Why you can’t just entirely rely on Intrusion Prevention/Detection Systems

First things first: I must say hello and welcome to the very first post of In Security We Trust (ISWT)! I’ve wanted to open an IT security blog for many, many years but never found the time or patience to do it.

Today I wanted to talk about how thin the line between security and (IN)security is, and why we can’t just rely on an IPS/IDS. And here goes today’s subject: how could an attacker hack any eBay account in just a few minutes (or even less than that)? An Egyptian security researcher, Yasser H. Ali, reported the following vulnerability together with this PoC:

As you can see in the video, the eBay developers mistakenly used the same value for what were supposed to be two different variables (or at least two different values), probably because they used the very same name for both: “reqinput”. The value used in the password restore link should have been a secret one that was never exposed in server responses. Not to mention that extra data such as IP address, client agent, session, etc. could also have helped to detect an unwanted password reset POST.
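To make the two points above concrete, here is an added example (my own constructed code, not eBay’s and not from the researcher’s PoC) of a minimal password-reset flow. The insecure variant reproduces the pattern the post describes: a single “reqinput” value is both the identifier echoed in the HTTP response and the secret in the reset link. The hardened variant keeps the secret out of the response, stores only its hash, makes it single-use with an expiry, and records the requester’s IP and user agent so a mismatching confirmation POST is rejected and logged for a SOC to alert on. Class and function names, the 15-minute lifetime and the in-memory “outbox” standing in for e-mail delivery are all assumptions for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

RESET_TTL_SECONDS = 15 * 60  # hypothetical token lifetime, not a product value


@dataclass
class PendingReset:
    user_id: str
    created_at: float
    ip: str
    user_agent: str


def _digest(secret):
    # Only the hash is stored server-side; a database leak does not leak usable tokens.
    return hashlib.sha256(secret.encode()).hexdigest()


def response_leaks_secret(response, secret):
    """True if the secret appears anywhere in the serialized HTTP response body."""
    return secret in repr(response)


class PasswordResetService:
    """Constructed in-memory password reset flow for illustration only."""

    def __init__(self, now=None):
        self._now = now or time.time
        self._pending = {}   # sha256(secret) -> PendingReset
        self.outbox = []     # stands in for the out-of-band e-mail channel
        self.audit_log = []  # events a detection team could alert on
        self.passwords = {}  # user_id -> new password (demo only)

    def _store(self, secret, user_id, ip, user_agent):
        self._pending[_digest(secret)] = PendingReset(user_id, self._now(), ip, user_agent)

    def request_reset_insecure(self, user_id, ip, user_agent):
        # Pattern from the post: one value ("reqinput") is both the request
        # identifier returned to the client and the secret in the reset link.
        reqinput = secrets.token_urlsafe(32)
        self._store(reqinput, user_id, ip, user_agent)
        self.outbox.append({"to": user_id, "secret": reqinput})
        return {"reqinput": reqinput, "status": "sent"}  # the secret leaks here

    def request_reset(self, user_id, ip, user_agent):
        secret = secrets.token_urlsafe(32)
        self._store(secret, user_id, ip, user_agent)
        self.outbox.append({"to": user_id, "secret": secret})
        # The HTTP response carries only an opaque, unrelated id, never the secret.
        return {"request_id": secrets.token_urlsafe(16), "status": "sent"}

    def confirm_reset(self, secret, new_password, ip, user_agent):
        # Single use: the entry is removed on any confirmation attempt, good or bad.
        pending = self._pending.pop(_digest(secret), None)
        if pending is None:
            return {"ok": False, "reason": "unknown_or_used"}
        if self._now() - pending.created_at > RESET_TTL_SECONDS:
            return {"ok": False, "reason": "expired"}
        if pending.ip != ip or pending.user_agent != user_agent:
            # The extra context the post mentions: a reset confirmed from a
            # different client than the one that requested it is suspicious.
            self.audit_log.append({
                "event": "reset_context_mismatch",
                "user": pending.user_id,
                "requested_from": pending.ip,
                "confirmed_from": ip,
            })
            return {"ok": False, "reason": "context_mismatch"}
        self.passwords[pending.user_id] = new_password
        self.audit_log.append({"event": "password_reset", "user": pending.user_id})
        return {"ok": True, "reason": ""}


if __name__ == "__main__":
    svc = PasswordResetService()
    leaky = svc.request_reset_insecure("alice", "203.0.113.5", "UA/1")
    print("insecure response leaks secret:", response_leaks_secret(leaky, svc.outbox[-1]["secret"]))
    safe = svc.request_reset("alice", "203.0.113.5", "UA/1")
    print("hardened response leaks secret:", response_leaks_secret(safe, svc.outbox[-1]["secret"]))
    print(svc.confirm_reset(svc.outbox[-1]["secret"], "new-pw", "198.51.100.9", "UA/2"))
    print(svc.audit_log[-1])
```

The rejection on an IP or user-agent mismatch is deliberately strict for the example; a real service might instead require a second factor there, but either way the mismatch event is the signal that a network IDS sitting in front of the application would never produce on its own, because the request is a perfectly well-formed POST.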

Anyway, of course not only would an Intrusion Detection System never have noticed this kind of attack, but an Intrusion Prevention System would never have stopped anyone from abusing this bug either. This reminds us how important it is to focus on the most critical asset of our applications: developers. Never stop instructing them; security is always a continuous process.

Welcome to In Security We Trust!
See you!
