Commit
Merge branch 'antipattern/filter-on-arbitrary-input-like-request-get'
KommuSoft committed Feb 6, 2023
2 parents 04978e1 + ec7ee43 commit 5a64f5a
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion antipattern/filter-on-arbitrary-input-like-request-get.md
Expand Up @@ -22,7 +22,7 @@ passed follows Django's ORM conventions, it can filter on all sorts of related m

# Why is it a problem?

Exactly that, it is very flexible. This means that someone with some knowledge of Django can abuse that system to obtain sensitive data. Indeed, you could for example filter on: `/my-path?author__secret__lte=M`, this can then be used to use binary search for example to "guess" the secret stored in a field named `secret` that the `Author` model might contain. The "hacker" can make a lot of requests and each time validate whether a certain object still appears in the result. If the secret is an alphanumerical string of hundred characters, it takes at most *log<sub>2</sub>(63<sup>100</sup>)=598* guesses to guess the secret. While this may look as a lot, this can easily be automated to guess secrets. A Slack API token is shorter and has a smaller *alphabet*, so that can be guessed in at most 183 requests.
Exactly that, it is very flexible. This means that someone with some knowledge of Django can abuse that system to obtain sensitive data. Indeed, you could for example filter on: `/my-path?author__secret__lte=M`, this can then be used to use binary search for example to "guess" the secret stored in a field named `secret` that the `Author` model might contain. The "hacker" can make a lot of requests and each time validate whether a certain object still appears in the result. If the secret is an alphanumerical string of hundred characters, it takes at most *log<sub>2</sub>(63<sup>100</sup>)&approx;598* guesses to guess the secret. While this may look as a lot, this can easily be automated to guess secrets. A Slack API token is shorter and has a smaller *alphabet*, so that can be guessed in at most 183 requests.

Guessing a UUID, Slack API token, etc. this might be easier than expected. If the hacker makes some requests, one can easily find out, by looking when it returns a 404/500 error page how the modeling looks like, and eventually make a limited number of guesses to expose such secrets. It thus makes the system vulnerable to determine data you want to hide from an unauthenticated or different user.
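Review bot: the corrected bound in the changed line is right as far as the arithmetic goes (log<sub>2</sub>(63<sup>100</sup>) = 100 · log<sub>2</sub>(63) ≈ 597.7, so "≈598" rather than "=598"), but the same sentence calls the secret "alphanumerical", which is 62 symbols (26 upper case, 26 lower case, 10 digits), not 63; either state which extra symbol makes it 63 or use 62, which gives 100 · log<sub>2</sub>(62) ≈ 595.4, i.e. "≈596". While touching this sentence, "this can then be used to use binary search for example to" reads awkwardly and could become "this can then be combined with binary search to", and "While this may look as a lot" should be "While this may look like a lot".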


0 comments on commit 5a64f5a
