Programming & Security Vulnerabilities & Logging

-

It's not always easy to be a programmer! - Ask any coder what one of the most annoying things is to do and it is "debugging".  Trying to figure out why the nice, beautiful code you just wrote, does not do exactly what you expected it to do!

One of the main difficulties in writing software is the inability to imagine all of the possibilities a user might intend to use it for, which often is far greater then what the programmer had intended.

To do this we need to use our imagination to think questions like "what happens if a user types "X"?' or what should happen when the user enters letters in a number only field?. What if the user hits both the return key and the escape key at the same time? Often even the user doesn't even know why they 'did' it the way they did it..from their point of view that just seemed the 'obvious' thing to do !

In programming tech-talk we call this "Defensive Programming" and while the reality is we can never be 100% sure what the user will try with our software, in order to ensure the best possible user experience, we need to try and predict these unusual situations and provide an appropriate response.  Machines don't have behaviors on their own, it is only what the programmers put into it.

When a user  tells us something is 'wrong', it can also be difficult for them to communicate the specific steps they followed that caused their error. Often they cannot easily think of all the steps they did to cause the problem, and it is those specific steps (and our ability to re-produce them) that are vital to finding and correcting it in the future.

This is where log files become extremely invaluable.  By writing out to the log file what was happening just before the error, we can troubleshoot the exact steps that led up to the problem. Eg:

    9:25am - User Logged into the Application

    9:28am - User created a new Contact

    9:30am - User entered Contact Phone Number with text "see fathers phone number"

    9:31am - Exception in thread "main" class org.geekwisdom.PhoneNumber cannot be cast to class  java.lang.String

When we see the error we can recognize. Ah Ha! - the user didn't type in an actual phone number, they typed "see fathers phone number", and because there was nothing to 'catch' this problem, the software crashed.

Typically we can set the 'verbosity' of the log file, so that if we cannot determine why it crashed, we can increase how much is written to the file so that the next time we can get a bit closer to what went wrong.

Often times these logs are created using existing logging frameworks within the language. Log4j is an example of a logging framework used by countless java applications to make it easier for programmers to write details to a log file.  A simple way a programmer might write a log file such as above might be something like the simple statement:

 log.debug("User entered Contact Phone number with text" + PhoneNumber.getText());

But what happens when our logging framework fails?

Just like any other bit of programming, the people who maintain the framework make assumptions / educated guesses on how the users will use it.. and sometimes they simply don't (can't) think of everything.

One of the things that often gets drilled into us as young programmers is to always sanitize the user input before using it.  This is to ensure that the input is not trying to do anything 'nefarious' things and gain access to data they should not have access too.

A common example is known as "SQL Injection" suppose you have a login and password screen, and your code checks that password with something like this

"SELECT * FROM UserTable WHERE username=" + username + " and password = " + password;

where 'username' and 'password' were the username and password typed by the user.

But if the user types something like " ' OR 1=1' instead of the user password. This can be problematic ie:

SELECT * FROM UserName WHERE username="brad" and password='' OR 1=1" will always return true (because 1 = 1) even if the password isn't filled in.

So we should "know" better from making this kind of mistake right?

But surely writing our own log files is safe? right?.

Consider the example above:

 log.debug("User entered Contact Phone number with text" + PhoneNumber.getText());
Simple enough right? - It lets us know in our log file what the user typed so we can figure out what went wrong.

Except suppose for phone number the user instead types something like:


Now the logging system downloads the 'reverse_bash_server.class' executes it and allows user to remotely log into your system and gain access to all of your data!

And this is why today there are potentially hundreds? thousands? of machines out there capable of being exploited because who would have every imagined a need to sanitize the input that is output to a log file?

But at the end of the day, we never know what the user will try to do, and we need to constantly 'defend' against it.

You can read more about the log4j problem @ https://logging.apache.org/log4j/2.x/security.html

If you were imaginative enough to think to sanitize your input from users type in text in  the format ${} before writing it to a lot file then you are one of the lucky ones already safe and sound, (and you are not using any other 3rd parties that weren't as 'smart' as you)

Another good article to teach you about "lookups" and 'jndi" see: https://blog.sebastian-daschner.com/entries/log4shell-and-how-to-fix

GeekWisdom  Java Tools -> https://github.com/geekwisdom/gwJavaTools has been updated to use log4j 2.16 so as to be patched against this vulnerability.

