TAP, automated site monitoring, and gzip encoding.
Mark Taylor
m.b.taylor at bristol.ac.uk
Fri Jul 1 08:46:50 PDT 2011
Regarding support of BINARY-encoded VOTables: any code which uses
STIL will read them just as happily as TABLEDATA-encoded ones.
Although BINARY-encoding was a bit slow to appear in VOTable
parsers, I have the impression that it's fairly widespread these
days, though it would be interesting to hear one way or the other
from the relevant developers. I would certainly expect a VOTable-aware
application or toolkit to provide this support, since it's a mandatory
part of the VOTable standard. One exception however is (presumably)
processing done using XSLT - this is unlikely to make sense of VOTable
data which is not presented as TRs and TDs.
Mark
On Fri, 1 Jul 2011, Tom McGlynn wrote:
> [I hit reply rather than reply all, so originally this went only to Paul.
> TMcG.]
>
> In my discussions with the security people, they made it clear that both the
> query and the results were part of what made the transaction suspicious. They
> explicitly stated that were the results gzip-encoded we would not have
> triggered their alarms. One alternative that Mark Taylor suggested in another
> message was to use binary-encoded VOTables. GAVO uses these, so I've just
> begun to support reading them myself, but I'd not seen them elsewhere. Is
> support for reading these widespread? TOPCAT handles them of course.
>
> Tom
>
> Paul Harrison wrote:
> > On 2011-06-30, at 21:35, Tom McGlynn wrote:
> >
> > > NASA sites are a prominent target for hackers and so Goddard uses
> > > automated tools that look for a variety of exploits including SQL
> > > injection attacks. Currently TAP schema queries can trigger these. While
> > > our security folks don't want to be too specific as to what the triggers
> > > are I believe that the combination of:
> > >
> > > Support of arbitrary SQL in the query
> > > Lack of passwords
> > > Results that look like table schemas (because they are)
> > > Output in clear text
> > >
> > > play a major role in making things look suspicious. While they can turn
> > > off checking altogether that would mean that any real successful SQL
> > > injection attack could go undetected and we have lots of attempts every
> > > day.
> > >
> > > One solution that I had hoped might work was to use a GZIP transfer
> > > encoding (or content encoding) for the query results. Unfortunately it
> > > doesn't look like clients currently note the HTTP encoding headers.
> > >
> > > NASA is probably a bit more paranoid about this than some, but I suspect
> > > that this will become a more common issue as time goes on.
> > > Support for content or transfer encoding is an HTTP level issue so I don't
> > > think it requires any change to the TAP standard, just clients that look
> > > for the appropriate HTTP headers. Would it be reasonable to request that
> > > clients support gzip encoding? In addition to addressing this security issue
> > > I suspect this would generally substantially decrease the size of
> > > downloaded data and make our queries more responsive.
> > >
> > Surely the appearance of SQL in the query is what triggers the anti-hack
> > filter - the results cannot be the cause as they are in VOTable and I would
> > be very surprised if any anti-hacker tools know about VOTable....
> > So I bet looking for some form of encoding for the query would be more
> > effective in this case - however if it was any sort of standard encoding
> > then the anti-hacker tool ought to be decoding it anyway if it is any good,
> > so I think that would not work either...
> >
> > SQL injection attacks are a legitimate concern for the implementors of TAP
> > servers too - don't pass the query in a raw unparsed state straight to your
> > database in your TAP server... So I think that the TAP server implementations
> > have to be the guardians in this case and the general anti-hack tool turned
> > off for the TAP servers...
> >
> >
> > Paul.
>
>
--
Mark Taylor Astronomical Programmer Physics, Bristol University, UK
m.b.taylor at bris.ac.uk +44-117-928-8776 http://www.star.bris.ac.uk/~mbt/
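Added example, not code from this thread nor from STIL, TOPCAT or any TAP service: the client-side behaviour Tom asks for, namely sending Accept-Encoding: gzip and undoing Content-Encoding on the reply before the bytes reach the VOTable parser. The server here is a stand-in function, the VOTable is a constructed TAP_SCHEMA-style result, and the 64 MiB cap is an assumed limit; it is there because a client that decompresses blindly can be fed a small gzip body that expands to gigabytes.

```python
import gzip
import io

# Constructed sample (not real service output): a TAP_SCHEMA-style VOTable.
SAMPLE_VOTABLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<VOTABLE version="1.2" xmlns="http://www.ivoa.net/xml/VOTable/v1.2">
 <RESOURCE type="results">
  <TABLE>
   <FIELD name="table_name" datatype="char" arraysize="*"/>
   <FIELD name="description" datatype="char" arraysize="*"/>
   <DATA><TABLEDATA>
    <TR><TD>TAP_SCHEMA.tables</TD><TD>tables published by this service</TD></TR>
    <TR><TD>TAP_SCHEMA.columns</TD><TD>columns of the published tables</TD></TR>
   </TABLEDATA></DATA>
  </TABLE>
 </RESOURCE>
</VOTABLE>
"""

MAX_DECODED = 64 * 1024 * 1024  # assumed cap on decompressed size (gzip bombs)


def _header(headers, name):
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def tap_request_headers():
    """What a TAP client sends so the server is allowed to gzip the result."""
    return {"Accept": "application/x-votable+xml", "Accept-Encoding": "gzip"}


def simulated_tap_server(request_headers, votable=SAMPLE_VOTABLE):
    """Stand-in for a TAP sync endpoint (hypothetical, not any real server):
    gzip the body only if the client advertised gzip, and label it."""
    accepts = _header(request_headers, "Accept-Encoding") or ""
    tokens = [t.strip().split(";")[0].lower() for t in accepts.split(",")]
    headers = {"Content-Type": "application/x-votable+xml"}
    if "gzip" in tokens:
        headers["Content-Encoding"] = "gzip"
        return headers, gzip.compress(votable)
    return headers, votable


def decode_body(response_headers, body, max_bytes=MAX_DECODED):
    """Undo Content-Encoding before parsing. The header lists encodings in the
    order they were applied, so they are removed in reverse; decompression is
    streamed so the size cap is enforced before memory is exhausted."""
    raw = _header(response_headers, "Content-Encoding") or "identity"
    encodings = [e.strip().lower() for e in raw.split(",") if e.strip()]
    for enc in reversed(encodings):
        if enc in ("gzip", "x-gzip"):
            out = io.BytesIO()
            with gzip.GzipFile(fileobj=io.BytesIO(body)) as gz:
                while True:
                    chunk = gz.read(65536)
                    if not chunk:
                        break
                    out.write(chunk)
                    if out.tell() > max_bytes:
                        raise ValueError("decoded body exceeds %d bytes" % max_bytes)
            body = out.getvalue()
        elif enc == "identity":
            continue
        else:
            raise ValueError("unsupported Content-Encoding: " + enc)
    return body


def fetch_tap_result(client_headers):
    """The whole exchange: request, simulated response, decoded VOTable bytes."""
    headers, wire_body = simulated_tap_server(client_headers)
    return headers, decode_body(headers, wire_body)


if __name__ == "__main__":
    hdrs, body = fetch_tap_result(tap_request_headers())
    print(hdrs, len(body), b"<VOTABLE" in body)
```

Note that Transfer-Encoding (chunked and the like) is hop-by-hop and is normally removed by the HTTP library, whereas Content-Encoding is end-to-end and, in Python's urllib.request for instance, is not undone for you; that is exactly the header a client has to look at itself.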
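Added example, not code from this thread nor from any TAP implementation, of the server-side guardian role Paul describes: a gate that refuses to forward a query to the database unless it is a single SELECT against tables the service actually publishes. It is deliberately a coarse filter, not an ADQL parser; a real TAP server parses the ADQL grammar and generates the SQL itself. The table list, the keyword deny-list (UNION is included on the assumption that this hypothetical service does not offer it) and the decision to reject double-quoted identifiers are all assumptions of this example.

```python
import re

# Constructed: tables this hypothetical service publishes (lower-cased).
KNOWN_TABLES = {
    "tap_schema.schemas", "tap_schema.tables", "tap_schema.columns",
    "tap_schema.keys", "tap_schema.key_columns", "ivoa.obscore",
}

# Assumed deny-list: none of these belong in a read-only ADQL SELECT here.
FORBIDDEN = {
    "insert", "update", "delete", "drop", "alter", "create", "truncate",
    "grant", "revoke", "exec", "execute", "into", "union", "pg_sleep",
}

# An ADQL string literal; a quote inside it is written as two quotes.
_STRING = re.compile(r"'(?:[^']|'')*'")
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")


def gate_adql(query):
    """Return (accepted, reason). Only accepted queries may reach the DB."""
    q = query.strip()
    if not q:
        return False, "empty query"
    # Blank out string literals so their contents cannot trip or dodge checks.
    bare = _STRING.sub("''", q)
    if "'" in bare:
        return False, "unterminated string literal"
    if '"' in bare:
        return False, "delimited identifiers not supported by this gate"
    if ";" in bare:
        return False, "statement separator outside a string"
    if "--" in bare or "/*" in bare:
        return False, "comment outside a string"
    tokens = [t.lower() for t in _IDENT.findall(bare)]
    if not tokens or tokens[0] != "select":
        return False, "only SELECT is allowed"
    bad = FORBIDDEN.intersection(tokens)
    if bad:
        return False, "forbidden keyword: " + ",".join(sorted(bad))
    # Every name after FROM or JOIN must be a published table (or a subquery).
    for i, tok in enumerate(tokens):
        if tok in ("from", "join"):
            if i + 1 >= len(tokens):
                return False, "dangling " + tok.upper()
            ref = tokens[i + 1]
            if ref == "select":  # FROM ( SELECT ... ) subquery
                continue
            if ref not in KNOWN_TABLES:
                return False, "unknown table: " + ref
    return True, "ok"


if __name__ == "__main__":
    for q in ("SELECT TOP 10 table_name FROM TAP_SCHEMA.tables",
              "SELECT * FROM TAP_SCHEMA.tables; DROP TABLE users"):
        print(gate_adql(q), "<-", q)
```

The point of the literal-stripping step is that a legitimate query such as `WHERE description LIKE '%;%'` must pass while `'' OR '1'='1' --` outside a literal must not; both cases are in the checks below.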
More information about the dal mailing list