Jan. 23, 2018, 12:36 p.m.

Brain Dead Security

There is a module in the technology world called ModSecurity that can function as a plugin to a web server and help detect and prevent certain kinds of web-based attacks. In principle this is a good thing, especially considering the increasing amount of online attacks.

However, the rules are mostly retarded. I have developed a system for a client that is running ModSecurity, and this application makes standard use of random session ID values stored in cookies that get sent with every request to validate the person. This is basic Computer Science 101: we have been using cookies to store a session ID since some of the first web-based applications were launched.

The problem is with rule ID 981260. One day, seemingly at random, a user could not proceed to the home page after successfully authenticating on the login page; the server kept showing Permission Denied errors for every single page visited. After some digging it turned out the problem was the brain dead assumption made by the author of that rule: that no valid, legitimate cookie value will ever contain the sequence k0x2e2, which can also be found in some SQL injection attacks. However, session ID values are just random strings of characters. In this case, the system happened to generate a session ID with the value cnyn5f51tq1iipk0x2e2uanj9hnywiis, which triggered this rule and blocked the user's access.
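The false positive described above, reproduced as an added example (this is not code from the post). It assumes the session IDs are 32 lowercase base36 characters like the quoted value, and that rule 981260 is the OWASP CRS 2.x "SQL Hex Encoding Identified" check; the regex below is my reconstruction of that check and is an assumption. It measures how often a random session ID trips the rule and shows one mitigation in code (a hex-only ID alphabet) and one in a comment (excluding the session cookie from the rule instead of disabling it).

```python
import re
import secrets
import string

# Assumed reconstruction of the CRS 2.x hex-encoding check behind rule 981260:
# a "0x" literal with at least three hex digits, not preceded by a decimal digit.
# The post's value matches because 'k' is a non-digit followed by "0x2e2".
HEX_LITERAL = re.compile(r"(?:\A|[^\d])0x[a-f\d]{3,}")

# Alphabet of the session IDs quoted in the post (lowercase base36).
BASE36 = string.ascii_lowercase + string.digits


def is_blocked(cookie_value: str) -> bool:
    """True if the reconstructed rule would fire on this cookie value."""
    return HEX_LITERAL.search(cookie_value) is not None


def session_id_base36(length: int = 32) -> str:
    """Session ID generator of the kind the post describes: random base36 chars."""
    return "".join(secrets.choice(BASE36) for _ in range(length))


def session_id_hex(nbytes: int = 16) -> str:
    """Mitigation in the app: a hex-only alphabet has no 'x', so the literal can never form."""
    return secrets.token_hex(nbytes)


def false_positive_rate(generator, samples: int = 20000) -> float:
    """Fraction of freshly generated session IDs the rule would block."""
    blocked = sum(is_blocked(generator()) for _ in range(samples))
    return blocked / samples


if __name__ == "__main__":
    print(is_blocked("cnyn5f51tq1iipk0x2e2uanj9hnywiis"))  # True
    print(f"base36 IDs blocked: {false_positive_rate(session_id_base36):.4%}")
    print(f"hex IDs blocked:    {false_positive_rate(session_id_hex):.4%}")
    # Mitigation in the WAF (ModSecurity 2.x directive, not Python): keep the rule
    # but exclude the session cookie from it. SESSION_COOKIE_NAME is a placeholder.
    #   SecRuleUpdateTargetById 981260 "!REQUEST_COOKIES:SESSION_COOKIE_NAME"
```

With 32-character base36 IDs the rule blocks roughly one in a thousand logins, so on a busy site the "random" lockout the post describes is a certainty, not a fluke.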

This mistake is just as stupid as if you were trying to find your name in a list of names; say your name is John, so you write a program that searches whether that list of names contains the consecutive letters "john". The list looks as follows:

  1. Ben Affleck
  2. Jessica Biel
  3. Johnny Depp

So now you have found a match, because apparently you are Johnny Depp. So stupid.