A recent item in the news (http://www.thedailywtf.com/forums/65974/ShowPost.aspx) reminds us of two important Web application security tips:
1. Don’t fail into an insecure mode by default
2. Be careful running automated spidering software on your applications.
This story took place during development of a Web content management application. One morning the dev team came in to find that all content had been erased. An investigation of the incident linked blame for the deletions on an IP address associated with one of Google’s Web spidering servers. Logs revealed that the spidering software was indexing the site when it came upon a link for content editing. Like a good spider, it followed the link.
Application access controls should have required authentication at this point, effectively stopping the spider from anonymously changing anything on the site. This particular application assigned a cookie parameter named “isLoggedOn” with a default value of “false”. Once a user authenticated, the app changed this value to “true”. Unfortunately, the application only denied access if the value was set to “false”. Any other value, or the absence of a value altogether, would permit the requested operation.
As you may have guessed, the Google spider was able to successfully enter page editing mode because it didn’t accept the original cookie from the application. Thus it passed the badly written authorization test. Once in edit mode it dutifully continued following all links, including the “Delete Page” option. Any curious hacker could have done the same thing.
Obviously the problem could have been prevented by better programming. Applications should operate by authorizing only requests that are accompanied with legitimate authentication credentials (like a unique session ID) and not by the absence of a value.
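As an added illustration (not code from the post or from the application it describes), here is the fail-open “isLoggedOn” check beside a fail-closed check that permits a request only when it carries a session ID the server issued. The `SessionStore` class, the `session_id` cookie name and the sample requests are constructed for this example.

```python
# Added example: the fail-open "isLoggedOn" check from the story next to a
# fail-closed check keyed on a server-issued session ID (SessionStore,
# "session_id" and the sample requests are constructed for this illustration).
import secrets


def is_authorized_fail_open(cookies):
    """The flawed check: deny only when isLoggedOn is literally "false".
    A missing cookie (a spider that discards cookies) or any other value passes."""
    return cookies.get("isLoggedOn") != "false"


class SessionStore:
    """Minimal server-side session table; stands in for the app's real one."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        # Unguessable ID; a client can only present what the server issued.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid)


def is_authorized_fail_closed(cookies, store):
    """Permit only a request carrying a session ID the server actually issued.
    Absent, malformed and unknown IDs all fall into the deny branch."""
    sid = cookies.get("session_id")
    if not isinstance(sid, str) or not sid:
        return False
    return store.user_for(sid) is not None


def evaluate_requests(store, valid_sid):
    """Run both checks over constructed requests; returns {name: (open, closed)}."""
    requests = {
        "google_spider_no_cookies": {},                       # spider dropped the cookie
        "logged_out_user": {"isLoggedOn": "false"},           # the only value that is denied
        "tampered_flag": {"isLoggedOn": "yes"},               # any other value slips through
        "forged_session": {"session_id": secrets.token_urlsafe(32)},  # never issued
        "real_login": {"session_id": valid_sid},
    }
    return {name: (is_authorized_fail_open(c), is_authorized_fail_closed(c, store))
            for name, c in requests.items()}
```

Only the genuine login passes the fail-closed check; the spider's cookie-less request, the tampered flag and the forged ID all pass the original check and all fail the corrected one.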
The story also acts as a good reminder that spidering a web application can have unintended consequences. If you are using automated vulnerability scanning software that spiders content during testing, it can cause the same negative impacts. This is why Security PS assessments include time for us to manually walk through applications and identify issues like a link that logs out of the application or deletes a user account. These links can then usually be placed in an exception list so they are avoided by any subsequent spidering.
Which is nice, because it allows you to spend time doing something more exciting than running to grab the latest backup tape for your server.