Bug Vanquisher

18 September 2007

Which came first, the phoenix or the flame?

Filed under: Dev inside! — Tanveer Badar @ 10:50 AM

One thing I was thinking about last week: do we test our applications against configuration mishaps, as I frequently do during my wanderings in QAland?

I mean, do we verify that the configuration values we read from app.config/web.config are indeed sane enough to work for us? What if a critical part goes missing from the configuration file: should the application crash? What if someone intentionally rewrites some or all of the values? They are one source of input to the application, aren’t they?

Just consider the sorts of attacks which can happen with this data store.

Quoting an example from the code I wrote last week,

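// Requires: using System; using System.Configuration; using System.Threading;
AppSettingsReader ConfigReader = new AppSettingsReader();
int a = 0 , b = 0;
// Fall back to a built-in default when a key is missing or is not a valid integer.
try {
a = Math.Abs( int.Parse( ConfigReader.GetValue( "num1" , typeof( int ) ).ToString( ) ) ); }
catch { a = 3; }
try {
b = Math.Abs( int.Parse( ConfigReader.GetValue( "num2" , typeof( int ) ).ToString( ) ) ); }
catch { b = 10; }
// Order the two values so that Random.Next never receives min > max.
int mintimeout = Math.Min( a , b );
int maxtimeout = Math.Max( a , b );
// Values are in seconds; there is no upper bound on the sleep interval.
Thread.Sleep( ( new Random( ) ).Next( mintimeout * 1000 , maxtimeout * 1000 ) );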

Notice how I handle the problem of a key missing from the <appSettings> section. Also, consider the sanity check that mintimeout must really be <= maxtimeout, because Random.Next throws an exception otherwise. Both values are in seconds. I, however, do not limit the sleep interval, so anyone could easily come along and set <add key="num1" value="86400"/> and <add key="num2" value="86400"/> to unleash disaster.
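One way to close the unbounded-interval gap described above, as an added example that is not the code from the original post: each setting is parsed without exceptions, checked against limits compiled into the binary, and replaced by the embedded default (with a log line) when it is missing, malformed or out of range. The names TimeoutConfig, ReadSeconds, FloorSeconds and CeilingSeconds and the 1 to 60 second limits are assumptions; the settings are passed in as a NameValueCollection, the type ConfigurationManager.AppSettings returns, so the constructed samples run without a config file.

```csharp
using System;
using System.Collections.Specialized;

static class TimeoutConfig
{
    // Assumed policy limits (not from the original post). They live in code,
    // so editing web.config cannot raise them.
    const int FloorSeconds = 1;
    const int CeilingSeconds = 60;

    // Returns the setting in seconds, or the embedded default when the key is
    // missing, not an integer, negative, or outside the compiled-in limits.
    static int ReadSeconds(NameValueCollection settings, string key, int fallback)
    {
        int value;
        bool ok = int.TryParse(settings[key], out value)   // a null (missing) value fails to parse
                  && value >= FloorSeconds && value <= CeilingSeconds;
        if (!ok)
        {
            // Record the rejection so a tampered or broken file is noticed.
            Console.Error.WriteLine("config: '{0}'='{1}' rejected, using default {2}s",
                                    key, settings[key] ?? "<missing>", fallback);
            return fallback;
        }
        return value;
    }

    // Returns (min, max) in seconds: always ordered, always within the limits.
    public static Tuple<int, int> Read(NameValueCollection settings)
    {
        int a = ReadSeconds(settings, "num1", 3);
        int b = ReadSeconds(settings, "num2", 10);
        return Tuple.Create(Math.Min(a, b), Math.Max(a, b));
    }

    static void Main()
    {
        // Constructed sample inputs standing in for ConfigurationManager.AppSettings.
        var tampered = new NameValueCollection { { "num1", "86400" }, { "num2", "86400" } };
        var missing  = new NameValueCollection { { "num1", "7" } };
        var swapped  = new NameValueCollection { { "num1", "20" }, { "num2", "5" } };

        foreach (var sample in new[] { tampered, missing, swapped })
        {
            Tuple<int, int> t = Read(sample);
            Console.WriteLine("min={0}s max={1}s", t.Item1, t.Item2);
        }
    }
}
```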

Having confessed these concerns to some very knowledgeable friends, I got one reply immediately. “Set permissions on web.config so that only a valid user can ‘modify’ it and IIS (and rest of the world maybe) can ‘read’ it. And… use properties!”

Yes, that is the best solution. In... the ideal world!

But my question was more like this: my example demonstrates that the code has a default configuration embedded, which cannot be moved out to an external store because of the problem already faced with the original source. Isn’t it a chicken and egg problem?

And not many developers are even aware of securing their applications, let alone the users. Everyone at my company (and 95% of employees are developers, well educated too) logs in using administrative accounts; only I take the trouble of ‘run as’ 100 times a day for the LOB applications we use. So how can we expect anyone to recognize the symptoms in the first place, let alone cure the disease?

1 Comment »

  1. […] Configuration data: This can happen anytime. Don’t tell me you don’t keep a default copy of your required, must-have, 24/7 available, configuration […]

    Pingback by Moving the Ground from Underneath Your Feet « Bug Vanquisher — 24 May 2008 @ 7:09 PM
