Re: RFC 9205 vs. CL0P

Even if authenticated, accepting SQL requests fails to embrace a key architectural precept, i.e., information hiding behind a uniform interface. I dealt with an online vendor the other day who was using NetSuite, and I knew it because the URI pattern included *.cfm, i.e., ColdFusion Markup Language (lol, who else uses that now?). You have to work really hard to code CFML to not abstract SQL into named stored procedures.
This key architectural precept is not reflected in RFC 9205, and I'm not sure how to change that.
The next aspect of the ransomware attack was installing a "web shell." 9205 section 4.7 kinda gets close... maybe it's out of scope, but I recommend a whitelist of headers to sanitize requests? I'm sure the pirates have a best-practice document for how to sneak SQL requests and "X-*" headers *iff* the target is vulnerable to such attacks. Shouldn't our BP document explain this? No criticism implied; 9205 is WIP, and these are just my thoughts on the matter in light of current reality.
-Eric

Received on Friday, 7 July 2023 09:28:21 UTC
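The two points raised above (hide SQL behind a uniform interface of named operations, and allowlist request headers before dispatch) as a worked example. This is added illustration code, not part of the original message, RFC 9205, or any product mentioned; the header allowlist, the operation names, the `orders`/`users` tables and their rows are all constructed for the demo, and SQLite parameterised statements stand in for stored procedures because SQLite has none.

```python
"""Added example: raw-SQL endpoint (anti-pattern) vs. a uniform interface of
named, parameterised operations, with a request-header allowlist in front.
All tables, rows, header names and operation names are constructed for the demo.
"""
import sqlite3

# Constructed allowlist: only headers the service actually needs survive.
# Anything else (X-Cmd, X-Forwarded-Whatever, ...) is dropped, not inspected.
HEADER_ALLOWLIST = frozenset(
    {"host", "content-type", "content-length", "accept", "authorization"}
)

# The uniform interface: a fixed catalogue of named operations, each bound to
# one parameterised statement and the exact parameter names it accepts.
# (Stand-in for stored procedures; the client never sees or sends SQL text.)
OPERATIONS = {
    "get_order": (
        "SELECT id, customer, total FROM orders WHERE id = ?",
        ("order_id",),
    ),
    "orders_for_customer": (
        "SELECT id, customer, total FROM orders WHERE customer = ?",
        ("customer",),
    ),
}


def setup_db():
    """In-memory SQLite with constructed sample data, including a table the
    client should never be able to reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)"
    )
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 19.99), (2, "bob", 5.0), (3, "alice", 42.0)],
    )
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-hash')")
    conn.commit()
    return conn


def filter_headers(headers):
    """Return (kept, dropped): kept is the lower-cased allowlisted subset,
    dropped lists the original names that were discarded."""
    kept, dropped = {}, []
    for name, value in headers.items():
        if name.lower() in HEADER_ALLOWLIST:
            kept[name.lower()] = value
        else:
            dropped.append(name)
    return kept, dropped


def raw_sql_endpoint(conn, sql):
    """Anti-pattern: executes whatever the (even authenticated) client sent.
    Nothing is hidden: any table, including users, is one query away."""
    return conn.execute(sql).fetchall()


def uniform_endpoint(conn, request):
    """Accepts {"op": <name>, "params": {<name>: <value>, ...}} only.
    Unknown operations and unexpected/missing parameters are refused; values
    are bound, never interpolated, so they cannot change the statement."""
    op = request.get("op")
    if not isinstance(op, str) or op not in OPERATIONS:
        return {"error": "unknown operation"}
    stmt, param_names = OPERATIONS[op]
    params = request.get("params", {})
    if not isinstance(params, dict) or set(params) != set(param_names):
        return {"error": "bad parameters"}
    args = tuple(params[name] for name in param_names)
    return {"rows": conn.execute(stmt, args).fetchall()}


def handle(conn, headers, request):
    """Front door: strip non-allowlisted headers, then dispatch to the
    uniform interface. Returns (response, dropped_headers)."""
    _kept, dropped = filter_headers(headers)
    return uniform_endpoint(conn, request), dropped


if __name__ == "__main__":
    db = setup_db()
    print(raw_sql_endpoint(db, "SELECT name FROM users"))  # leaks the users table
    print(handle(db, {"Host": "shop.example", "X-Cmd": "whoami"},
                 {"op": "get_order", "params": {"order_id": 1}}))
    print(uniform_endpoint(db, {"op": "SELECT name FROM users"}))
```

The contrast to notice: `raw_sql_endpoint` happily returns the `users` table, while the uniform interface has no operation that can reach it, and a value such as `"1 OR 1=1"` passed as `order_id` is bound as a literal and simply matches nothing. The header filter is an allowlist rather than a blocklist for the same reason: there is no need to recognise every header an attacker might try if everything unexpected is dropped.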