un-excogitate.org
what was I thinking? (Christian Frichot’s ad-lib on security and what-not)

Whilst wading through some of the standards at work I stumbled upon this word and naturally I ended up at Wiki (and Answers) to figure out what it meant.

In mathematics the concept of idempotence roughly means that “some operation yields the same result whether it is done only once or several times…”

When looking at this term in computer science it refers to when a function, or RPC call, or web-service call, or any type of operation in a distributed system, “can be safely called repeatedly, since a single call or multiple calls produce the same result and the same side effects to the entire system as a whole.”

Answers has a few examples which explain what this concept means, two of these are:

  • C header files, which “are often designed to be idempotent, that is, if the header file is included more than once (as can easily happen with nested #included files), then nothing untoward happens – the effect is the same as if a file had been included only once.”
  • and HTTP GET requests, which “are assumed to be idempotent. The web infrastructure uses this assumption to cache the result of these requests.”

As you can see, the computer science meaning of this term shifts the original mathematical semantics just slightly; regardless, the concept is quite interesting and plays a part in securing web applications, in particular when designing input/output and using the HTTP methods as they were originally intended, such as submitting changes (non-idempotent data) with POST instead of GET.

Where this is potentially vulnerable is where web apps are designed to use GET requests to modify databases or make other state changes. Not only can these requests be cached, and therefore recalled, they can also lead to unsuspecting third parties making system changes. A number of sources point out that the root of this problem is that the HTTP RFC leaves GET calls to be inferred as idempotent, while they may be implemented differently; that is obviously left up to the programmer.

A good example of this type of exploit is when digg.com allowed users to add friends just by visiting a URL, i.e. http://digg.com/invitefrom/{username}.
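To make the distinction concrete, here is an added toy model of an "add friend" endpoint in the shape of the /invitefrom/{username} URL above; it is example code written for this post, not digg's or anyone else's implementation, and the Request and FriendStore types are made up for the illustration. The first handler applies the state change on any method, so a GET from a link, an embedded image or a cache warm-up adds the friend; the second only changes state on POST and answers safe methods with 405 and an Allow header.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: just the method and path."""
    method: str
    path: str


@dataclass
class FriendStore:
    """Constructed stand-in for the database the endpoint modifies."""
    friends: set = field(default_factory=set)


INVITE_PREFIX = "/invitefrom/"


def _username_from_path(path):
    """Return the username in /invitefrom/{username}, or None if the path does not match."""
    if not path.startswith(INVITE_PREFIX):
        return None
    name = path[len(INVITE_PREFIX):]
    return name or None


def vulnerable_invite(store, request):
    """State change on any method: a plain GET (a link, an <img src>, a prefetch)
    adds the friend exactly as a deliberate form submission would."""
    name = _username_from_path(request.path)
    if name is None:
        return 404, {}, "not found"
    store.friends.add(name)            # side effect regardless of method
    return 200, {}, f"added {name}"


def hardened_invite(store, request):
    """State change only on POST; GET/HEAD (the safe, cacheable methods) and any
    other method get 405 with an Allow header naming the expected method."""
    name = _username_from_path(request.path)
    if name is None:
        return 404, {}, "not found"
    if request.method != "POST":
        return 405, {"Allow": "POST"}, "use POST to add a friend"
    store.friends.add(name)            # reached only for an explicit POST
    return 200, {}, f"added {name}"
```

Replaying the same POST twice leaves the set unchanged, which is the idempotence the post describes; the point of the hardened handler is that a GET cannot trigger the change at all.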
