Reading this article was an exercise in frustration. Mass SQL Injection Attack Hits 1 Million Sites. The sum of it is that over a million ASP.Net websites were written and put online after someone had deliberately disabled input validation. This isn’t an insecure default. Folks turned off the security feature on purpose!
I’ve worked on a lot of software projects and can picture what probably happened all too well. Someone was working on some piece of the web application and ran into a validation error when testing the site. Maybe they had a deadline coming up, or just gave up figuring the problem out. Hopefully it wasn’t a case where they just didn’t care. The end result was rather than figure out what triggered the issue and work through it, someone brought up the idea of turning off the validation.
It was a small change. Just flip this:
<%@ Language="C#" ValidateRequest="true" %>
to this:
<%@ Language="C#" ValidateRequest="false" %>
Hey it works! At least until they got owned. Then it was lots of stress, work and fear of unemployment.
This not a problem limited only to ASP.Net developers. Think back and remember the times that a firewall rule was set to default permit because someone was in a hurry. Or the time that someone got frustrated figuring out file system permissions and gave the Everyone group Full Control to a directory. Or worse, set that daemon to run as root. It happens and it’s all too tempting while in full firefighting mode or coming up on a deadline. But is it really worth it? Or do we find out later that the Easy Button really was the wrong one?
Take some time and save yourself or co-workers the grief. Resist the urge to push the Easy Button and don’t give an attacker an easy shot.