Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

As it could so easily be seen as bashing/trolling I need to preface this question by saying that I'm asking in complete seriousness.

How does one accidentally set the failure mode of any piece of authentication code to escalate privileges instead of denying them? Even when I was first learning to code web apps I never found myself accidentally accepting any password.

It's shocking (to me, at least) because it seems like such a beginner mistake.



On possibility: A developer short circuits permissions checking for local testing and accidentally checks in the change. But automated testing should catch these kinds of mistakes.


Lots of ways, for example: Delegate authentication to another server, have your authentication server go down, mess up a try/catch clause in your app that doesn't handle a bad connection correctly

It's very doubtful something like Dropbox is as simple as

  if(user.hashedPassword == sha1(salt + enteredPassword)) {
    letUserIn();
  } else {
    error();
  }
Who knows though, it could have been something even as simple as

  if(user.hashedPassword == sha1(salt + enteredPassword)) ; {
    letUserIn();
  }
Now everyone gets in!


Sample code:

Production

----------

@authenticate

def foobar():

    ....
Development

-----------

#@authenticate ( Because developers are lazy, while testing)

def foobar():

    ....
And accidentally pushing the code, with authentication decorator (python) commented.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: