top of page

Direct Objects!


I have been spending most of my (relatively) free time working on PHP (https://www.til-technology.com/post/it-s-been-a-long-time), and just found a direct object reference vulnerability!


A direct object is the person or thing in a sentence on which an action is performed. Not what I’m talking about, but I did find something I found quite entertaining when I did a search on “direct object”. I found an article (https://www.grammar.com/direct_object) which started off with “The language English is considered one of the easiest languages that exist.”


And it just got better after that. It could be a troll, but I doubt it. I think it’s most likely someone who is not a native English speaker and overestimates their proficiency with the language (http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect).


(Note for pedants, since I am commenting on the English language: I have been struggling with the inherent biases of the English language for many years, and generally used the phrase “his or her”. More recently, however, I have taken to using “their” as a non-gendered third-person singular pronoun. I find it somewhat inelegant, but preferable to the alternatives I have seen so far.)

Back to programming, though. While I was working on how to edit records, I started with a link to the “edit” page, and passed the id of the record. This works, of course, but results in “id=1” in the URL, which is a classic “Insecure Direct Object Reference” vulnerability. (https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html)

While I am “only” working on this code as a learning exercise, and have no expectation of ever making it broadly available, I was rather pleased with myself that I almost immediately recognized the issue and replaced the process with a different approach. In this case, I used POST rather than GET, with the assumption that I would NEVER make this tool available without HTTPS / TLS in any case. (With apologies to any non-coders.)

I was actually about to summarize the reasons for using HTTPS when I suddenly remembered that I had already done so – please see my post on Cryptography (https://www.til-technology.com/post/infosec-basics-what-is-cryptography) for why HTTPS should be used everywhere, even for “unimportant” or “public” information.

Getting back to development work, I am again quite happy with what I am learning from my adventures with PHP, but I think I’m approaching a decision-point. While I’m coding, I sometimes find it easy to forget that my goal is not to “become a coder again”, but rather to improve my understanding of web development.

Also, I am becoming increasingly aware of the fact that I have been using PHP in a “procedural” way, as I would have done if I had been coding many years ago. This has been extremely useful, since it helped me “bridge the gap” and remember what it means to code, but is not really reflective of many current practices, which are based on object-oriented approaches.


Should I continue building my prototype in (procedural) PHP? Or would it be better to start fresh using object-oriented PHP? Or maybe start again with a different language, such as Python (http://en.wikipedia.org/wiki/Python_%28programming_language%29) or Rust (http://en.wikipedia.org/wiki/Rust_%28programming_language%29)? I will need to think about this question over the next little while.

Another thing I’ve been considering as a possibly-useful learning opportunity is to build my app, then run a penetration test on it (https://www.til-technology.com/post/infosec-basics-pen-test). I think this could be a very useful exercise, from both the development and security perspectives. As always, the big issue is time, particularly as I want to continue posting weekly – I was trying to build up a backlog of posts, but I find myself spending time on other work (like coding), and have fallen behind for the moment.


I’ve also been thinking quite a lot about something I once heard: “Programming is an art-form that fights back.” I have been experiencing again the aggravation of poring over code again and again, before finally noticing the missing single-quote, or missing semi-colon, or similar “trivial” issue that can cause such strong emotions in a developer. Sigh.

The next few posts may be relatively brief, but I think I’m building up a good list of ideas for future posts and content. I guess we’ll see! Just keep swimming!

Cheers!

Comentários


bottom of page