Edit: Fixed error of 'AND 1=1' to 'OR 1 = 1'
If you liked this post please consider sharing via your favorite social networks!!

and ..if you like my blogging, video, audio, and programming - please consider becoming a patron and get exclusive access @ Patreon.com/GeekWisdom

Comments

Post a Comment

Popular posts from this blog

Programming Rant - Stop the Insanity!! - .NET 7 is not the successor to .NET 4.8

-
Image
  .NET 7 IS THE SUCESSOR TO .NET 6 .NET 6 IS THE SUCESSOR TO .NET 5 .NET 5 IS THE SUCESSOR TO .NET CORE 3 ...drum roll please... .NET 5 IS NOT THE SUCESSOR TO .NET 4.8 !! ! At the time of this blog their is no .NET path after .NET 4.8. Microsoft will continue to support, patch and update .NET 4.8 for the foreseeable future, though will likely not continue to 'add new' to it. (but they also said this about .NET 4.5.2 and have continued to update it so far to .NET 4.8..so take that with a bit of a grain of salt) Microsoft's "naming" policy of the .NET line and the .NET Core, and .NET Standard is rather foolish from a logical point of view, but it does have some good "salesman" characteristics. Software Development Companies can try to sell the idea in peoples minds to upgrade .NET 4.8 to ..NET 7 and make a bundle in the process - even though Microsoft itself fully admits it is not ending any support for .NET 4.8 This is based on the mistaken idea that a la...
Read more

Everything in Moderation...

-
Image
 You've probably heard it from a health professionals, in ads or from that local gym.  Can I eat some chocolate? How about a bag of chips? Everything is okay to to eat... in moderation.. right? I am fortunate have been born in a part of the world that values human rights and freedoms. One of these in particular is the 'right' to free speech. We have the right to say what we feel and think, positive or negative, to share our thoughts with others - this is an important aspect of society. Just follow one of the many tweets from Elon Musk, and you can see how much he believes in Free Speech, or for charges brought against others who have attempted to the hinder free speech of others In our world, we are constantly inodiated with information, with the free speech of those around us, and the responsibilities that come with it. There is a man I admire greatly, who gave a lot of talks over his lifetime - his name is Dr Wayne Dyer. He gives one speech about an orange, that truly cha...
Read more

So I started a Podcast ! - The G33k Dream Team .

-
Image
  *** HELP WANTED *** It was a dark and stormy night - okay well actually it was about 9AM on a Friday the 13th that I received a Facebook (messenger) message from Matt Gabrielson.. but the story starts a little earlier than that. About one year earlier, to be precise, on Jan 13th 2022, I sent Matt a message asking if I could write a guest blog on his site.  It took him over 1 year to respond - not because he wasn't fast at responding but because it took over 1 year for the message to show up in his Facebook Messenger. So we did an interview together for his YouTube channel it is called " What is GeekWisdom ", it was an opportunity to discuss GeekWisdom , how it started and what it meant. As of the time of this article, that video had more views then any of his other interview thus far, so when a few weeks later he contacted me as if I wanted to start a podcast with him, I jumped at the opportunity. The format is pretty simple, at least once a month (on the 4th), we are g...
Read more

Diabetes is not caused by eating too much sugar !!!

-
Image
 It makes me cringe every time I see a meme like this ! TLDR; -> Please help support finding a cure for Type 1 diabetes. I made this video for my local community Facebook page and it was rejected. I'm hoping you can help support the fight! To Donate:  https://jdrf.akaraisin.com/ui/jdrfwalk2023/p/1fc07cd8d6214688ad239471dfa31a88 ---- I worry, sometimes, that people really believe this is true, that eating a lot of sugar gives you diabetes. Suggesting that those that have diabetes are somehow 'responsible' for it because they ate too much sugar. This is utter nonsense ! ..and probably makes it hard to raise money to support finding a cure for diabetes - if the person is 'at fault' then why help them right? A person who chooses to smoke cigarettes, drink excessive amounts of beer, or engage in 'recreational' drug use, literally made a choice (in most cases) to put toxic chemical in their body - and yes I know people have addiction problems and need help - bu...
Read more

Buy Local - the online way

-
Image
 This post is about buy local, but not the way you might think. It fact, it's more of a 'Think Local', and by that I mean supporting the 'small business' in the tech industry. We all know who the tech giants are out there, so not much point of me linking to them (and advertising them for free). You can get your social networking for free, your email for free. I'm willing to bet the very web browser you are reading this on now was guess what -- free! The internet, for all it's positives and negatives, is effective at bringing people together, at letting us communicate with others half way around the globe, like they were a neighbor in our own back yard. So when offered something for free many people jump on it downloading he latest free browser, signing up for free webmail, joining large social networks - and why not right? The thing is none of this is really for 'free' these big companies are in it for big profit, and they do it simply by selling you...
Read more

Software Tools - Productivity or Distraction?

