Monday, August 20, 2007

Partners and Security, Part 3B

In the words of Homer Simpson, "DOH!"

I overlooked one of the best and easiest sanity checks for web apps: if there are forms on the site, especially ones with menu selections, see whether your inputs are passed to the address bar when you advance through the site. If they are, you may be able to check for simple input validation problems.

NOTE: Passing info in the URL is not necessarily a bad thing; it depends on what is passed and whether it needs to be validated. For example, it is great that Google Maps lets you throw addresses into a URL to get the maps you want, but a bank that lets you see more information than you should is a problem.

I once found a website where I could select the number of records to display when retrieving a report: I had the choice of five, ten, or twenty records per page in a drop-down menu. When I chose the number and submitted the form, the choice appeared in a string in the resulting URL. Unfortunately, I could simply go to the address bar and change the number to anything I wanted and get the appropriate results; in other words, they didn't validate input. Without going any deeper, I knew that this app was questionable. I reported it to my employer and to the company with the problem site. My employer understood immediately; the other company took some effort.
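As an added example (not code from the original post), here is the server-side fix for the records-per-page case above, in Python: a naive handler that trusts whatever the query string says, beside a hardened one that only accepts the values the drop-down actually offers. The parameter name `records`, the sample URLs and the allowed sizes are assumptions for illustration.

```python
from urllib.parse import parse_qs, urlparse

# Allow-list mirroring the drop-down the form offers (constructed values).
ALLOWED_PAGE_SIZES = (5, 10, 20)
DEFAULT_PAGE_SIZE = 10


def _raw_records_param(url: str):
    """Return the first 'records' value from the query string, or None if absent."""
    query = parse_qs(urlparse(url).query)
    values = query.get("records")
    return values[0] if values else None


def page_size_unvalidated(url: str) -> int:
    """The 'before' behaviour: any integer in the URL is used as the page size."""
    raw = _raw_records_param(url)
    return DEFAULT_PAGE_SIZE if raw is None else int(raw)


def page_size_validated(url: str):
    """Hardened: a missing parameter gets the default; anything not on the
    allow-list returns None so the caller can reject the request (HTTP 400)
    instead of honouring a value the form never offered."""
    raw = _raw_records_param(url)
    if raw is None:
        return DEFAULT_PAGE_SIZE
    try:
        value = int(raw)
    except ValueError:
        return None  # non-numeric junk such as records=10abc
    return value if value in ALLOWED_PAGE_SIZES else None


if __name__ == "__main__":
    # Constructed URLs: a legitimate menu choice and an edited address bar.
    for url in ("https://app.example.test/report?records=20",
                "https://app.example.test/report?records=5000"):
        print(url, "->", page_size_unvalidated(url), page_size_validated(url))
```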

We are severely limited in what we can do to check others' web sites and applications; this is a simple test that can expose fundamental problems without "hacking" the application.

Jack