how could i make "them" understand that security IS important ?

by iza (Monk)
on Sep 10, 2002 at 09:38 UTC ( [id://196595] )

hi everyone :)
i'm wondering ... how do you sensitize people you work with to security issues ? i mean, for us, it seems to be "natural", but i'm having a hard time explaining it to people i work with. Their background is NOT computer science, maybe that explains it.
This leads to totally insane code : just imagine, we have a server that we host, and we dispatch a thin client (to almost anyone). The client i wrote was filtering inputs and was making sure that only the expected parameters were sent to the server. Then i went on vacation. When i was back, they had removed all of those, and said "this is clearer and cleaner this way - the server will warn the client if a parameter is MISSING" ... and i had spent time explaining to them (and sending them a bunch of articles on security issues) that the danger comes from un-filtered params and extra params .... what could i do (apart from quitting this company, which i'm currently doing, but for several other reasons ;]) ?

Replies are listed 'Best First'.
Re: how could i make "them" understand that security IS important ?
by Joost (Canon) on Sep 10, 2002 at 10:37 UTC
    I am sorry to tell you that you AND your colleagues are (probably) not producing secure code here. If there is one rule for server security it's this:

    Never trust the client

    No matter how hard you filter and check the input in your client program, there is in fact no way for you to be sure the client hasn't been compromised. Think for instance about an HTML form with javascript checks on the input. Anyone can turn javascript off, write an alternative form, write an alternative client with LWP etc etc etc. This is (at least theoretically) true for every client program.

    You MUST test the input on the server side if you are going to do any potentially dangerous things with it.

    To answer your question though, the best way to demonstrate a security hole is to demonstrate exploiting it. Gather your coworkers around, enter some invalid data and see the system crash (or worse). Good security is not something that is achieved with only good intentions, it takes real effort and studying to do it right.

    A very good guide to the various problems in this area can be found at the Open Web Application Security Project. Read it and let others read it. At the very least it will give your coworkers some feel for the variety of the problems.

    -- Joost downtime n. The period during which a system is error-free and immune from user input.
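    The "never trust the client" rule in server-side code, as an added example (not Joost's code, and not the code from iza's project): the server keeps its own allow-list of parameters and patterns and rejects a request that carries anything else, whatever the client was supposed to filter. The parameter names and patterns are hypothetical.

```perl
#!/usr/bin/perl
# Added example: server-side parameter validation. The server treats the
# client as untrusted and checks every request itself, rejecting unknown
# parameters as well as malformed values.
use strict;
use warnings;

# Allow-list: the only parameters this endpoint accepts, each with a pattern
# the whole value must match. Names and patterns are hypothetical.
my %SPEC = (
    user_id => qr/\A[0-9]{1,10}\z/,
    action  => qr/\A(?:view|update)\z/,
    comment => qr/\A[\w ,.!?-]{0,200}\z/,
);
my @REQUIRED = qw(user_id action);

# Returns a hashref of checked values, or dies listing every problem found.
sub validate_request {
    my ($params) = @_;    # hashref of name => value as decoded from the request
    my @errors;

    # A parameter the client sent but the server did not ask for is rejected
    # rather than ignored: input nobody reviews is input later code may start
    # using by accident.
    for my $name (sort keys %$params) {
        push @errors, "unexpected parameter '$name'" unless exists $SPEC{$name};
    }
    for my $name (@REQUIRED) {
        push @errors, "missing parameter '$name'" unless defined $params->{$name};
    }

    my %clean;
    for my $name (grep { exists $SPEC{$_} } sort keys %$params) {
        my $value = $params->{$name};
        if (defined $value && $value =~ $SPEC{$name}) {
            $clean{$name} = $value;
        } else {
            push @errors, "malformed value for '$name'";
        }
    }
    die join("; ", @errors) . "\n" if @errors;
    return \%clean;
}

# Constructed sample requests, standing in for decoded client input:
my @requests = (
    { user_id => "42", action => "view" },                 # well-formed
    { user_id => "42", action => "view", debug => "1" },   # extra parameter
    { user_id => "forty-two", action => "update" },        # malformed value
    { action => "view" },                                  # missing parameter
);
for my $req (@requests) {
    my $clean = eval { validate_request($req) };
    if ($clean) {
        print "accepted: ", join(", ", map { "$_=$clean->{$_}" } sort keys %$clean), "\n";
    } else {
        print "rejected: $@";
    }
}
```

    Whether the thin client filters or not makes no difference to this code, which is the point: the client's checks can only improve the user's experience, never the server's safety.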
Re: how could i make "them" understand that security IS important ?
by rinceWind (Monsignor) on Sep 10, 2002 at 11:06 UTC
    I totally second the comments from Joost.

    In terms of getting yourself taken seriously, if you feel that your immediate line manager is not listening, it may be time to get political, and go to his boss with your concerns. At the same time, you need to pitch your argument in business terms - somebody could ruin our site! How much would the legal fees cost us? It is worth laying on the paranoia with a trowel.

    Also, this is one of the rare instances when the auditor is your friend. Suggest an external security audit of the site. By the way, this work can be quite fun - I know of a few Perlmonks who do this kind of work.

    Update:

    It seems that iza is following a piece of advice that I decided not to put in my original reply, and has gone to look for another job. Good on you iza++.

    Your present employers sound like a bad outfit to work for, and will probably go out of business when someone trashes their database, or when their clients sue the pants off them. However, I would advise against doing any damage to their system before you leave - they seem quite capable of doing this for themselves!

    Good luck with the job hunting. And if you find yourself out of work, you could always try freelancing as a security consultant ;-).

Re: how could i make "them" understand that security IS important ?
by Preceptor (Deacon) on Sep 10, 2002 at 11:31 UTC
    A demonstration is usually the way to go. Unfortunately, you also have to be careful, since demonstrating a security breach is usually technically a breach of contract (or worse, since you actually are 'misusing' computer systems).
    I would suggest that you have a quiet word with $BOSS, express your concerns, and ask for permission to prepare a demonstration. That way you don't get shot for crashing the server 'deliberately'.
    Point out to them that once the program leaves your system, you no longer have control over it, and therefore it cannot be trusted. It's essential that your server 'deals with' dodgy input. Some sort of shell escape is usually a 'good' demonstration. (Depends on what your program does, of course.)
    SQL injection I've also found to be scary enough to our DBA to convince him that yes, actually getting rid of semi-colons in input is a good thing (tm).

    --
    It's not pessimism if there is a worse option, it's not paranoia when they are and it's not cynicism when you're right.
      SQL injection I've also found to be scary enough to our DBA to convince him that yes, actually getting rid of semi-colons in input is a good thing (tm).

      On a practical note: the Right Way ™ to cope with inserting data in a database is to use DBI's quote method and placeholders. It will escape the right characters for your driver. Of course you still need to test the data if you have special requirements for it, but my point is that you don't need to watch the SQL specific stuff if you just quote the input.

      -- Joost downtime n. The period during which a system is error-free and immune from user input.
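      The placeholder and quote() approach Joost describes, as an added example (not Joost's code): the same query written by interpolating the value into the SQL text, with a placeholder, and with $dbh->quote, run against an in-memory database so the difference is visible. It assumes DBD::SQLite is installed; the table and names are constructed for the example.

```perl
#!/usr/bin/perl
# Added example: interpolating input into SQL versus DBI placeholders and
# $dbh->quote. Assumes DBD::SQLite; an in-memory database stands in for the
# real server database.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, balance INTEGER)");
$dbh->do("INSERT INTO users (name, balance) VALUES (?, ?)", undef, @$_)
    for (["alice", 100], ["bob", 250]);

# BAD: the caller's value becomes part of the SQL text. A name containing a
# quote breaks the statement, and whatever text the client sends is parsed
# as SQL rather than treated as a value.
sub balance_interpolated {
    my ($name) = @_;
    my $sql = "SELECT balance FROM users WHERE name = '$name'";
    return $dbh->selectrow_array($sql);
}

# GOOD: the value is bound as data. The driver never parses it as SQL, so no
# character in $name needs special treatment and nothing has to be stripped.
sub balance_placeholder {
    my ($name) = @_;
    return $dbh->selectrow_array(
        "SELECT balance FROM users WHERE name = ?", undef, $name);
}

# ACCEPTABLE: $dbh->quote escapes according to the driver's own rules, for the
# rare places a placeholder cannot be used (e.g. building a statement by hand).
sub balance_quoted {
    my ($name) = @_;
    my $sql = "SELECT balance FROM users WHERE name = " . $dbh->quote($name);
    return $dbh->selectrow_array($sql);
}

# Constructed inputs: a plain name and a legitimate name with an apostrophe.
for my $name ("alice", "o'brien") {
    my $interp = eval { balance_interpolated($name) // "no row" } // "SQL error";
    my $place  = balance_placeholder($name) // "no row";
    my $quoted = balance_quoted($name)      // "no row";
    printf "%-8s interpolated=%-10s placeholder=%-7s quote()=%s\n",
        $name, $interp, $place, $quoted;
}
```

      The interpolated query fails on "o'brien" even though nobody is attacking anything, which is the practical argument for placeholders: a value that is bound rather than spliced into the statement can neither break it nor change its meaning.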
      thanks for all your answers. I'm aware of all this, i know a client must NEVER EVER be trusted, but i just don't manage to make my colleagues understand that. I talked to my $BOSS and his head, and the head of his head, i've talked to the dba, i've talked to the sysadmin, i've talked to the other developers, i've given them articles to read, and yet they still think we can trust the client ("hey, OUR clients only send good requests" .... <-- it's so stupid, what could i answer ?! - especially since we have some online products, available to anyone connected to the internet !!!) .... as preceptor points out, i couldn't set up a demonstration as i feared being accused of 'misusing' computer systems ... when i asked for permission to set one up, i've been told that this was "a waste of time" and a "waste of resources" ...
      well, as i'm already quitting this company, i might set up a demo anyway, they can't fire me anymore and maybe they'll realize how dangerous what they deliver can be ... or ... i won't do anything (provided they don't say the crappy code is mine !) and watch it all crash ....
        They can't fire you anymore, true, but as merlyn's case proves, you might find yourself at the wrong end of some serious legal action, however well meant your intentions are.

        I am concerned with security myself, too, a lot, in fact. And I, too, have a hard time selling it to the big shots of my company. Although, contrary to you, I found that even the first hint at immense costs that can be saved helps. (That I save myself a lot of repair work as well doesn't seem to faze them at all... oh well.)

        When your bosses are so non-insightful (is that insightless?) that they won't even agree to a demo, and you're leaving the company anyway, I'd say, let it pass. If nothing happens, they've got more luck than they deserve - not very probable. If something happens, they don't deserve better, it's none of your concern anymore, and they might (!) realise that you were right.


        Note: I am aware that what I'm saying here is bad practice. Evil. I would not normally do this, ever! Even deliberately crashing your system for demonstration purposes sends shivers down my spine. Letting your security slide like this cannot be anything else than the ultimate measure!


        Update: Having submitted this, I realised that this is actually my 50th post. Whoheee! :)

        --cs

        There are nights when the wolves are silent and only the moon howls. - George Carlin

        The other possible outcome of a demonstration is legal action. So be very careful about what you do without permission.

        I think you either misunderstood the point that was being made ("never trust the client") or misstated what happened in your original post. You wrote:

        The client i wrote was filtering inputs and was making sure that only the expected parameters were sent to the server.

        As was stated earlier, you can't rely on the client to filter the inputs, so putting the filtering code back into the client won't solve the problem. The filtering needs to happen on the server. Otherwise, there's nothing to keep someone from writing their own client program to send whatever data to the server.

        Also, the most damaging attack (in my opinion) is not one that destroys or obviously corrupts the data. That type of attack is noticed quickly and the data is soon restored from a backup. The most damaging attack is one that modifies the data in small ways: swapping the address of one company with that of another, randomly modifying balances, randomly creating bogus debits/credits, etc. By the time people notice something is wrong (such as when incorrect bills are sent to the wrong companies), you're faced with spending a huge amount of time fixing it. That means tracking down when the problems began, then either restoring the database from just before that point (which might mean blowing away nearly a month's worth of input) or examining each record to determine what is correct and what is not. Not to mention the hit to the company's reputation if they've sent Company A's bill to Company B.

Re: how could i make "them" understand that security IS important ?
by perrin (Chancellor) on Sep 10, 2002 at 14:46 UTC
    People who have never had their systems attacked have a hard time believing that anyone would do it. You have to see it happen once to understand how bad it can be.

    I would suggest you list for them a bunch of things that any decent hacker could do to them, like replace all the database content with dirty words, steal customer data, crash your systems, make your systems unavailable, send fraudulent communications to your customers that appear to be from your company, use your systems to attack some government web server, etc.

Re: how could i make "them" understand that security IS important ?
by sauoq (Abbot) on Sep 11, 2002 at 00:07 UTC

    I suggest you simply don't get too emotionally involved in whether your employer does things The Right Way™. Believe me, they aren't the only ones that don't.

    The truth is that most companies do not base most of their technical decisions solely on technical merit. For us engineers, that can be hard to stomach because we get left to work with something that we consider inferior. The best way to deal with it is probably just to release yourself from personal involvement in it. Don't tie your happiness to it. Don't get stressed about it.

    Good luck finding another job. I hope that when you do, you won't just find more of the same problems. There's no point in sugar-coating it though; you probably will.

    -sauoq
    "My two cents aren't worth a dime.";
    
Re: how could i make "them" understand that security IS important ?
by bilfurd (Hermit) on Sep 10, 2002 at 20:27 UTC
    A lot of good advice posted already, but do not forget to CYA.

    Leave a paper trail, especially if you are leaving the company. ignatz made a very good point about where the blame will fall if something does happen to the system.

    A disgruntled employee can do a lot of damage...

Re: how could i make "them" understand that security IS important ?
by ignatz (Vicar) on Sep 10, 2002 at 16:22 UTC
    The punchline to the joke is that when things go to s___, you'll be the one they blame.

    When visiting the Looking-Glass, one has to walk backwards to get anywhere.

    UPDATE: Fixed reference

    ()-()
     \"/
      `                                                     
    
Re: how could i make "them" understand that security IS important ?
by Anonymous Monk on Sep 10, 2002 at 23:50 UTC
    The possibility nobody considered - your co-workers might be right. Extra parameters that you never look at and pay attention to are not a security risk. Catching them may be a good development hook, but it isn't a security problem.

    As for filtering, we have only heard your side. I have seen my share of convoluted hand-rolled security filters that didn't work. Yours may. Or it may not. But whether or not it does, I learned a long time ago to never take either person's side in a fight without hearing both sides.

Re: how could i make "them" understand that security IS important ?
by Dog and Pony (Priest) on Sep 11, 2002 at 22:40 UTC
    Well, I wonder... how are the parameters used? Are they passed to the shell or used for SQL queries? Or are the parameters just checked by name to see what they contain, with following actions, and anything leftover not ever used? There is a big difference - although, for total honesty one could argue that this could change later.

    Under perl, -T will get you very far with answering these questions too.

    I have to repeat what others have said here, you can not trust the client, even if it isn't just a browser, but something closed source and compiled. It is not exactly hard (usually) to capture whatever the client is sending and mimic/"enhance" that yourself. If you are worried about extra parameters doing any harm, filter server-side! Always! Anything client-side is just cosmetics. :)

    This also reminded me of this node by merlyn. It is a good laugh about undoubtedly real security flaws. :)


    You have moved into a dark place.
    It is pitch black. You are likely to be eaten by a grue.
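    The -T (taint mode) suggestion in practice, as an added example (not Dog and Pony's code and not from iza's project): a request parameter that ends up as a file name, which is the shell/fopen() case the thread worries about. Under -T, Perl refuses to let data that came from outside the program reach open-for-writing or system until it has been checked through a regex capture. The parameter, the storage directory and the save_note handler are hypothetical; run it as `perl -T save.pl report.txt`.

```perl
#!/usr/bin/perl -T
# Added example: Perl taint mode (-T) guarding a file name taken from a
# request parameter. Under -T, anything read from @ARGV, STDIN, %ENV or a
# socket is tainted; using it in open-for-writing, system, unlink etc. dies
# unless it has first passed through a regex capture. Hypothetical handler.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempdir);

$ENV{PATH} = "/usr/bin:/bin";                 # -T also refuses a tainted PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $STORE = tempdir(CLEANUP => 1);   # stands in for the real upload directory

# Returns an untainted, safe file name or dies. Only a short allow-list of
# characters is accepted, so path separators and shell metacharacters never
# match; the explicit ".." check is belt and braces.
sub untaint_filename {
    my ($raw) = @_;
    die "filename rejected\n"
        unless defined $raw && $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    my $clean = $1;                   # a regex capture is what clears the taint
    die "filename rejected\n" if $clean =~ /\.\./;
    return $clean;
}

# The server-side handler: write the body under the fixed store directory.
sub save_note {
    my ($raw_name, $body) = @_;
    my $name = untaint_filename($raw_name);
    my $path = "$STORE/$name";
    open my $fh, '>', $path or die "open $path: $!\n";
    print {$fh} $body;
    close $fh;
    return $path;
}

# @ARGV is tainted under -T, so it stands in for a request parameter.
# Constructed sample: perl -T save.pl report.txt
my $param = @ARGV ? $ARGV[0] : "report.txt";
printf "parameter tainted: %s\n", tainted($param) ? "yes" : "no";

# Writing with the raw parameter dies with "Insecure dependency in open"
# when the value is tainted; the checked name goes through.
my $unchecked = eval {
    open my $fh, '>', "$STORE/$param" or die "$!\n";
    close $fh;
    "wrote";
};
print "raw parameter:  ", $unchecked // "refused: " . (split /\n/, $@)[0], "\n";

my $path = eval { save_note($param, "hello\n") };
print "validated name: ", $path ? "wrote $path\n" : "rejected: $@";
```

    Taint mode does not decide what is safe; it only forces the programmer to write the check, so the capture pattern is where the actual security lives. A pattern like /(.*)/ would "untaint" anything and defeat the purpose.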
      they ARE used for sql queries, and some can/could be passed to the shell command (fopen() ... !!!) ... and as i said, i'm conscious it's just cosmetics, but it's better than nothing - filtering server side had been removed some time ago ... (and that's something i had coded. Maybe it's not a security problem, maybe they just remove everything i code ... why did they pay me then ? damn i'm getting totally paranoid now ! ;]])
Re: how could i make "them" understand that security IS important ?
by neilwatson (Priest) on Sep 11, 2002 at 14:43 UTC
    I find myself in similar situations from time to time. In the end all you can do is state your case as clearly as possible. Outline the consequences clearly. Ultimately, it is the Boss's decision. If he/she decides not to follow your advice, just make sure your case was clearly documented so that if things do go wrong you have proof.

    You're not a manager so don't worry about management things. It's not worth the stress.

    Neil Watson
    watson-wilson.ca

      neilwatson says:
      You're not a manager so don't worry about management things. It's not worth the stress.

      I wouldn't worry about management things, either. But even when you're well documented and can prove that you've told them before, and that you've been right all along, in the end it's you who has to clean up the mess - because you're paid for it, and, at least in my case, because you're the only one in the company who can do it...

      And this is usually a case for a loud "OERK" :)

      --cs

      There are nights when the wolves are silent and only the moon howls. - George Carlin
