Security Vulnerability: Unbounded Sizes

If the size of the client data is unbounded and unchecked, attackers can send as much data as they want. This becomes a security issue if an as-yet-unknown buffer overrun exists in the database code that runs when the SQL query is invoked, because the oversized input reaches that code untouched. On closer examination, an attacker can easily bypass the maximum username and password sizes imposed by the client HTML form shown earlier, which restricts both fields to 32 characters, simply by not using the form at all. Instead, attackers write their own client code in, for example, Perl, or just type the HTTP request into a Telnet client.

The following is such an example: a Perl script that sends a well-formed form POST to Logon.asp, exactly as a browser would, but sets both the password and username fields to 32,000 letter "A"s.

use strict;
use warnings;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;

my $ua = LWP::UserAgent->new();
# Same field names the HTML form uses, but 32,000 bytes each instead of 32
my $req = POST 'http://www.northwindtraders.com/Logon.asp',
         [ pwd => 'A' x 32000,
           name => 'A' x 32000,
         ];
my $res = $ua->request($req);
print $res->status_line, "\n";

Do not rely on client-side HTML checks for security, in this case by assuming that the username and password are at most 32 characters long because the form says so. An attacker can always bypass such controls by bypassing the client altogether. The length limits must be enforced again on the server, before the data reaches the database code.
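The server-side counterpart of the check above, as an added example that is not code from the original page or from Logon.asp (which is ASP; this reimplements the idea in Python so it can be run offline). It bounds the whole POST body by Content-Length before buffering it, then enforces the 32-character limit on each field, and only then would it reach the database. The names handle_logon, read_body, validate_logon_fields, make_environ, MAX_BODY_BYTES and MAX_FIELD_LEN are assumptions for illustration; the sample requests are constructed inline and mimic the Perl POST in the text.

```python
import io
from urllib.parse import parse_qs, urlencode

# Assumed limits for this example: the same 32-character field limit the HTML
# form only pretends to enforce, plus a hard cap on the entire POST body.
MAX_FIELD_LEN = 32
MAX_BODY_BYTES = 4 * 1024
REQUIRED_FIELDS = ("name", "pwd")


class RequestRejected(Exception):
    """Raised before any database code is reached."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status
        self.reason = reason


def read_body(environ):
    """Return the POST body, refusing it before buffering if Content-Length
    is absent, malformed, or over the cap."""
    try:
        length = int(environ.get("CONTENT_LENGTH", ""))
    except ValueError:
        raise RequestRejected("411 Length Required", "missing or malformed Content-Length")
    if length < 0 or length > MAX_BODY_BYTES:
        raise RequestRejected("413 Payload Too Large", "body exceeds %d bytes" % MAX_BODY_BYTES)
    # read(length) never buffers more than the cap, even if the client lies
    body = environ["wsgi.input"].read(length)
    if len(body) != length:
        raise RequestRejected("400 Bad Request", "body shorter than Content-Length")
    return body


def validate_logon_fields(body):
    """Parse the urlencoded form and enforce the per-field limit on the server."""
    try:
        fields = parse_qs(body.decode("ascii"), keep_blank_values=True, max_num_fields=8)
    except (UnicodeDecodeError, ValueError):
        raise RequestRejected("400 Bad Request", "malformed form body")
    result = {}
    for key in REQUIRED_FIELDS:
        values = fields.get(key)
        if values is None or len(values) != 1:
            raise RequestRejected("400 Bad Request", "field %r missing or repeated" % key)
        if len(values[0]) > MAX_FIELD_LEN:
            raise RequestRejected("400 Bad Request",
                                  "field %r longer than %d characters" % (key, MAX_FIELD_LEN))
        result[key] = values[0]
    return result


def handle_logon(environ):
    """Minimal WSGI-style handler: validate first, only then touch the database.
    Returns (HTTP status, reason) so the outcome can be checked."""
    try:
        fields = validate_logon_fields(read_body(environ))
    except RequestRejected as e:
        return e.status, e.reason
    # Placeholder for the parameterised SQL lookup; never reached with oversize input.
    return "200 OK", "validated logon for %s" % fields["name"]


def make_environ(form):
    """Build a constructed WSGI environ carrying the same POST the Perl client sends."""
    body = urlencode(form).encode("ascii")
    return {
        "REQUEST_METHOD": "POST",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }


if __name__ == "__main__":
    # Constructed requests: the 32,000-byte attack, a field one byte over, and a normal logon.
    for form in ({"pwd": "A" * 32000, "name": "A" * 32000},
                 {"pwd": "A" * 33, "name": "bob"},
                 {"pwd": "s3cret", "name": "bob"}):
        print(handle_logon(make_environ(form)))
```

The order of the checks matters: the body cap is applied to the Content-Length header before a single byte is buffered, so the 32,000-byte fields are refused without ever being read, and a request that lies about its length is caught by comparing what was actually read against the header. Only input that has passed both checks is handed to the code that builds the query.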

Copyright © 2005 Microsoft Corporation.
All rights reserved.