Shostack + Friends Blog


A Tale of Two Addresses

Output encoding is a tool, not a hammer. Or maybe it's a hammer. [Image: two shipping labels, one saying Adam "...]

For ThreatModCon, we had our first ever tradeshow booth for Shostack + Associates. Before I got to the hotel, I had been carefully tracking delivery of our new banner and table throw. When I got there, I immediately went to collect them, and learned that the hotel couldn’t find the banner. They said that the “SPolk” whose name was shown on the Fedex tracking ... wasn’t a name anyone recognized. In fact, when we called Fedex, they claimed that they didn’t have a delivery scan, and didn’t know where the package was. (They still haven’t updated us on their case.)

If you look at the image, you’ll see that one of the addresses starts “Adam "hotel guest"” and ends with “Shosta.” The other says “Adam 'Hotel guest' Shostack.” It seems obvious that this was a security measure.

Eventually, a concierge managed to find the package for us, and I wanted to share the image, which shows that my practice of putting “hotel guest” in the name field messed up delivery. I know it was Fedex because we bought the two items from the same company, and one shipped Fedex, the other UPS.

Apparently, my threat modeling focused on the threat of the hotel rejecting the package. I didn’t consider the threat of bad appsec. I’ve since been advised to not include quotes, parentheses or anything else, and just include Guest at the end.

And while this was both intensely frustrating, as we couldn’t put up our banner in the morning, and very funny as to the cause, there’s an important lesson to be had here. It’s very likely that Fedex applied a layer of output encoding to the name information. And that broke things for my delivery. Arbitrarily adding or removing encodings can be dangerous, and security experts frequently “slather” them on. I’m growing fond of the “domain driven design” paradigm, where the object that owns “name” or perhaps “delivery address” incorporates all the rules: character sets, lengths, relationship to the geographic information. I don’t know what all of those are, but I do know I’d have had a banner day if someone else had brought the knowledge together.
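As an added illustration (my code, not anything from the post or from any carrier's system), here is one way a label like that can come out of a pipeline: an early HTML-encoding pass followed by a fixed-width field that truncates the already-encoded text, next to a domain object that owns the name rules and encodes only at the output sink. The field width and the character rules are assumptions chosen to reproduce the symptom, not any shipper's real policy.

```python
import html
from dataclasses import dataclass

# Constructed sample: the name as typed into the "name" field on the order.
RAW_NAME = 'Adam "hotel guest" Shostack'
FIELD_LEN = 35  # hypothetical label field width, picked to show the failure


def label_encode_then_truncate(name: str, width: int = FIELD_LEN) -> str:
    """Anti-pattern: encode early ("slathered on"), then a later layer with a
    fixed-width field truncates the *encoded* string. Each '"' has become
    '&quot;' (6 chars), so the field overflows and real data falls off the end."""
    return html.escape(name, quote=True)[:width]


@dataclass(frozen=True)
class DeliveryName:
    """Domain object that owns the rules for a label name: the allowed
    character set and the length limit (both assumed here for illustration)."""
    value: str
    max_len: int = FIELD_LEN

    def __post_init__(self):
        if not self.value.strip():
            raise ValueError("name must not be blank")
        if len(self.value) > self.max_len:
            raise ValueError(f"name longer than {self.max_len} characters")
        # Characters that only mean something to a downstream encoder are
        # rejected up front rather than silently rewritten into something else.
        bad = set(self.value) & set('"\'<>&')
        if bad:
            raise ValueError(f"disallowed characters in name: {sorted(bad)}")

    def as_html(self) -> str:
        """Encode at the output boundary only, on the validated value."""
        return html.escape(self.value, quote=True)

    def as_label_text(self) -> str:
        """Plain-text sink (a printed label) gets no HTML encoding at all."""
        return self.value


def check_name(raw: str):
    """None if the name passes the domain rules, otherwise the rejection reason."""
    try:
        DeliveryName(raw)
        return None
    except ValueError as err:
        return str(err)
```

With these assumptions the encode-then-truncate path yields `Adam &quot;hotel guest&quot; Shosta`, while the domain object rejects the quoted name at entry and accepts the plain `Adam Shostack Guest` form unchanged on both sinks.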

Our tradeshow booth with awesome banner and table throw.