Difference between revisions of "LII:Web Application Security Guide/Truncation attacks, trimming attacks"
Shawndouglas (talk | contribs) m (→Session fixation: Title) |
Shawndouglas (talk | contribs) m (Added further reading) |
||
Line 6: | Line 6: | ||
===To prevent this type of attack=== | ===To prevent this type of attack=== | ||
* Avoid truncating input. Treat overlong input as an error instead. | * Avoid truncating input. Treat overlong input as an error instead. | ||
* If truncation is necessary, ensure to check the value after truncation and use only the truncated value | * If truncation is necessary, ensure to check the value after truncation and use only the truncated value. | ||
* Make sure trimming does not occur or checks are done consistently | * Make sure trimming does not occur or checks are done consistently. | ||
* Introduce length checks | * Introduce length checks. | ||
** | ** Care about different lengths due to encoding. | ||
* Make sure SQL treats truncated queries as errors by setting an appropriate <tt>SQL MODE</tt> | * Make sure SQL treats truncated queries as errors by setting an appropriate <tt>SQL MODE</tt>. | ||
===Rationale=== | ===Rationale=== | ||
Avoiding truncation makes sure no issues can arise. If truncation is applied, performing all necessary checks after the truncation and using only the truncated value is equivalent to receiving the value in truncated condition. The same rules apply for trimming. Length checks prevent unexpected truncation due to length limits. Encoding needs to be taken into account because the byte-lengths and character-lengths of a UTF-8 string may be different. Setting the SQL MODE so that truncation causes errors ensures that truncation cannot be abused to modify queries. However, the resulting errors can still cause queries to fail unexpectedly, which should be handled in a secure manner. | Avoiding truncation makes sure no issues can arise. If truncation is applied, performing all necessary checks after the truncation and using only the truncated value is equivalent to receiving the value in truncated condition. The same rules apply for trimming. Length checks prevent unexpected truncation due to length limits. Encoding needs to be taken into account because the byte-lengths and character-lengths of a UTF-8 string may be different. Setting the SQL MODE so that truncation causes errors ensures that truncation cannot be abused to modify queries. However, the resulting errors can still cause queries to fail unexpectedly, which should be handled in a secure manner. | ||
==Further reading== | |||
* [[wikipedia:Data truncation|Data truncation]] | |||
==Notes== | ==Notes== | ||
The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Truncation_attacks,_trimming_attacks the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license. | The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Truncation_attacks,_trimming_attacks the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license. |
Latest revision as of 22:42, 10 August 2016
Truncation attacks, trimming attacks
Truncating input can be problematic if the truncation affects comparisons (e.g. checking users against a blacklist before truncation, and then truncating the name to perform the login). SQL queries can be truncated if they exceed a certain length. This can be used to execute a query with significantly different meaning (e.g. cutting of a part of a WHERE
clause).
Strings can also be automatically trimmed (leading/trailing whitespace removed), leading to the same vulnerabilities (e.g. checking the input "eviluser␣" against the blacklist, then logging in "eviluser"). SQL may do such trimming automatically.
To prevent this type of attack
- Avoid truncating input. Treat overlong input as an error instead.
- If truncation is necessary, ensure to check the value after truncation and use only the truncated value.
- Make sure trimming does not occur or checks are done consistently.
- Introduce length checks.
- Care about different lengths due to encoding.
- Make sure SQL treats truncated queries as errors by setting an appropriate SQL MODE.
Rationale
Avoiding truncation makes sure no issues can arise. If truncation is applied, performing all necessary checks after the truncation and using only the truncated value is equivalent to receiving the value in truncated condition. The same rules apply for trimming. Length checks prevent unexpected truncation due to length limits. Encoding needs to be taken into account because the byte-lengths and character-lengths of a UTF-8 string may be different. Setting the SQL MODE so that truncation causes errors ensures that truncation cannot be abused to modify queries. However, the resulting errors can still cause queries to fail unexpectedly, which should be handled in a secure manner.
Further reading
Notes
The original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.