Most active commenters

    ←back to thread

    Writing "/etc/hosts" breaks the Substack editor

    (scalewithlee.substack.com)
    642 points scalewithlee | 13 comments | 25 Apr 25 13:48 UTC | HN request time: 0.819s | source | bottom
    1. paxys ◴[25 Apr 25 14:09 UTC] No.43793735[source]
    This isn't a "security vs usability" trade-off as the author implies. This has nothing to do with security at all.

    /etc/hosts

    See, HN didn't complain. Does this mean I have hacked into the site? No, Substack (or Cloudflare, wherever the problem is) is run by people who have no idea how text input works.

    replies(5): >>43793752 #>>43793805 #>>43793852 #>>43793880 #>>43794047 #
    2. macspoofing ◴[25 Apr 25 14:10 UTC] No.43793752[source]
    My thought exactly - this isn't an example of balance between "security vs usability" - this is just wrong behaviour.
    3. orlp ◴[25 Apr 25 14:15 UTC] No.43793805[source]
    This is like banning quotes from your website to 'solve' SQL injection...
    replies(1): >>43794623 #
    4. eli ◴[25 Apr 25 14:19 UTC] No.43793852[source]
    It's a text string that is frequently associated with attacks and vulnerabilities. In general you want your WAF to block those things. This is indeed the point of a WAF. Except you also don't want it to get in the way of normal functionality (too much). That is what the security vs usability trade off is.

    This particular rule is obviously off. I suspect it wasn't intended to apply to the POST payload of user content. Perhaps just URL parameters.

    On a big enough website, users are doing weird stuff all the time and it can be tricky to write rules that stop the traffic you don't want while allowing every oddball legitimate request.

    replies(1): >>43796052 #
    5. mystifyingpoi ◴[25 Apr 25 14:23 UTC] No.43793880[source]
    > is run by people who have no idea how text input works

    That's a very uncharitable view. It's far more likely that they are simply using some WAF with sane defaults and never caught this. They'll fix it and move on.

    replies(1): >>43796676 #
    6. gav ◴[25 Apr 25 14:36 UTC] No.43794047[source]
    It's more so that Cloudflare has a WAF product that checks a box for security and makes people who's job it is to care about boxes being checked happy.

    For example, I worked with a client that had a test suite of about 7000 or so strings that should return a 500 error, including /etc/hosts and other ones such as:

      ../../apache/logs/error.log
  AND%20(SELECT%208203%20FROM%20(SELECT(SLEEP(5)))xGId)
  /../..//../..//../..//../winnt/system32/netstat.exe?-a
    We "failed" and were not in compliance as you could make a request containing one of those strings--ignoring that neither Apache, SQL, or Windows were in use.

    We ended up deploying a WAF to block all these requests, even though it didn't improve security in any meaningful way.

    replies(3): >>43794824 #>>43804273 #>>43819015 #
    7. betenoire ◴[25 Apr 25 15:29 UTC] No.43794623[source]
    "magic quotes" have entered the chat :D
    8. krferriter ◴[25 Apr 25 15:43 UTC] No.43794824[source]
    > For example, I worked with a client that had a test suite of about 7000 or so strings that should return a 500 error

    > We "failed" and were not in compliance as you could make a request containing one of those strings--ignoring that neither Apache, SQL, or Windows were in use.

    this causes me pain

    9. SonOfLilit ◴[25 Apr 25 17:04 UTC] No.43796052[source]
    Your auditor wants your WAF to block those things. _You_, at least I, never ever want to have a WAF at all, as they cause much more harm than good and, as a product category, deserve to die.
    10. immibis ◴[25 Apr 25 17:58 UTC] No.43796676[source]
    with insane defaults FTFY
    11. WesolyKubeczek ◴[26 Apr 25 15:07 UTC] No.43804273[source]
    Why in the world should those be 500 even? Those all are "40x client fuckup".

    I guess someone was told, when compiling those strings, that they should observe this known-good implementation (that actually crashed upon receiving such things) and record whatever it returns, and then mandate it of everyone else from now on.

    12. ta1243 ◴[28 Apr 25 08:41 UTC] No.43819015[source]
    What is their desired behaviour if not a 404? A 500? a FIN? a RST?
    replies(1): >>43823337 #
    13. gav ◴[28 Apr 25 16:39 UTC] No.43823337{3}[source]
    The desired result is a 500 so it's possible to audit.

    As much as this is a pain, the alternative can be more painful.

    I used to have a client that would forward me an email from their security team every six weeks saying "we found a SQL injection issue with your site, can you look into this and confirm that it's fixed?" and I'd reply back saying "that not possible" and they'd go "ok, we've marked this as a false positive".

    Eventually I got bored of having the same conversation over and over, so I asked them to show what they were finding. It turned out their scan would do the following:

      html1 = request("https://example.com/search?query=test")
  html2 = request("https://example.com/search?query=test' or 1=1--")
  if (html1 != html2) 
    sql_injection_vulnerable = true
    Which of course is total nonsense, just because it returns different content doesn't mean anything.

    This is a perfect use case for a WAF, I can stick one in front and then have it return 500s for all these requests and not worry about it any more.

    In our case, we didn't have a WAF, but they had a obvious User-Agent, and it turns out that blocking all of their requests passed the scan too :)