You can never, ever trust anything that comes from the client,
because the client can send whatever data it wants. It can insert fake headers, extra
parameters, malformed query strings, or anything else. Here is a short list of the
pieces of data that cannot be trusted. This is not a complete list, but it should get you
thinking.
• Form parameters (query string and POST data): the most common mistake
made in this area is trusting form parameters provided in an HTTP request. We
discuss this later in the chapter.
• Cookies (however, we will see an exception later).
• Referer header, which contains the URI of the page that the current page was
linked from. It was included with the intent of helping webmasters track down broken
links. Using it for authentication or security purposes is completely backward.
• User-Agent header, which purportedly identifies the name of the client software
that is accessing the page. Like Referer, this is primarily useful for log analysis
and should never be used for security purposes.
As an example, we can examine poor security design from another platform. PHP
has a configuration option, register_globals, which can cause some serious security
problems when set. When the option is enabled, variables from the query string are
added to the global namespace automatically. The dull but pedagogical example is
that of user authentication code, which authenticates the user and then shows some
secret information depending on the user's level of access:
<?php
// $user_id is assigned only when authentication succeeds
if(authenticated( )) {
    $user_id = get_user_id( );
}
?>
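The failure mode that register_globals enables, shown beside a hardened form, as an added example that is not from the original text. Because register_globals was removed in PHP 5.4, extract() stands in for it here; the bodies of authenticated() and get_user_id(), the session array, and the sample request are assumptions made for illustration.

```php
<?php
// Added example. extract() imports array keys as variables, which is the
// effect register_globals had on query-string parameters.

// Hypothetical stand-ins for the authenticated() and get_user_id() helpers.
function authenticated(array $session): bool {
    return isset($session['user_id']);
}
function get_user_id(array $session): int {
    return $session['user_id'];
}

// Vulnerable pattern: $user_id is never initialized, so a client-supplied
// variable of the same name survives when authentication fails.
function vulnerable_page(array $query, array $session): string {
    extract($query); // emulates register_globals = On
    if (authenticated($session)) {
        $user_id = get_user_id($session);
    }
    return isset($user_id) ? "secret for user $user_id" : "access denied";
}

// Hardened pattern: request data is never imported into variable scope, and
// $user_id is derived only from server-side state.
function hardened_page(array $query, array $session): string {
    $user_id = authenticated($session) ? get_user_id($session) : null;
    return $user_id !== null ? "secret for user $user_id" : "access denied";
}

// Constructed sample input: an unauthenticated request carrying user_id.
$query = ['user_id' => '1'];
$session = [];

echo vulnerable_page($query, $session), "\n";
echo hardened_page($query, $session), "\n";
```

Initializing every security-relevant variable before use is what closes the hole; disabling the setting alone leaves the same bug reachable wherever code imports request data into scope by other means.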