-
Image
  I was looking for a file today on a Microsoft Teams site, so I go into teams, look under files, when all of a sudden I see a chat request from another member in another teams site, so I jump over to help answer their question. Feeling proud of myself I then head back to do some more work on my plate. Ten minutes later I realized, wait a minute - wasn't I just looking for that file? We live in a world, full to the brim of distractions.  One of my favorite perks of 'work from home' is at least people can't just 'walk into my cubicle' asking questions whenever they feel like it. I have much more time to focus on what I promised to deliver when I promised, and people really appreciate that. Software Tools should help us be more productive, and not provide us with new and novel distractions. But like most things in life, it's just not that simple! When my kids were young, I bought them some electronic toys, a robot for example that walked around made funny beep...
Read more

Child Rights and Confidentiality

-
 Does a child have right to confidentiality in the same regard as an adult has this right ? And if so, should this right be limited in ways not limited to an adult? Does the parent hold a right to know the deepest thoughts and feelings of their child? And does that right override the child’s right to confidentiality?   For the purpose of this discussion, we will consider child as under the age of 16 or otherwise considered a ‘minor’ in the eyes of the law. Under Canadian Law (and within the laws of many other free countries) confidentiality is limited with respect to reports of harm to oneself of others.   In other words, you cannot confidentiality report to anyone your intent to harm yourself or another person and reasonably expect that information to not be reported. For the most part, other than the rule above, individuals are free to have confidential discussions between one another not to be repeated outside of that discussion. Generally speaking children c...
Read more

Way back then...Apple ][

-
The way I remember it... It was the fall of 1993, I had just started Grade 11, near the far end of the hallway of my highschool were 2 classes. 'Typing' and 'Computer Related Studies'.  It was the first year I would actually have 'computers' as a course in school, which I was pretty excited for. I only had an old Vic 20 at the time, but was hoping for a new IBM Clone 80386 for Christmas (I got my wish, it was from the Sears catalog and at the time was like close to $2000) I was quite familar with programming in BASIC, but I got a specific book at the local library on AppleSoft Basic to learn to program in the APPLE 2.  Most of the first part of the year was all about 'computer' history. We actually didn't spend too much time using the computers in the lab, which was fine, I enjoyed learning about the history, plus I was part of the school newspaper that year so I got to use the Apples running the newspaper program "The Newsroom". Wh...
Read more

You should be able to do that...

-
Image
Everyone in life has different *things* which cause frustration.  For me often the primary source of frustration is around language and communication. A recent lifehacker podcast "How to get Your Point Across Online"  reminded me of how easy it is to fall into the trap of 'You should be able to do that...' There are many things I am not very good at, at least not in the not so humble opinion of others. I am not a multitasker, I cannot listen to/respond to more than one conversation at  time. I cannot remember things well (or where I put them) without prompts or reminders, and I quickly become anxious when confronted with a new situation that scares me, and it takes time for me to process my emotions. It is so easy for others to dismiss my 'quirkiness' as a flaw either in my ability as a person or in my personality. I suppose in people's mind we setup a "personna" of what every person should be able to do, and if they cannot just 'do it', ...
Read more

ChatGPT and Artificial General Intelligence

-
Image
 Recently on Twitter, there is an upcoming twitter space talking about Artificial General Intelligence and ChatGPT. The question posed is indeed interesting. In is important to note that this question occurs frequently throughout our history. One of the very first chatbots Eliza  stunned users into thinking it was possible to create an artificially intelligent machine.  The notion of "artificial general intelligence" wasn't even an idea in someone's mind. The term only needed to be added to our vernacular once it was agreed that the algorithms being created did in fact perform at a level beyond what human intelligence could do within a specific context. (eg: computer beats human at chess, at Go, at Jeopardy), software can interpret human speech, read handwriting, understand the context of a sentence, and even prove theorems, and produce new artistic  works never created or known before by humans.  All items only dreamed of only in science fiction a mere 50-60 y...
Read more