Code Smell - Squatting-Python Tutorial-php.cn

Home

Backend Development

Python Tutorial

Code Smell - Squatting

PHPz

Aug 14, 2024 am 10:38 AM

Don't use guessable names in advance on mission-critical resources

TL;DR: Secure your cloud resources by avoiding predictable naming patterns.

Problems

Predictable names
Unauthorized access
Data exposure risks
Shadow resources
Account takeovers
Idor vulnerability
Premature Optimization

Solutions

Use unique bucket names with dark keys
Verify ownership on creation
Secure resources fully
Have indirections obfuscating real names
Book names to prevent squatting
Randomize names

Context

Resource squatting happens when attackers anticipate the naming patterns of cloud resources, like S3 buckets.

The attacker creates them in regions where the user hasnï¿½t yet deployed resources.

User interaction with these attacker-owned resources can lead to severe security breaches like data exposure, unauthorized access, or account takeovers.

This vulnerability is critical in environments like AWS, where predictable naming conventions are often used.

Many systems avoid this indirection fearing the performance penalty which is a clear case of premature optimization.

Sample Code

Wrong

def create_bucket(account_id, region):
    bucket_name = f"aws-glue-assets-{account_id}-{region}"
    create_s3_bucket(bucket_name)  
   # This is deterministic and open

Right

import uuid

def create_bucket(account_id, region):
    unique_id = uuid.uuid4().hex
    # This number is not deterministic
    # is a way to generate a random UUID (Universally Unique Identifier) 
    # in Python and then retrieve it as a hexadecimal string.
    bucket_name = f"aws-glue-assets-{unique_id}-{account_id}-{region}"
    create_s3_bucket(bucket_name)
    verify_bucket_ownership(bucket_name, account_id)

Detection

[X] Automatic

A security audit can detect this smell by analyzing your resource names for predictability.

Look for patterns in names that an attacker can easily anticipate or guess.

Many automated tools and manual code reviews can help identify these risks.

Level

[X] Intermediate

AI Generation

AI generators may create this smell using standard templates with predictable naming patterns.

Always customize and review generated code for security.

AI Detection

AI can help detect this smell if configured with rules that identify predictable or insecure resource naming conventions.

This is a security risk that requires understanding of cloud infrastructure and potential attack vectors.

Conclusion

Avoiding predictable naming patterns is critical to securing your cloud resources.

Always use unique, obscure, hard-to-guess names, and also verify resource ownership to protect against squatting attacks.

Relations

Code Smell 120 - Sequential IDs

Maxi Contieri ・ Mar 10 '22

More Info

Gb Hackers

Wikipedia

Disclaimer

Code Smells are my opinion.

Credits

Photo by Felix Koutchinski on Unsplash

The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it.

Gene Spafford

Software Engineering Great Quotes

Maxi Contieri ・ Dec 28 '20

#codenewbie #programming #quotes #software

This article is part of the CodeSmell Series.

How to Find the Stinky parts of your Code

Maxi Contieri ・ May 21 '21

#codenewbie #tutorial #codequality #beginners

The above is the detailed content of Code Smell - Squatting. For more information, please follow other related articles on the PHP Chinese website!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

How to Use Python to Find the Zipf Distribution of a Text FileMar 05, 2025 am 09:58 AM

This tutorial demonstrates how to use Python to process the statistical concept of Zipf's law and demonstrates the efficiency of Python's reading and sorting large text files when processing the law. You may be wondering what the term Zipf distribution means. To understand this term, we first need to define Zipf's law. Don't worry, I'll try to simplify the instructions. Zipf's Law Zipf's law simply means: in a large natural language corpus, the most frequently occurring words appear about twice as frequently as the second frequent words, three times as the third frequent words, four times as the fourth frequent words, and so on. Let's look at an example. If you look at the Brown corpus in American English, you will notice that the most frequent word is "th

How Do I Use Beautiful Soup to Parse HTML?Mar 10, 2025 pm 06:54 PM

This article explains how to use Beautiful Soup, a Python library, to parse HTML. It details common methods like find(), find_all(), select(), and get_text() for data extraction, handling of diverse HTML structures and errors, and alternatives (Sel

Image Filtering in PythonMar 03, 2025 am 09:44 AM

Dealing with noisy images is a common problem, especially with mobile phone or low-resolution camera photos. This tutorial explores image filtering techniques in Python using OpenCV to tackle this issue. Image Filtering: A Powerful Tool Image filter

How to Perform Deep Learning with TensorFlow or PyTorch?Mar 10, 2025 pm 06:52 PM

This article compares TensorFlow and PyTorch for deep learning. It details the steps involved: data preparation, model building, training, evaluation, and deployment. Key differences between the frameworks, particularly regarding computational grap

Introduction to Parallel and Concurrent Programming in PythonMar 03, 2025 am 10:32 AM

Python, a favorite for data science and processing, offers a rich ecosystem for high-performance computing. However, parallel programming in Python presents unique challenges. This tutorial explores these challenges, focusing on the Global Interprete

How to Implement Your Own Data Structure in PythonMar 03, 2025 am 09:28 AM

This tutorial demonstrates creating a custom pipeline data structure in Python 3, leveraging classes and operator overloading for enhanced functionality. The pipeline's flexibility lies in its ability to apply a series of functions to a data set, ge

Serialization and Deserialization of Python Objects: Part 1Mar 08, 2025 am 09:39 AM

Serialization and deserialization of Python objects are key aspects of any non-trivial program. If you save something to a Python file, you do object serialization and deserialization if you read the configuration file, or if you respond to an HTTP request. In a sense, serialization and deserialization are the most boring things in the world. Who cares about all these formats and protocols? You want to persist or stream some Python objects and retrieve them in full at a later time. This is a great way to see the world on a conceptual level. However, on a practical level, the serialization scheme, format or protocol you choose may determine the speed, security, freedom of maintenance status, and other aspects of the program

Mathematical Modules in Python: StatisticsMar 09, 2025 am 11:40 AM

Python's statistics module provides powerful data statistical analysis capabilities to help us quickly understand the overall characteristics of data, such as biostatistics and business analysis. Instead of looking at data points one by one, just look at statistics such as mean or variance to discover trends and features in the original data that may be ignored, and compare large datasets more easily and effectively. This tutorial will explain how to calculate the mean and measure the degree of dispersion of the dataset. Unless otherwise stated, all functions in this module support the calculation of the mean() function instead of simply summing the average. Floating point numbers can also be used. import random import statistics from fracti

See all articles