←back to thread

Writing "/etc/hosts" breaks the Substack editor

(scalewithlee.substack.com)
601 points scalewithlee | 9 comments | 25 Apr 25 13:48 UTC | HN request time: 0.001s | source | bottom
Show context
Y_Y ◴[25 Apr 25 14:13 UTC] No.43793778[source]
Does it block `/etc//hosts` or `/etc/./hosts`? This is a ridiculous kind of whack-a-mole that's doomed to failure. The people who wrote these should realize that hackers are smarter and more determined than they are and you should only rely on proven security, like not executing untrusted input.
replies(6): >>43793862 #>>43793868 #>>43793954 #>>43794072 #>>43794473 #>>43802345 #
jrockway ◴[25 Apr 25 14:21 UTC] No.43793868[source]
Yeah, and this seems like a common Fortune 500 mandatory checkbox. Gotta have a Web Application Firewall! Doesn't matter what the rules are, as long as there are a few. Once I was told I needed one to prevent SQL injection attacks... against an application that didn't use an SQL database.

If you push back you'll always get a lecture on "defense in depth", and then they really look at you like you're crazy when you suggest that it's more effective to get up, tap your desk once, and spin around in a circle three times every Thursday morning. I don't know... I do this every Thursday and I've never been hacked. Defense in depth, right? It can't hurt...

replies(3): >>43793920 #>>43795851 #>>43799653 #
bombcar ◴[25 Apr 25 14:25 UTC] No.43793920[source]
I love that having a web application firewall set to allow EVERYTHING passes the checkbox requirement ...
replies(1): >>43794124 #
1. CoffeeOnWrite ◴[25 Apr 25 14:44 UTC] No.43794124[source]
(I’m in the anti-WAF camp) That does stand to improve your posture by giving you the ability to quickly apply duct tape to mitigate an active mild denial of service attack. It’s not utterly useless.
replies(2): >>43794206 #>>43794423 #
2. elevation ◴[25 Apr 25 14:52 UTC] No.43794206[source]
Doesn't it also add latency to every request?
replies(4): >>43794319 #>>43794346 #>>43795846 #>>43796742 #
3. tough ◴[25 Apr 25 15:05 UTC] No.43794319[source]
I think the main point is the WAF companies must have lobbied to get that into the checklist

the main point is you need to pay a third party

replies(1): >>43795569 #
4. krferriter ◴[25 Apr 25 15:14 UTC] No.43794423[source]
Denial of service prevention and throttling of heavy users is a fine use, searching for a list of certain byte strings inside input fields and denying requests that contain them isn't.
5. CoffeeOnWrite ◴[25 Apr 25 16:30 UTC] No.43795569{3}[source]
You can call your existing reverse proxy a WAF to check this checklist item. (Your point still stands, on the median companies may opt to purchase a WAF for various reasons.)
replies(1): >>43800140 #
6. formerly_proven ◴[25 Apr 25 16:49 UTC] No.43795846[source]
So does running McAfee on every POST body but some places really wanna do that regardless. (I at least hope the scanner isn't running in the kernel for this one).
replies(1): >>43796491 #
7. jrockway ◴[25 Apr 25 17:42 UTC] No.43796491{3}[source]
Yeah, we were asked to do this at my last job by some sort of security review. This one doesn't bother me as much. "Display 'network error' whenever a user uploads a file containing 'SELECT *'" is a bad user experience. "Some files in this repository have been flagged as containing a virus and are not visible in the web interface until allowed by an administrator," is OK with me, though.
8. swyx ◴[25 Apr 25 18:04 UTC] No.43796742[source]
sure but how much? 3-10ms is fine for the fast protection when shit hits the fan.
9. zelphirkalt ◴[26 Apr 25 01:36 UTC] No.43800140{4}[source]
Often it is just pushing responsibility.