[WEB SECURITY] The Möbius Defense, the end of Defense in Depth

Pete Herzog lists at isecom.org
Wed Jul 8 19:10:37 EDT 2009

Hi Walt,

> But you are making a logical but bad assumption on the part of the
> relationship between the web application and the database.  If the
> developers have done their job right, and it is our job to make
> certain of that, then the web application only shows the data that is
> owned by the account in question, and any sql injection attacks will
> fail because of the following defenses:

There was no assumption. It was a theoretical scenario outlined with 
Playmobile and wooden blocks. The question was about controls and DiD. 
  If I understand correctly, you are now including additional controls 
into this toy story to make a completely different point, one of 
responsible design, which you are saying proves that DiD works. If I 
had known this would be about making up more controls to put into the 
theoretical scenario then I could also make up a theoretical attack 
which could also break those controls, no?

> WAF - which really is good at detecting and preventing that sort of thing
> Web application input validation -  there are a variety of frameworks
> which will prevent injection attacks
> Database only executing predefined queries through stored procedures
> on behalf of the specific credentialed user, returning only those
> records owned by the user in question.

Okay, very good. Yes. All good things that the database would do if 
properly and securely set up. Furthermore it would also be designed to 
not field queries to other IPs or servers and the processes could be 
jailed and we could build a Faraday cage around it all. Yes, I could 
start listing many more controls which would have dragged a 5 minute 
example in a presentation on for hours and confuse the people for whom 
it was made simple for. I used a simple example to show a simpler 
pretext that the interaction was with the DB and not with layers of 
network equipment. The point was about DiD and how modern networks 
have no perimeter.

> Any half way decent web application will have those components.
> Claiming that the only defense of the database is encryption is
> ignoring stored procedures and a properly defined data architecture
> where data is owned by database accounts and the web application
> doesn't authenticate into the database so much as allow the
> authenticated user controlled access to their data within the
> application.

So if there is any half way decent web application then we can presume 
also that there are also any less than half way decent web 
applications? So the scenario you now agree is not altogether 
impossible but just missing the particular controls you would have 
liked to see. Let me also then presume, based on historical evidence, 
that it's not impossible that privilege escalation could perhaps 
occur. Now I didn't go into all that because of time and really it 
wasn't my point to make this specifically about controls for web 
applications. I think the presentation showed, for simplicity 
purposes, that the web server did not authenticate to the DB server 
which was part of the problem. I seriously doubt I am the only person 
who has ever seen such a scenario. But if I am, please, allow me to 
again reiterate it was a simple scenario to prove a point which was 
NOT about controls for safer web application operation.

> It is not even necessary for the defined accounts to be accounts
> within the database, but LDAP accounts will work just fine if the data
> models and application is built properly.

Okay. But adding an LDAP server would have required additional colored 
blocks which I did not have. Unfortunately my wooden block collection 
is very limited :)

> DiD works, but it requires that no component of the application is
> ever considered trusted.  Your strawman presumes a trust relationship
> which should never exist in a well designed web application.

I never put up any strawman, logically or otherwise, because the 
graphics were not to prove that attacks work but rather how modern 
networks move information to specific interactive points thereby 
forcing systems thought to be layered to the perimeter. The fact that 
anyone would think I had is admittance to misunderstanding the whole 
premise of the presentation. That I used a trust relationship in one 
example is not heresy because it, unfortunately, has existed and 
probably still perpetuates in some networks some places. I also don't 
see how removing the trust relationship from the scenario changes any 
of the facts I presented as to why DiD doesn't work in a networking 

Listen, we're not trying to offend anyone with our research. We just 
want to know why things work and why they don't work. If our research 
makes improvements into how people work with or even think about 
security then it's a very good thing. For the members of this list, if 
this helps your customers to think about assuring their web 
applications have controls for their interactive points then that's a 
very good thing too. We need to have the courage to change the things 
we cannot accept.


Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list