spoonfork

Tuesday, November 28. 2006

is it the music that connects me and you?

is it because i is black?

damn you samy!

listening to: daft punk - rollin's & scratchin'

Posted by at 19:26 | Comment (1) | Trackbacks (0)

Tuesday, November 21. 2006

more vulnerable codes

quick question: if a security bug has a low likelihood of occuring, has low impact, but high severity if it is able to be executed, is it still a security vulnerability? to be more specific, exploiting it is almost impossible: so, is it worth the resource in fixing it?

let me explain in detail so that you all get a gist of what i'm trying to point out here. but first of all, let's just acknowledged the fact that i've developed software before, and that i am very familiar with software development methodology and lifecycle. and yes, i do know the thought process of a programmer without any security trainings or secure coding education because i've been one before.

the bug that i found has a low likelihood of being exploited. in fact, the probability that an attacker can exploit it almost 0. since this has been proven, it is safe to say that the finding has no effect on security. in fact, the finding should not be in the final report to the client.

the bug exist in a variable that is automatically generated by the asp.net framework, much like php's $_POST, $_REQUEST or $_GET global variables, but not quite. this variable contains values that are pertinent to the requested page - i.e. the back-end application will take it, process it and display them in a nice html page. the values are initially retrieved from database or soap servers. this variable, and its values are never re-inserted in the database or sent back to the soap servers - they are non-persistent.

so, as an attacker, even if i manipulate the values of the magic asp.net variable there is nothing much that i can do. this has been the basis of arguments between me and the vendor - they refuse to adopt one of the best practices in secure coding - "filter inputs that are sent to and from the application" simply because the values are non persistent. fine.

wearing my programmer hat (a fresh graduate without exposure to secure coding practices), i know a gazillion ways how this magic variable can be abused. assuming i have another script that processes the same information - i don't have to repeatedly retrieve the values from the database.i just have to use that magic variable! save a few lines of codes and i can play world of warcraft later. even worse: what if the database needs updating? fine i just put them back into the database!

so, you are right in saying that no fixing needs to be done, but you're wrong in assuming that. programmers are lazy, and the lazy ones produce insecure codes. your application is complex, and complex application contains complex codes, and complex codes are insecure.

Posted by at 17:04 | Comments (3) | Trackbacks (0)

Tag(s): geek stuff, rant, utensils

Saturday, November 11. 2006

switching ASP.NET from .NET 2.0 to .NET 1.1

apperantly, this is a lot simpler than it seems. after scouring the net for answers, all that i have to do is the following:


c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -i

this will register the version of the .Net framework with IIS. next,


c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s WC3SVC\1\ROOT\MyWebApp

this command will update the script map for the web application "MyWebApp" to use version 1.1 of the .Net framework. -s will update the script mapping recursively. the "WC3SVC\1\ROOT" is the metabase path for the IIS. if you're running default installation of IIS with the default application pool and nothing fancy, this is usually "WC3SVC\1\ROOT". "MyWebApp" is the folder containing your ASP.NET application in the inetpub\webroot directory.

Once that is done, you need to allow the ASP.NET 1.1 extension in inetmgr, else you'll be getting 404.

listening to: red hot chilli peppers - save the population

Posted by at 10:28 | Comments (0) | Trackbacks (0)

Tag(s): geek stuff

Friday, November 10. 2006

you're so vain, you probably think this blog post is about you

doncha?

so the app (ASP.NET) that i'm auditing does not work with .NET 2.0, and i just don't have the freaking time nor the technical skills to configure IIS 6.0 to run in a different pool where it will use .NET 1.1, and on top of that, MSSQL 2005 doesn't like .NET 2.0, and to top it off, i also can't freaking get .NET 1.1 to install on windows 2003 server (well, of course, .NET 1.1 comes with windows 2003 by default). sighs. so it's back to installing another windows 2003 server on vmware, and hoping the app will work.

and i'm beginning to love auditing ASP.NET app that i am learning to code web apps in asp, hallelujah to me.

last week (for those who care). i hit the big 3 point 0 (oh-oh-oh), and mom and dad celebrated their silver jubilee. it was surreal ehhehehehuahua...

listening to: sheryl crow - run, baby run

Posted by at 14:56 | Comments (4) | Trackbacks (0)

Tag(s): utensils

(Page 1 of 1, totaling 4 entries)

About

This is the personal blog of Mel Mudin (spoonfork). All data and information provided on this site is for informational purposes and on an as-is basis.

This weblog does not represent the thoughts, intentions, plans or strategies of my employers. It is solely my opinion and views as a kambing biri-biri.

Feel free to challenge me, disagree with me, or even tell me that I am a kambing biri-biri wannabee in the comment section of each blog entry.

Quicksearch

Show tagged entries

bush-fetish caption time geek stuff gentoo hitb japan macam-macam malaysia movie music my-milkshake rant spoonfork utensils

Syndicate This Blog

RSS 0.91 feed

RSS 1.0 feed

RSS 2.0 feed

ATOM 0.3 feed

ATOM 1.0 feed

RSS 2.0 Comments

Entries from November 2006