Comments on: Webapp security: Different DB permissions for different requests http://www.brainonfire.net/2008/01/12/set-db-permission-per-request/ Tim McCormack, distilled. Wed, 08 Oct 2008 02:58:09 +0000 http://wordpress.org/?v=2.6 By: Tim McCormack http://www.brainonfire.net/2008/01/12/set-db-permission-per-request/#comment-22347 Tim McCormack Sun, 13 Jan 2008 05:12:08 +0000 http://www.brainonfire.net/2008/01/12/set-db-permission-per-request/#comment-22347 Don't be daft. Of course it's harder to use POST than GET. I know that forms can be auto-submitted in iframes, but it's easier to set up a CSS background-image-based attack in forums and other areas that get a lot more traffic. So yeah, from a layered security standpoint, it <em>is</em> advantageous to add these couple lines of code. Don't be daft. Of course it's harder to use POST than GET. I know that forms can be auto-submitted in iframes, but it's easier to set up a CSS background-image-based attack in forums and other areas that get a lot more traffic. So yeah, from a layered security standpoint, it is advantageous to add these couple lines of code.

]]> By: Cairnarvon http://www.brainonfire.net/2008/01/12/set-db-permission-per-request/#comment-22346 Cairnarvon Sun, 13 Jan 2008 04:53:19 +0000 http://www.brainonfire.net/2008/01/12/set-db-permission-per-request/#comment-22346 There's a good way to do design by contract, a lot of bad ways, and a huge number of meaningless ways. This would be an example of a meaningless way. And trust me, I know more about CSRF than you do, if you think it's harder to use POST than GET with it. There's a good way to do design by contract, a lot of bad ways, and a huge number of meaningless ways. This would be an example of a meaningless way.

And trust me, I know more about CSRF than you do, if you think it's harder to use POST than GET with it.

]]> By: Tim McCormack http://www.brainonfire.net/2008/01/12/set-db-permission-per-request/#comment-22312 Tim McCormack Sat, 12 Jan 2008 19:53:40 +0000 http://www.brainonfire.net/2008/01/12/set-db-permission-per-request/#comment-22312 @Cairnarvon: I take it you have a similarly low opinion of assertions, preconditions, postconditions, and other design-by-contract mechanisms? Ever read up on CSRF? And did you know that you're not logged into your site anymore? <img src="http://cairnarvon.rotahall.org/wp-login.php?action=logout"> @Cairnarvon: I take it you have a similarly low opinion of assertions, preconditions, postconditions, and other design-by-contract mechanisms? Ever read up on CSRF? And did you know that you're not logged into your site anymore?

]]> By: Cairnarvon http://www.brainonfire.net/2008/01/12/set-db-permission-per-request/#comment-22310 Cairnarvon Sat, 12 Jan 2008 19:24:48 +0000 http://www.brainonfire.net/2008/01/12/set-db-permission-per-request/#comment-22310 <blockquote>Why not enforce this at the permissions level?</blockquote> Because it's a waste of time? I hope you don't think forcing the distinction between GET and POST passes for any kind of input validation. All you're really doing is adding a roadblock for yourself as a developer. One you generally shouldn't be running into if you're being consistent in your implementation, but one that's completely unnecessary when you do run into it. At best, this falls under "enforcing design principles purely for the sake of design principles". Very <i><b>ENTERPRISE READY</b></i>.

Why not enforce this at the permissions level?

Because it's a waste of time? I hope you don't think forcing the distinction between GET and POST passes for any kind of input validation.

All you're really doing is adding a roadblock for yourself as a developer. One you generally shouldn't be running into if you're being consistent in your implementation, but one that's completely unnecessary when you do run into it.
At best, this falls under "enforcing design principles purely for the sake of design principles". Very ENTERPRISE READY.

]]>