Recently we have been witnessing a trend of old vulnerabilities making a comeback. Some examples are the old TRACE XSS trick reappearing in many web applications, HTTP verb tampering exploits in the major web platforms and, of course, the recent SQL injection attacks that recycle a well known (but deadly) injection technique.
I see many replies to posts about those "oldies" that dismiss their importance and generally regard them as another (lame) way for the authors to get some spotlight. However, I believe that reappearing vulnerabilities should receive careful attention, since they might indicate some inherent security misconception that, if not attended to, will reappear time and again through different exploits. Actually, vulnerability comebacks can be our chance to test ourselves and make sure we really cured the disease and did not simply make its symptoms disappear.
For example, we can learn much from the verb tampering vulnerabilities that were reported in webappsec. This example illustrates the risk of relying solely on a black list approach to secure a web application. Generally, if one bases his web application security on black list rules, he is left unprotected from those attacks he just did not think about. In the verb tampering context, if one configures his server to authenticate GET requests to admin pages, it does not mean that the server will do the same for HEAD requests to the same pages. This, of course, reopens the everlasting debate between the black list supporters and the white list supporters (personally I believe that neither one can work without the other). Nevertheless, this comeback could be an alarm call for us, indicating that the problem IS NOT solved and that we must reopen this debate and reevaluate our stand.
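To make the GET/HEAD point concrete, here is an added example (not code from the original post) contrasting the two authorization styles in a toy request dispatcher. The `/admin` path, the token store and the request objects are all constructed for the illustration; the handler follows the common framework habit of serving a HEAD request exactly like a GET, which is what turns a method-keyed rule into a bypass. The black list policy mirrors an Apache-style `<Limit GET POST>` block (only the listed verbs are challenged), while the white list policy denies by default, the way `<LimitExcept>` or a per-path rule does.

```python
"""Added example: method black list vs deny-by-default white list on an admin path.
All names, paths and tokens below are constructed for the illustration."""

from dataclasses import dataclass
from typing import Callable, Optional, Tuple

ADMIN_PREFIX = "/admin"            # hypothetical protected area
VALID_TOKENS = {"s3cr3t-admin"}    # constructed credential store
SUPPORTED_METHODS = {"GET", "POST"}  # verbs the admin area actually implements


@dataclass
class Request:
    method: str
    path: str
    auth_token: Optional[str] = None


def is_authenticated(req: Request) -> bool:
    return req.auth_token in VALID_TOKENS


def blacklist_policy(req: Request) -> int:
    """Only the verbs the administrator thought of are challenged.
    Anything else (HEAD, PUT, DELETE, FOO ...) falls through unauthenticated."""
    if req.path.startswith(ADMIN_PREFIX) and req.method in SUPPORTED_METHODS:
        return 200 if is_authenticated(req) else 401
    return 200


def whitelist_policy(req: Request) -> int:
    """Deny by default: every request to the admin area is authenticated,
    and verbs the area does not implement are rejected rather than served."""
    if req.path.startswith(ADMIN_PREFIX):
        if req.method not in SUPPORTED_METHODS:
            return 405
        return 200 if is_authenticated(req) else 401
    return 200


def admin_handler(req: Request) -> str:
    """Constructed handler that, like many frameworks, treats HEAD as GET."""
    return "admin page" if req.method in {"GET", "HEAD"} else "updated"


def serve(policy: Callable[[Request], int], req: Request) -> Tuple[int, str]:
    """Run the chosen policy, then the handler; returns (status, body)."""
    status = policy(req)
    if status != 200:
        return status, ""
    if req.path.startswith(ADMIN_PREFIX):
        return 200, admin_handler(req)
    return 200, "public"


def compare_policies(req: Request) -> Tuple[int, int]:
    """Status the same request receives under each policy."""
    return serve(blacklist_policy, req)[0], serve(whitelist_policy, req)[0]


if __name__ == "__main__":
    probe = Request("HEAD", "/admin/users")  # no credentials at all
    print("GET  /admin/users (no token):", compare_policies(Request("GET", "/admin/users")))
    print("HEAD /admin/users (no token):", compare_policies(probe))
    print("body served under black list:", serve(blacklist_policy, probe)[1])
```

Running it shows the black list policy answering the unauthenticated HEAD with 200 and the full admin page body, while the white list policy answers 405; adding a second verb to the black list does not help, since the next unlisted verb gets the same free pass. The defensive check to carry into a real configuration is simply: is there any method that reaches this handler without passing the authentication rule?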
Bottom line: pay respect to the elderly. You never know when they will be back to kick your *ss.
- Eldad