Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine
 
PerlMonks  

comment on

( [id://3333]=superdoc: print w/replies, xml ) Need Help??
The reason to remove fatalsToBrowser is that you know something about security and you are not an idiot. Let me be clear. I am not saying that you are an idiot. I am saying that you have something basic to learn about security. Please learn it from my post and then stop giving dangerously bad advice.

The purpose of fatalsToBrowser is to provide useful debugging information in the browser. This speeds up development. However it means that if someone finds "unexpected behaviour" in your application, they can use your debugging information to get insight into how your application works, and then use that to fine-tune an attack.

For a common example, suppose that you interface with a database. And, as happens depressingly often, you don't quote a field that shows up in an SQL query. You now suffer from the possibility of an SQL injection attack - someone can enter in anything they want and have it become part of your SQL. If they can figure out the right thing, they can get "interesting results". (Such as downloading your credit card data. Or taking over your database server.)

Now obviously this is much easier if they can find out something about the structure of the query that they are breaking. And something about your database. Which is far, far easier if you provide useful debugging information in the browser. See, for instance, http://www.sensepost.com/misc/SQLinsertion.htm (or many other pages on SQL injection at Google) for how an attacker can use debugging information to keep on escalating an attack until they can get anything they want from your database.

Not publically providing debugging information doesn't fix the bug, but it does make it a lot harder to exploit. It often makes the difference between a minor intrusion and a serious problem.

So how do you do this with minimal impact on your ability to debug? The answer is simple. You make fatalsToBrowser be something that is readily flipped in your code. Preferably either in a configuration variable that differs between production and development, or as something that your standard build process does. That way you get all of the benefits while developing or whenever you need it in production, but without making an attacker's life any easier than it has to be.


In reply to Re: Forgetting your good education by Anonymous Monk
in thread Writing a perl quiz. Need advice. by DigitalKitty

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others admiring the Monastery: (5)
As of 2024-03-28 20:34 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found