7. Exploits of a Mom
// query
INSERT INTO Students VALUES ( '$Name' )
// input
Robert'); DROP TABLE Students; --
// result
INSERT INTO Students VALUES ( 'Robert'
); DROP TABLE Students; --' )
source: https://xkcd.com/327
WWW.DESIGNVELOPER.COM
8. SQL Injection - One more example
// query
SELECT * FROM users
WHERE username='peter'
AND (password= ('$PWD'))
// input
' OR '1'='1'
// result
SELECT * FROM users
WHERE username='peter' AND
(password='' OR '1'='1')
14. CHECK to the rescue
https://atmospherejs.com/meteor/check
Check whether a value matches a pattern
$ meteor add check
check(slug, String);
ERROR: Expected String, got Object
This topic requires a little familiarity with Meteor & MongoDB.
First of all: please don't get me wrong! I am not saying that Meteor apps are insecure. Meteor itself does have a package called INSECURE, but that's a different story, right?
In fact, Meteor is quite good at handling security if we developers pay enough attention to it.
In the world of SQL, queries use STRINGs as the control mechanism.
So SQL INJECTION is the technique attackers use to take advantage of this mechanism.
What does that mean? Well, let's get to the examples!
Classic example of SQL Injection
To summarize this example: a mom is sending her son to a new school. Of course he has to be registered in the school's computer system, right?
So the query to do that is INSERT INTO ...
What if the son has a weird name like Robert quote close parenthesis ...
So in the result, a DROP TABLE Students query comes along, which will remove the whole Students table and its data.
Let's say the query to get one user's data with username='peter' is this: SELECT * FROM ... and the password is the input.
What if the input for password is: ' OR '1'='1
We get the result query here, which will always succeed because the condition (password='' OR '1'='1') is always true!
So this way, the attacker can get any arbitrary user's data, given the username.
That's basically how SQL Injection works.
In NoSQL, queries use OBJECTs instead of STRINGs as the control mechanism, and NOSQL INJECTION takes advantage of that.
What does that mean? Let's dive into the demo.
- Here's the good news: in contrast with the problems, the solutions are quite easy.
The solution is simple: we have to MAKE ASSERTIONS ON USER INPUT DATA.
You know that Meteor uses DDP (Distributed Transfer Protocol), which can transfer many types of data: String, Number, Array, Object ...
If we know exactly what data the user passed in, we can deal with it safely.
But how can we know exactly what data the user passed in?
- In the scope of Meteor, there's a useful package called CHECK.
- We are going to use this check package in every method / publication function that needs to validate user input.
There are cases where you have so many methods & publication functions that you don't know whether they're CHECKED or not.
Well, we also have a package called check-checker here, which helps ... and returns a warning if there's an unchecked method.
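The "objects as the control mechanism" point and the check() fix, as an added example that is not part of the original talk or of Meteor's own code: a small stand-in for check() and an in-memory selector matcher (constructed here, not the real check package or MongoDB) show how an object supplied where a password string was expected changes the query, and how asserting the type first stops it.

```javascript
// Added example (not the page's or Meteor's own code): a stand-in for
// check() and an in-memory selector matcher that mimics how a Mongo-style
// query treats an operator object. Not the real package or database.

// Minimal check(): only the String and Object patterns used below.
function check(value, pattern) {
  const ok =
    pattern === String ? typeof value === 'string'
    : pattern === Object ? (value !== null && typeof value === 'object')
    : false;
  if (!ok) {
    const got = value === null ? 'null'
      : typeof value === 'object' ? 'Object' : typeof value;
    throw new Error(`Match error: Expected ${pattern.name}, got ${got}`);
  }
}

// Constructed sample data standing in for the users collection.
const users = [
  { username: 'peter', password: 'hunter2' },
  { username: 'alice', password: 'letmein' },
];

// Toy selector evaluation: a plain value means equality, but an object
// with $-keys is read as an operator, just as a Mongo selector would.
function fieldMatches(actual, expected) {
  if (expected !== null && typeof expected === 'object') {
    if ('$ne' in expected) return actual !== expected.$ne;
    if ('$gt' in expected) return actual > expected.$gt;
    return false;
  }
  return actual === expected;
}

function findOne(selector) {
  return users.find(doc =>
    Object.keys(selector).every(k => fieldMatches(doc[k], selector[k]))) || null;
}

// Vulnerable: the DDP arguments go straight into the selector, so an
// object in place of the password string changes the query's meaning.
function loginUnchecked(username, password) {
  return findOne({ username, password });
}

// Hardened: assert the types first; an object never reaches the selector.
function loginChecked(username, password) {
  check(username, String);
  check(password, String);
  return findOne({ username, password });
}
```

With a real string the two functions behave identically; only the unchecked one matches a document when the password is an object.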
So that's it! I hope my presentation gives you a better look at the security perspective so that you can make a BETTER and SAFER app.