Why you are always told not to trust the user

My last post was about six months ago, so here is one just to remind I am not dead yet.

First lets begin with a short story. Once I found a link posted as someone's Gtalk status (http://ebooks.bits-pilani.ac.in). It is a service that allows you to browse whole collection of books of 24x7books.com. I assume this is yet another service almost no one at the concerned institution would be using. What I found was instead of sanitizing the user input on the server-side, it uses JavaScript to check the input string on client-side. I just do not understand if you are taking the pain to check the input, why not do it correctly. So as you might have guessed correctly, this site is prone to SQL injection attack. I guess the organization does not pay much attention to it so it has not been corrected yet (even after 4 months of reporting it). To check it you just have to disable JavaScript in your browser and use the super-n00b always true statement i.e. just use ' OR '1'='1  as the username and password.] and you can read thousands of books free [have not browsed the site much but I think almost all popular books are available as full versions unlike Google books.] . Certain more things can be done for e.g. using a much more creative query and some trial-and-error over field-names we can get a reset password link for a particular user whose user-id is known using the forgot password feature given.


UPDATE (6 Nov 2011): Seems they have updated their code(or someone dropped the table :P ) so the noob query string would not allow you to login. To view their query string just disable javascript and use ' /-- as the username and leave the password field blank (yet another flaw, showing the user stack trace and codes instead of a useful error page.)
Here is the query string they are using for authentication -

"select *from details where email='" + TxtEmail.Text.Trim() + "' and password='" + TxtPassword.Text.Trim() + "'"
But please do not try anything else (like DROP table :P)

Some xkcd fun :) (http://xkcd.com/327/)

Now the point is sanitizing user input is no rocket science and everyone knows that SQL injection is the MOST commonly exploited vulnerability. If ever there would be a web security 101 course anywhere, it might even feature in its introductory class. Despite this, reports of apps being hacked due to this keeps coming up. I believe the problem is we are never told about these things in the beginning. I remember we had a subject Java & Web Technology where we had to make a web application as our assignment. Most of the people focused on the design and usability [Ok including me] and made a shiny little PHP+MySQL app and nobody bothered to tell us about security and all those stuff.

So, where can you start learning about web security issues ?

1. http://code.google.com/edu/security/index.html  Some great videos here.
2. A course on the same page uses this http://google-gruyere.appspot.com/ A live web application where you have to actually find and exploit vulnerabilities. Very Cool stuff :)
3. http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf  Some text about how to validate input and prevent SQL injection.

....will continue on this topic in later posts.