Arbitrary Code

Do you let people run arbitrary code?

In the web development world, the most dangerous security vulnerability is allowing users to run arbitrary code on your server. Failing to protect your server will result in them doing whatever they want. I certainly remember when one of the website I was working on was getting hacked daily. When I finally discovered the vulnerability 3 years later, I realized that in addition to stealing our traffic the culprit used our network of machines as zombies to DDOS and brute-force password on WordPress websites.

There are many ways to attempt to run code on a server. The day the shellshock vulnerability was discovered, I checked my server logs and it was pouring with attempts to run code on this server.

There are also multiple ways to secure your machine from all these attacks. You can setup a firewall, you can escape user input to prevent SQL injection. You can filter out user input to prevent cross-site scripting, you can keep your server up to date. You can prevent the user to send you anything that is not what you expect.

// Selecting which field and order to sort by
// url: example.org/report?field=date&order=asc

$fields = ["title","location","date","total","..."];
$directions = ["asc","desc"];

$sortField = isset($_GET["field"])? $_GET["field"]:"";
$order = isset($_GET["order"])? $_GET["order"]:"";

$sortField = in_array($sortField,$fields)? $sortField : $fields[0];
$order = in_array($order,$directions) ? $order : $directions[0];

In the example above, if the user manually changes the value to something else it will result back to the default values, there are no other options.

Hacking computers can be very hard. On protected machines, sometimes the attacker have to be very creative to find a way in. That's why social engineering is more powerful then any other attack.

Why is social engineering powerful? Because you get to run arbitrary code for free. This time the machine is the victim's head. When you talk to a person, she has no choice but to think about what you said. Even when you ignore someone, you can still hear him, and you are still affected by what he says.

Unlike the computer code, we can't simply patch these bugs. When the TV is on in the other room and you numbed your hearing to it, the moment the reporter says "X amount of people died", you automatically go on alert.

When someone plays a joke on you and tell you false information, you process that information and react accordingly. Whether it's a silly thing or an off-putting joke, you react to it. You execute this code with high privilege in your brain. Think the boy who cried wolf.

Social engineering is used to take advantage of this weakness or as Patrick McKenzie put it, "a flaw in MonkeyBrainOS 1.01 which we haven't patched yet".

The pro-advertisement insist that it is your choice, no matter how invasive an ad is, it is your choice to pay attention to it. We have somewhat evolved to ignore banner ads, our eyes automatically focus on the content of a page ignoring everything else. But that only works for a static message. Auto playing videos are arbitrary code automatically running in your brain even if we don't want to.

Addictive games with in-app purchase take advantage as well. It is the only way to win, you have to purchase more gems.

Game of war horrible game

Profitable despite being the crappiest game

When you are walking in a metropolis plastered with movie posters, giant screens, Coca Cola, Victoria secret, Game of War... Despite how much you think you are ignoring it, you are storing this information in your own database. The advertiser can run this code later in a more convenient time.

The old adage says "You are the average of your five closest peers". The reason is these people get to execute code in your head constantly. The best you can do is surround yourself with people you share ideas with. People you want to be influence by. People who are a positive force in your life.

It may seem harmless to put a troll back to his place on a forum, but the more you do it, the more you give access to their ideas to your brain. You might find yourself bashing a little too many people one day, becoming a troll yourself.

There is not much we can do. We are bombarded with messages from all over the place. The best you can do is stay away from the things you don't like. And embrace the things you do. But every so often, take the time to re-evaluate your choices. Are these the things you want to do? Or are they something you fell into because someone executed code in your brain. Re-evaluate!

This post is totally inspired by that comment from Patrick McKenzie


Comments

There are no comments added yet.

Let's hear your thoughts

For my eyes only