), although I'd suspect this is there to prevent the
misuse of your abandoned sessions (in an internet cafe, for example).
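The following is an added example, not code from the original article or from any bank in it, showing the two defences the text describes side by side: state changes are refused on GET (a safe method), and a POST is accepted only when it carries the secret token that the bank's own page embedded in a hidden field. The session store, balances, account mapping and the `handle_request` API are constructed for the example; a real application would get these from its framework.

```python
import hmac
import secrets
from http import HTTPStatus
from urllib.parse import parse_qs

# Constructed in-memory state for the example: session id -> session record, sample balances,
# and the mapping from destinationAccount to its owner.
SESSIONS = {}
BALANCES = {"todd": 5000, "alice": 0}
ACCOUNT_OWNER = {"4673243243": "alice"}
TRANSFER_PATH = "/app/transferFunds"


def login(user):
    """Start a session for `user` and bind one unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """The bank's own page embeds the session's token in a hidden field.
    A page served from another origin cannot read this HTML, so it cannot copy the token."""
    token = SESSIONS[sid]["csrf"]
    return (
        f'<form method="POST" action="{TRANSFER_PATH}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><input name="destinationAccount">'
        "</form>"
    )


def handle_request(method, path, cookies, payload=""):
    """Tiny request handler. `payload` is the query string for GET or the form body for POST.
    Returns (status, message). Money moves only on a POST that carries the session's token."""
    if path != TRANSFER_PATH:
        return HTTPStatus.NOT_FOUND, "not found"
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return HTTPStatus.UNAUTHORIZED, "login required"
    if method != "POST":
        # The forged <img src=...> from the text arrives as a GET carrying Todd's cookies.
        # GET is a safe method and must never change state, so it is refused outright.
        return HTTPStatus.METHOD_NOT_ALLOWED, "transfers require POST"
    form = {k: v[0] for k, v in parse_qs(payload).items()}
    supplied = form.get("csrf_token", "")
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return HTTPStatus.FORBIDDEN, "missing or invalid CSRF token"
    try:
        amount = int(form["amount"])
        recipient = ACCOUNT_OWNER[form["destinationAccount"]]
    except (KeyError, ValueError):
        return HTTPStatus.BAD_REQUEST, "bad transfer parameters"
    payer = session["user"]
    if amount <= 0 or BALANCES[payer] < amount:
        return HTTPStatus.BAD_REQUEST, "invalid amount"
    BALANCES[payer] -= amount
    BALANCES[recipient] += amount
    return HTTPStatus.OK, f"transferred {amount} to {recipient}"


def demo():
    """Replay the forged request from the text, a forged POST, and a legitimate submission.
    Returns the three status codes and the final balances."""
    sid = login("todd")
    cookies = {"sid": sid}  # the browser attaches these to every request to the bank
    forged_query = "amount=1500&destinationAccount=4673243243"
    # 1. Alice's hidden <img>: a GET with Todd's cookies and no token -> refused as unsafe.
    statuses = [handle_request("GET", TRANSFER_PATH, cookies, forged_query)[0]]
    # 2. A cross-site POST with Todd's cookies but a guessed token -> refused, token mismatch.
    statuses.append(handle_request("POST", TRANSFER_PATH, cookies, forged_query + "&csrf_token=guess")[0])
    # 3. Todd submits the bank's own form, which carries the real hidden token -> accepted.
    token = SESSIONS[sid]["csrf"]
    statuses.append(handle_request("POST", TRANSFER_PATH, cookies, forged_query + "&csrf_token=" + token)[0])
    return statuses, dict(BALANCES)


if __name__ == "__main__":
    print(demo())
```

Only the third request moves money: the forged GET never reaches the transfer logic, and the forged POST fails the token check even though it carries Todd's valid session cookie, because the token lives in page content that the attacker's origin cannot read.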
Common Mistake #9: Using components with known vulnerabilities
The title says it all. I'd again classify this as more of a maintenance/deployment
issue. Before incorporating new code, do some research and possibly some auditing.
Using code that you got from a random person on GitHub or some forum might be
very convenient, but it is not without risk of serious web security vulnerabilities.
I have seen many instances, for example, where sites got owned (i.e., where an
outsider gained administrative access to a system), not because the programmers
were stupid, but because third-party software remained unpatched for years in
production. This happens all the time with WordPress plugins, for example. If you
think they will not find your hidden phpMyAdmin installation, let me introduce you
to DirBuster.
The lesson here is that software development does not end when the application is
deployed. There have to be documentation, tests, and plans for how to maintain it and
keep it updated, especially if it contains third-party or open source components.
Prevention:
Exercise caution. Beyond obviously using caution when using such
components, do not be a copy-paste coder. Carefully inspect the piece of
code you are about to put into your software, as it might be broken beyond
repair (or in some cases, intentionally malicious).
Stay up to date. Make sure you are using the latest versions of everything
that you trust, and have a plan to update them regularly. At the very least, subscribe
to a newsletter of new security vulnerabilities regarding the product.
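As an added illustration of the "stay up to date" plan above (this is example code, not from the original article), the script below reads a pinned dependency list and compares each pin against an advisory list of first-fixed versions. The package names, versions and advisories are all constructed placeholders, not real advisories; in practice the advisory data would come from the vendor's security feed or a vulnerability database.

```python
import re

# Constructed advisory data: package -> first version that fixes the flaw.
# Placeholder names and versions, not real advisories.
ADVISORIES = {
    "examplelib": "2.4.1",
    "widgetkit": "1.0.7",
}

# Constructed sample requirements.txt content.
SAMPLE_REQUIREMENTS = """
# pinned third-party components
examplelib==2.3.0
widgetkit==1.0.7
othertool>=3.1
safelib==0.9.2
"""

# name, optional comparison operator, optional version
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?")


def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically rather than as strings
    (string comparison would rank '2.10.0' below '2.9.9')."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_requirements(text):
    """Yield (name, operator, version) for each requirement line; comments and blanks are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if m is None:
            continue
        name, op, version = m.groups()
        yield name.lower(), op, version


def audit(text, advisories=ADVISORIES):
    """Classify each dependency: 'vulnerable' if pinned below the fixed version,
    'unpinned' if the deployed version cannot be known from the file, otherwise 'ok'."""
    report = {}
    for name, op, version in parse_requirements(text):
        if op != "==" or version is None:
            # A range pin means you do not know what actually ships, so it cannot be vouched for.
            report[name] = "unpinned"
            continue
        fixed = advisories.get(name)
        if fixed is not None and parse_version(version) < parse_version(fixed):
            report[name] = "vulnerable"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    for name, status in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{name:12s} {status}")
```

Running this in a build pipeline turns the "have a plan to update them" advice into a check that fails the build when a pinned component is known to be below its fixed version, and that flags unpinned components whose deployed version nobody can state.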
System integration
In engineering, system integration is defined as the process of bringing
together the component subsystems into one system and ensuring that the
subsystems function together as a system.[1] In information technology, systems
integration[2] is the process of linking together different computing systems and
software applications physically or functionally,[3] to act as a coordinated whole.
The system integrator brings together discrete systems utilizing a variety of
techniques such as computer networking, enterprise application
integration, business process management or manual programming.[4]
A system is an aggregation of subsystems cooperating so that the system is
able to deliver the overarching functionality. System integration involves integrating
existing, often disparate, systems.
System integration (SI) is also about adding value to the system: capabilities that
are possible because of interactions between subsystems.
In today's connected world, the role of system integration engineers is becoming
more and more important: more and more systems are designed to connect, both
within the system under construction and to systems that are already deployed.[5]
Required skills
A system integration engineer needs a broad range of skills and is likely to be
defined by a breadth of knowledge rather than a depth of knowledge. These skills
are likely to include software, systems and enterprise architecture, software and
hardware engineering, interface protocols, and general problem-solving skills. It is
likely that the problems to be solved have not been solved before except in the
broadest sense. They are likely to include new and challenging problems with input
from a broad range of engineers, where the system integration engineer "pulls it all
together."[6]
Methods of integration
Vertical integration (as opposed to "horizontal") is the process of
integrating subsystems according to their functionality by creating functional
entities, also referred to as silos.[7] The benefit of this method is that the integration
is performed quickly and involves only the necessary vendors; therefore, this
method is cheaper in the short term. On the other hand, cost of ownership can be
substantially higher than with other methods, since in the case of new or enhanced
functionality, the only possible way to implement it (scale the system) would be to
implement another silo. Reusing subsystems to create another functionality is
not possible.[8]
Star integration, also known as spaghetti integration, is a process of
systems integration where each system is interconnected to each of the remaining
subsystems. When observed from the perspective of the subsystem which is being
integrated, the connections are reminiscent of a star, but when the overall diagram
of the system is presented, the connections look like spaghetti, hence the name of
this method. The cost varies because of the interfaces that subsystems are
exporting. In a case where the subsystems are exporting heterogeneous or
proprietary interfaces, the integration cost can rise substantially. Time and costs
needed to integrate the systems increase exponentially when adding additional
subsystems. From the feature perspective, this method often seems preferable, due
to the extreme flexibility of the reuse of functionality.[8]
Horizontal integration, or Enterprise Service Bus (ESB), is an integration
method in which a specialized subsystem is dedicated to communication between
the other subsystems. This allows cutting the number of connections (interfaces) to only
one per subsystem, which connects directly to the ESB. The ESB is capable of
translating one interface into another. This allows cutting the costs of
integration and provides extreme flexibility. With systems integrated using this
method, it is possible to completely replace one subsystem with another subsystem
which provides similar functionality but exports different interfaces, all of this being
completely transparent to the rest of the subsystems. The only action required is to
implement the new interface between the ESB and the new subsystem.[8]
The horizontal scheme can be misleading, however, if it is thought that the cost of
intermediate data transformation or the cost of shifting responsibility over business
logic can be avoided.[8]
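The following is an added example, not code from the article or from any ESB product, that makes the horizontal-integration claims concrete: each subsystem connects to a hub once through its own adapter, the hub translates between the subsystems' exported interfaces via one canonical record, and replacing a subsystem means writing only one new adapter. The subsystem names, message formats and the `Bus` API are constructed for the example; the hub also validates the canonical record, which is exactly the "intermediate data transformation" cost the caveat above says cannot be avoided.

```python
import json

# Canonical record every subsystem's messages are translated to on the bus.
CANONICAL_FIELDS = ("id", "name", "email")

# Constructed sample messages in each subsystem's native (exported) interface.
CRM_MESSAGE = json.dumps({"customer_id": "C-17", "full_name": "Todd Example", "mail": "todd@example.com"})
LEGACY_MESSAGE = "C-17;Todd Example;todd@example.com"


class Adapter:
    """One adapter per subsystem: translate its interface to and from the canonical record."""
    def __init__(self, to_canonical, from_canonical):
        self.to_canonical = to_canonical
        self.from_canonical = from_canonical


class Bus:
    """ESB-style hub: every subsystem connects once, to the bus, never to each other."""
    def __init__(self):
        self.adapters = {}

    def register(self, name, adapter):
        self.adapters[name] = adapter

    def connection_count(self):
        return len(self.adapters)  # one connection per subsystem

    def route(self, source, target, raw):
        record = self.adapters[source].to_canonical(raw)
        # Validate at the hub so a malformed or incomplete message never reaches the target.
        if set(record) != set(CANONICAL_FIELDS) or any(not record[f] for f in CANONICAL_FIELDS):
            raise ValueError(f"{source} produced an invalid canonical record: {record}")
        return self.adapters[target].from_canonical(record)


def star_connection_count(n):
    """Point-to-point ('spaghetti') integration: each subsystem needs a link to every other one."""
    return n * (n - 1)


# Adapters for the two constructed subsystems.
def crm_to_canonical(raw):
    d = json.loads(raw)
    return {"id": d["customer_id"], "name": d["full_name"], "email": d["mail"]}


def crm_from_canonical(r):
    return json.dumps({"customer_id": r["id"], "full_name": r["name"], "mail": r["email"]})


def legacy_to_canonical(raw):
    return dict(zip(CANONICAL_FIELDS, raw.split(";")))


def legacy_from_canonical(r):
    return ";".join(r[f] for f in CANONICAL_FIELDS)


def build_bus():
    bus = Bus()
    bus.register("crm", Adapter(crm_to_canonical, crm_from_canonical))
    bus.register("legacy", Adapter(legacy_to_canonical, legacy_from_canonical))
    return bus


def replace_legacy_with_erp(bus):
    """Swap a subsystem: only the newcomer's adapter is written; the 'crm' adapter is untouched."""
    erp = Adapter(
        lambda raw: {"id": raw["Id"], "name": raw["Name"], "email": raw["Email"]},
        lambda r: {"Id": r["id"], "Name": r["name"], "Email": r["email"]},
    )
    del bus.adapters["legacy"]
    bus.register("erp", erp)
    return bus


def is_rejected(bus, source, target, raw):
    """True when the hub refuses to forward a message that fails canonical validation."""
    try:
        bus.route(source, target, raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bus = build_bus()
    print(bus.route("crm", "legacy", CRM_MESSAGE))
    print("bus links:", bus.connection_count(), "star links:", star_connection_count(bus.connection_count()))
```

With two subsystems the link counts coincide (2 against 2), but at six subsystems the bus still has 6 adapters while point-to-point integration needs 30 translators, which is the cost curve the star-integration paragraph describes.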
A common data format is an integration method to avoid every adapter
having to convert data to/from every other applications' formats,Enterprise
Network management