Advanced Rails - Building Industrial-Strength Web Apps in Record Time

Application Issues | 131

the environment. You can never, ever trust anything that comes from the client,
because the client can send whatever data it wants. It can insert fake headers, extra
parameters, malformed query strings, or whatever it wants. Here is a short list of the
pieces of data that cannot be trusted. This is not a complete list, but it should get you
thinking.*



  • Form parameters (query string and POST data): the most common mistake
    made in this area is trusting form parameters provided in an HTTP request. We
    discuss this later in the chapter.

  • Cookies (however, we will see an exception later).

  • Referer† header, which contains the URI of the page that the current page was
    linked from. It was included with the intent of helping webmasters track down
    broken links. Using it for authentication or security purposes is completely backward.

  • User-Agent header, which purportedly identifies the name of the client software
    that is accessing the page. Like Referer, this is primarily useful for log analysis
    and should never be used for security purposes.


As an example, we can examine poor security design from another platform. PHP
has a configuration option, register_globals, which can cause some serious security
problems when set. When the option is enabled, request variables (the query string
among them) are added to the global namespace automatically, so a name chosen by
the client becomes a PHP variable without the script ever assigning it. The dull but
pedagogical example is that of user authentication code, which authenticates the user
and then shows some secret information depending on the user's level of access:


<?php
// $user_id is only ever assigned here, and only if authentication succeeds.
// Nothing initializes it to a safe default first.
if (authenticated()) {
    $user_id = get_user_id();
}
?>

...

<?php
// Show the secret if the user is authenticated.
// The check assumes a non-empty $user_id could only have come from the block above.
if ($user_id) {
    echo("Soylent Green is people!");
}
?>

With register_globals enabled, a malicious user can just access index.php?user_id=4
and the $user_id variable will be set to 4 from the query string. Since we presume the
authenticated() function returns false (as the user is not a legitimate user), the if



  * Of course, these only represent vulnerable parts at the HTTP protocol level. Later, we will see how
    vulnerabilities can expose themselves at higher levels. Vulnerabilities at lower levels, such as TCP session
    hijacking, are usually not the developer's concern.
  † Yes, this is a misspelling, but it is too deeply entrenched in HTTP history to change now. Consider it a lesson
    to protocol designers.
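To make the register_globals failure concrete in the language the rest of this book uses, here is an added Ruby example (not code from the book or from PHP itself) that models the two halves of index.php above. The `authenticated?` and `get_user_id` helpers are constructed stand-ins for the PHP functions in the excerpt, `php_truthy?` mirrors how PHP's `if ($x)` treats null, "", "0" and 0, and the query strings fed in at the bottom are constructed test input. The first handler seeds its variable table from the request the way register_globals does; the second keeps request data in its own hash and initializes `user_id` before any branch can read it.

```ruby
require "cgi"

# Constructed stand-ins for the authenticated() and get_user_id() helpers in
# the PHP excerpt: the attacker is not logged in, so authentication fails.
def authenticated?
  false
end

def get_user_id
  4
end

# PHP's `if ($x)` treats null, "", "0" and 0 as false; mirror that so both
# handlers below make the same decision the PHP code would.
def php_truthy?(value)
  !(value.nil? || value == "" || value == "0" || value == 0)
end

# Turn "user_id=4&page=2" into {"user_id" => "4", "page" => "2"}.
def parse_query(query_string)
  CGI.parse(query_string).transform_values(&:first)
end

SECRET = "Soylent Green is people!".freeze

# Vulnerable: behaves like index.php under register_globals. Every request
# variable lands in the same table the script reads its own variables from,
# so a client that never authenticates can still plant user_id.
def show_secret_with_register_globals(query_string)
  globals = parse_query(query_string)              # attacker-controlled seed
  globals["user_id"] = get_user_id if authenticated?
  php_truthy?(globals["user_id"]) ? SECRET : "Access denied"
end

# Hardened: request data stays in its own hash, and user_id starts out nil
# and is assigned only from the server-side authentication result. The same
# query string is still parsed, but nothing in it can reach user_id.
def show_secret_hardened(query_string)
  params = parse_query(query_string)   # legitimate input lives here, read explicitly
  user_id = nil                        # initialized before any branch can read it
  user_id = get_user_id if authenticated?
  # Authorization is decided from user_id alone; params["user_id"] is ignored.
  php_truthy?(user_id) ? SECRET : "Access denied"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed query strings: the attack, two PHP-falsy values, and a benign one.
  %w[user_id=4 user_id=0 user_id= page=2].each do |qs|
    puts "#{qs.ljust(9)} register_globals: #{show_secret_with_register_globals(qs)}"
    puts "#{qs.ljust(9)} hardened:         #{show_secret_hardened(qs)}"
  end
end
```

Run the file directly to see the two handlers side by side: `user_id=4` unlocks the secret only under the register_globals model, while `user_id=0` and `user_id=` are refused by both because PHP would treat them as false. The fix is not the Ruby rewrite itself but the discipline it shows: every variable that gates access is initialized by the server before use, and client data is read from an explicitly named container rather than being allowed to shadow program state.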
