LII:Web Application Security Guide/Truncation attacks, trimming attacks - Revision history

Shawndouglas: Added further reading

2016-08-10T22:42:00Z

Added further reading

← Older revision		Revision as of 22:42, 10 August 2016
Line 6:		Line 6:
	===To prevent this type of attack===		===To prevent this type of attack===
	* Avoid truncating input. Treat overlong input as an error instead.		* Avoid truncating input. Treat overlong input as an error instead.
	* If truncation is necessary, ensure to check the value after truncation and use only the truncated value		* If truncation is necessary, ensure to check the value after truncation and use only the truncated value.
	* Make sure trimming does not occur or checks are done consistently		* Make sure trimming does not occur or checks are done consistently.
	* Introduce length checks		* Introduce length checks.
	** ~~care~~ about different lengths due to encoding		** Care about different lengths due to encoding.
	* Make sure SQL treats truncated queries as errors by setting an appropriate <tt>SQL MODE</tt>		* Make sure SQL treats truncated queries as errors by setting an appropriate <tt>SQL MODE</tt>.

	===Rationale===		===Rationale===
	Avoiding truncation makes sure no issues can arise. If truncation is applied, performing all necessary checks after the truncation and using only the truncated value is equivalent to receiving the value in truncated condition. The same rules apply for trimming. Length checks prevent unexpected truncation due to length limits. Encoding needs to be taken into account because the byte-lengths and character-lengths of a UTF-8 string may be different. Setting the SQL MODE so that truncation causes errors ensures that truncation cannot be abused to modify queries. However, the resulting errors can still cause queries to fail unexpectedly, which should be handled in a secure manner.		Avoiding truncation makes sure no issues can arise. If truncation is applied, performing all necessary checks after the truncation and using only the truncated value is equivalent to receiving the value in truncated condition. The same rules apply for trimming. Length checks prevent unexpected truncation due to length limits. Encoding needs to be taken into account because the byte-lengths and character-lengths of a UTF-8 string may be different. Setting the SQL MODE so that truncation causes errors ensures that truncation cannot be abused to modify queries. However, the resulting errors can still cause queries to fail unexpectedly, which should be handled in a secure manner.

			==Further reading==
			* [[wikipedia:Data truncation\|Data truncation]]

	==Notes==		==Notes==
	The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Truncation_attacks,_trimming_attacks the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.		The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Truncation_attacks,_trimming_attacks the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.

Shawndouglas: /* Session fixation */ Title

2016-08-10T21:15:57Z

Session fixation: Title

← Older revision		Revision as of 21:15, 10 August 2016
Line 1:		Line 1:
	{{TOC right}}		{{TOC right}}
	==~~Session fixation~~==		==Truncation attacks, trimming attacks==
	Truncating input can be problematic if the truncation affects comparisons (e.g. checking users against a blacklist before truncation, and then truncating the name to perform the login). SQL queries can be truncated if they exceed a certain length. This can be used to execute a query with significantly different meaning (e.g. cutting of a part of a <code>WHERE</code> clause).		Truncating input can be problematic if the truncation affects comparisons (e.g. checking users against a blacklist before truncation, and then truncating the name to perform the login). SQL queries can be truncated if they exceed a certain length. This can be used to execute a query with significantly different meaning (e.g. cutting of a part of a <code>WHERE</code> clause).
	Strings can also be automatically trimmed (leading/trailing whitespace removed), leading to the same vulnerabilities (e.g. checking the input "<tt>eviluser␣</tt>" against the blacklist, then logging in "<tt>eviluser</tt>"). SQL may do such trimming automatically.		Strings can also be automatically trimmed (leading/trailing whitespace removed), leading to the same vulnerabilities (e.g. checking the input "<tt>eviluser␣</tt>" against the blacklist, then logging in "<tt>eviluser</tt>"). SQL may do such trimming automatically.

Shawndouglas: Created as needed.

2016-08-10T21:14:35Z

Created as needed.

New page

{{TOC right}}
==Session fixation==
Truncating input can be problematic if the truncation affects comparisons (e.g. checking users against a blacklist before truncation, and then truncating the name to perform the login). SQL queries can be truncated if they exceed a certain length. This can be used to execute a query with significantly different meaning (e.g. cutting of a part of a <code>WHERE</code> clause).
Strings can also be automatically trimmed (leading/trailing whitespace removed), leading to the same vulnerabilities (e.g. checking the input "<tt>eviluser␣</tt>" against the blacklist, then logging in "<tt>eviluser</tt>"). SQL may do such trimming automatically.

===To prevent this type of attack===
* Avoid truncating input. Treat overlong input as an error instead.
* If truncation is necessary, ensure to check the value after truncation and use only the truncated value
* Make sure trimming does not occur or checks are done consistently
* Introduce length checks
** care about different lengths due to encoding
* Make sure SQL treats truncated queries as errors by setting an appropriate <tt>SQL MODE</tt>

===Rationale===
Avoiding truncation makes sure no issues can arise. If truncation is applied, performing all necessary checks after the truncation and using only the truncated value is equivalent to receiving the value in truncated condition. The same rules apply for trimming. Length checks prevent unexpected truncation due to length limits. Encoding needs to be taken into account because the byte-lengths and character-lengths of a UTF-8 string may be different. Setting the SQL MODE so that truncation causes errors ensures that truncation cannot be abused to modify queries. However, the resulting errors can still cause queries to fail unexpectedly, which should be handled in a secure manner.

==Notes==
The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Truncation_attacks,_trimming_attacks the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.