Search for real web service security violation stories

I'm a full-time software developer, but on the side I teach a university course in web services. Now I'm turning to security, and I was wondering if any of you have security breaches that you could talk about (details hidden as needed) that I could share with my students. Real-life stories are much more meaningful than scripts ...

+4
3 answers

Here is a story from me:

I was once a customer of an online audiobook store. Besides authenticating myself with a username and password, I also needed my browser to accept cookies. It was unusual. A cookie is probably needed to store the session ID.

But I got confused, as the session identifier was also passed in the URL, and I did not see why there was any need for cookies. So I looked into the cookie jar to find out what important information was being stored in cookies.

In addition to the cookie for the session identifier, there was another cookie with the name customer_id, which was obviously meant to identify me by my customer number. I thought, "C'mon, no one can be so stupid!" For fun, I changed the value by changing one digit of the number (e.g. from 12345 to 12346) to find out what would happen.

Now guess what: I was signed in as a different user without any additional authentication request, just by changing the cookie! The customer_id cookie value was clearly used not only for identification (who am I?), but for authentication (am I really the one I claim to be?)!

The moral of this story: Always separate identity from authentication.

+4
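The failure described in this answer, and the separation of identity from authentication it recommends, as an added Python example that is not part of the original post. The customer ids, usernames and passwords are constructed sample data; the vulnerable handler trusts a client-supplied customer_id cookie, the hardened handler resolves the caller from a server-side session store keyed by an unguessable session id, and a signed-cookie helper shows how to detect tampering if an identifier really must be stored client-side.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example; no real shop or customer is involved.
CUSTOMERS = {12345: "alice", 12346: "bob"}          # customer_id -> username
PASSWORDS = {"alice": "alice-pw", "bob": "bob-pw"}  # plaintext only to keep the example short

# Server-side session store: opaque, random session id -> customer_id.
SESSIONS = {}

# Per-deployment secret for signed cookies; generated at start-up for this example.
SECRET_KEY = secrets.token_bytes(32)


def _authenticate(username, password):
    """Return the customer_id when the credentials match, else None."""
    if PASSWORDS.get(username) != password:   # a real service compares password hashes
        return None
    for cid, name in CUSTOMERS.items():
        if name == username:
            return cid
    return None


# --- The shop as described in the answer: identification doubles as authentication

def vulnerable_login(username, password):
    """Issues a session cookie AND a plain customer_id cookie."""
    cid = _authenticate(username, password)
    if cid is None:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = cid
    return {"session_id": sid, "customer_id": str(cid)}


def vulnerable_current_user(cookies):
    """Trusts whatever customer_id the client sends back; editing one digit switches users."""
    try:
        cid = int(cookies.get("customer_id", ""))
    except ValueError:
        return None
    return CUSTOMERS.get(cid)


# --- Hardened version: identity comes from server-side state, never from the client

def hardened_login(username, password):
    """Issues only an unguessable session id; the customer_id stays on the server."""
    cid = _authenticate(username, password)
    if cid is None:
        return None
    sid = secrets.token_urlsafe(32)          # 256 bits of randomness, not an incrementing number
    SESSIONS[sid] = cid
    return {"session_id": sid}


def hardened_current_user(cookies):
    """Looks the caller up by session id; any extra client-supplied cookie is ignored."""
    cid = SESSIONS.get(cookies.get("session_id", ""))
    return CUSTOMERS.get(cid)


# --- If an identifier really must live in a cookie, sign it so tampering is detected

def sign_customer_id(cid):
    """Returns 'cid.hexmac'; the MAC binds the value to SECRET_KEY."""
    value = str(cid)
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_customer_id(cookie_value):
    """Returns the customer_id only if the MAC matches; None for edited or malformed values."""
    value, sep, mac = cookie_value.rpartition(".")
    if not sep or not value.isdigit():
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    return int(value)


if __name__ == "__main__":
    weak = vulnerable_login("alice", "alice-pw")
    print("vulnerable, edited cookie ->", vulnerable_current_user(dict(weak, customer_id="12346")))
    strong = hardened_login("alice", "alice-pw")
    print("hardened, edited cookie   ->", hardened_current_user(dict(strong, customer_id="12346")))
```

In the vulnerable path the same one-digit edit from the story logs the caller in as the other customer; in the hardened path the edited cookie is simply ignored, and a forged session id resolves to nobody because the real ids are random rather than sequential. The signed-cookie helper is the fallback for designs that want the id client-side: the value is still readable, but any change invalidates the MAC.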

Perhaps this is not what you had in mind, since there was no compromise of information, but it is still a web security issue.

http://www.crime-research.org/library/grcdos.pdf

This is a classic story of how Internet guru Steve Gibson's website was attacked by a botnet. It is a very interesting story and will undoubtedly keep the class busy. I know that this story got me interested in web security.

I could not find the original post of this PDF on Steve Gibson's website (grc.com), but I had a copy on my computer and was able to find it at the location above.

I also recommend going to grc.com and listening to the "Security Now!" podcasts:

http://www.grc.com/securitynow.htm

You will almost certainly hear some stories in some of these podcasts.

Hope this helps!

+1

The European Identity Conference (EIC 2009) in Munich will present a case study on SOA security that will contain the information you are looking for.

+1
