Re: RFC 9205 vs. CL0P

The ransomware attack in question was kicked off by three unauthenticated POST requests (this is as I understand it). The first one went to port 80, but didn't work. The second one also went to port 80 but did work. The third one was the same as the second, but went to port 443. The SQL endpoint's response was an authentication challenge, but the URI query string (:80) or payload (:443) was processed anyway. BINGO!

So, please forgive me if I have trouble writing it. RFC 9205 4.5.3, POST... MUST NOT process "representation data or payload" unless and until the request has been authenticated, doesn't roll off the tongue. But that's the gist of what I'm saying: it takes less time to just hack someone this way than it does to write the BP spec admonishing against it. Such attacks having been so prevalent for at least a quarter century now... this apparently needs to be identified as a worst practice, in a positive manner of course.
-Eric

Received on Friday, 7 July 2023 08:42:07 UTC
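The ordering failure described in the message above, an endpoint that answers with an authentication challenge but has already acted on the query string or the body, as an added illustration that is not part of the original message and is not code from the product that was attacked. It is a constructed pair of Python `http.server` handlers: one parses and acts on the request data before it checks credentials (so a 401 comes back, but the work was already done), the other follows the RFC 9205 4.5.3 advice the author paraphrases and refuses to touch the query string or body until the request is authenticated. The bearer token, URL path and JSON payload are made-up sample values for this example.

```python
"""Constructed example: the same POST handled with auth-after-processing
(vulnerable ordering) versus auth-before-processing (hardened ordering)."""
import json
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

VALID_TOKEN = "constructed-demo-token"  # placeholder credential, not a real secret


class Store:
    """Records every action a handler carried out, so the test can see what ran."""

    def __init__(self):
        self.actions = []


def authorized(headers):
    return headers.get("Authorization") == f"Bearer {VALID_TOKEN}"


def make_handler(store, check_auth_first):
    """Build a handler class; check_auth_first selects hardened (True) or vulnerable (False) ordering."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def _challenge(self):
            # 401 with a WWW-Authenticate challenge, as the endpoint in the message did
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer realm="demo"')
            self.send_header("Content-Length", "0")
            self.end_headers()

        def do_POST(self):
            if check_auth_first and not authorized(self.headers):
                self._challenge()  # hardened: query string and body are never examined
                return
            # Parse and act on the request data (query string and JSON payload)
            params = parse_qs(urlparse(self.path).query)
            length = int(self.headers.get("Content-Length", 0))
            body = self.rfile.read(length)
            try:
                data = json.loads(body) if body else {}
            except ValueError:
                data = {"raw": body.decode(errors="replace")}
            store.actions.append({"query": params, "body": data})  # the side effect
            if not authorized(self.headers):
                self._challenge()  # vulnerable: challenge sent, but the data was already processed
                return
            self.send_response(200)
            self.send_header("Content-Length", "2")
            self.end_headers()
            self.wfile.write(b"ok")

    return Handler


def run_probe(check_auth_first, token=None):
    """Start a loopback server, send one unauthenticated or authenticated POST,
    and return (status code, number of actions the server performed)."""
    store = Store()
    server = HTTPServer(("127.0.0.1", 0), make_handler(store, check_auth_first))
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        conn = HTTPConnection("127.0.0.1", server.server_address[1])
        headers = {"Content-Type": "application/json"}
        if token:
            headers["Authorization"] = f"Bearer {token}"
        # Constructed request: both a query string and a payload, as in the message
        conn.request("POST", "/api/upload?folder=shared",
                     body=json.dumps({"cmd": "index"}), headers=headers)
        resp = conn.getresponse()
        status = resp.status
        resp.read()
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return status, len(store.actions)


if __name__ == "__main__":
    print("vulnerable ordering, no credentials:", run_probe(False))       # (401, 1)
    print("hardened ordering, no credentials:", run_probe(True))          # (401, 0)
    print("hardened ordering, valid token:", run_probe(True, VALID_TOKEN))  # (200, 1)
```

The status code alone does not distinguish the two servers; both return 401 to the unauthenticated request. The difference is the action count, which is why a defender reviewing such a handler looks at what happens before the credential check rather than at the response the client sees.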