Top 25 Series - Rank 6 - Reliance on Untrusted Inputs in a Security Decision

Authored by Frank Kim

During a code review I came across code that looked like this:

// for testing only
String testId = request.getParameter("secretId");   // attacker-controlled request parameter
if (testId != null && !testId.equals("")) {
    id = testId;                                    // untrusted value becomes the account id
} else {
    id = codeToLookupTheRealId();                   // the intended server-side lookup
}

This code allows a malicious user to perform an access control bypass simply by supplying the "secretId" parameter in the request. As the "for testing only" comment shows, this code was accidentally left in the system by a careless developer who created it for convenience during testing. Normally, the value of "id", when properly looked up on the server, prevents unauthorized access to data in other accounts. Here, though, relying on untrusted data from the request allows the attacker to completely bypass the access control check. This is the essence of CWE-807 [1].

Historically, PHP suffered from the same issue. In the past, when enabled, PHP's register_globals directive [2] set all GET, POST, Cookie, Server, and environment variables as global variables. This led to numerous security issues and eventually resulted in register_globals being disabled by default in PHP 4.2.0, deprecated in PHP 5.3.0, and finally removed in PHP 6.0.0.

Make sure that you never rely on untrusted inputs to make a security decision and always perform access control checks on the server side.
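The lookup from the reviewed code, written twice as an added example (not code from the original post): once mirroring the vulnerable pattern and once with the decision made purely from server-side session state. The request is modelled as a dict of query parameters and the session store as a dict, both constructed here, so it runs without a servlet container.

```python
# Added example, not the original post's code. The request is a plain dict of
# query parameters and SESSIONS stands in for the server's session store; the
# session tokens and account ids below are constructed sample data.

# Constructed session store: session token -> account id the caller owns.
SESSIONS = {"sess-alice": "1001", "sess-bob": "1002"}


def vulnerable_lookup_id(params, session_token):
    """Mirrors the reviewed Java: a request parameter overrides the real lookup."""
    test_id = params.get("secretId")          # untrusted, attacker-controlled
    if test_id is not None and test_id != "":
        return test_id                        # security decision driven by untrusted input
    return SESSIONS.get(session_token)        # the real, server-side lookup


def hardened_lookup_id(params, session_token):
    """Request parameters are never consulted; only authenticated session state is."""
    return SESSIONS.get(session_token)        # None when the session is unknown


def check_access(params, session_token):
    """Server-side access control for a request that names an account.

    A request may legitimately carry an accountId (for example from a URL), but
    the decision compares it to what the session proves, never to another
    request-supplied value. Returns (allowed, account_id).
    """
    owner = hardened_lookup_id(params, session_token)
    if owner is None:
        return (False, None)                  # unauthenticated: deny
    requested = params.get("accountId", owner)
    if requested != owner:
        return (False, None)                  # attempt to reach another account
    return (True, requested)
```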

  1. http://cwe.mitre.org/top25/#CW...
  2. http://php.net/manual/en/security.globals.php