During a code review I came across code that looked like this:
// for testing only
String testId = request.getParameter("secretId"); // attacker-controlled request parameter
if (testId != null && !testId.equals("")) {
    id = testId;                   // untrusted value becomes the account id
} else {
    id = codeToLookupTheRealId();  // server-side lookup, the only path that should exist
}
This code lets any user bypass access control simply by adding a "secretId" parameter to the request: the supplied value is used as the account id without any check that it belongs to the authenticated user. As the "for testing only" comment shows, the code was added for convenience during testing and was carelessly left in the system. Normally the value of "id", when looked up on the server side, is what prevents a user from reaching data in other accounts; here a security decision is made on untrusted data from the request, so the attacker can bypass the check entirely. This is the essence of CWE-807, Reliance on Untrusted Inputs in a Security Decision [1].
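The same defect and its fix, as an added example that is not part of the original post: the Java snippet above rewritten in Python next to a hardened version that takes the identity only from the server-side session, plus the variant needed when a client may legitimately pick one of its own accounts. The Request class, the ACCOUNT_OWNER table and the account ids are constructed for the demo and stand in for a real servlet request and database.

```python
# Added example (not the post's own code): vulnerable vs hardened account-id
# resolution. Request, ACCOUNT_OWNER and the ids below are constructed for the demo.
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request."""
    params: dict = field(default_factory=dict)   # query/form parameters: attacker-controlled
    session: dict = field(default_factory=dict)  # server-side session, populated at login


# Constructed account table: which authenticated user owns which account id.
ACCOUNT_OWNER = {
    "acct-1001": "alice",
    "acct-2002": "bob",
    "acct-2003": "bob",
}


def lookup_real_id(user):
    """Server-side lookup, playing the role of codeToLookupTheRealId()."""
    for account, owner in ACCOUNT_OWNER.items():
        if owner == user:
            return account
    raise PermissionError(f"no account for {user!r}")


def resolve_id_vulnerable(request):
    """Same logic as the Java snippet: an attacker-supplied 'secretId' wins (CWE-807)."""
    test_id = request.params.get("secretId")
    if test_id:  # equivalent to testId != null && !testId.equals("")
        return test_id
    return lookup_real_id(request.session["user"])


def resolve_id_hardened(request):
    """Identity comes only from the server-side session; request parameters play no part."""
    return lookup_real_id(request.session["user"])


def select_account_hardened(request):
    """When the client may legitimately choose among its own accounts, the chosen id
    is an input to an authorization check on the server, never the decision itself."""
    user = request.session["user"]
    requested = request.params.get("account")
    if not requested:
        return lookup_real_id(user)
    if ACCOUNT_OWNER.get(requested) != user:
        raise PermissionError(f"{user!r} does not own {requested!r}")
    return requested


if __name__ == "__main__":
    # bob is logged in (session) and appends ?secretId=acct-1001 to read alice's account
    attack = Request(params={"secretId": "acct-1001"}, session={"user": "bob"})
    print("vulnerable:", resolve_id_vulnerable(attack))  # acct-1001: alice's data
    print("hardened:  ", resolve_id_hardened(attack))    # acct-2002: bob's own account
```

The hardened resolver never reads the parameter at all; where a client-chosen id is unavoidable, select_account_hardened shows the shape of the fix: the request may propose, but ownership is verified against server-side data before the id is used.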
Historically PHP suffered from the same issue. When enabled, PHP's register_globals directive [2] (http://php.net/manual/en/security.globals.php) registered every GET, POST, cookie, server and environment variable as a global variable, so a request such as ?authorized=1 could set a script variable the code later trusted for a security decision. This led to numerous security issues and eventually resulted in register_globals being disabled by default in PHP 4.2.0, deprecated in PHP 5.3.0, and finally removed in PHP 5.4.0.
Never rely on untrusted input to make a security decision, and always perform access control checks on the server side using data the server itself established, such as the authenticated session.
Frank Kim is the Founder of ThinkSec, a security consulting and CISO advisory firm. He leads the Cybersecurity Leadership and Cloud Security curricula at SANS, as well as authors and instructs multiple SANS courses.