Feeds

Rich data: the dark side to Web 2.0 applications

With great programming comes great responsibility

SANS - Survey on application security programs

All web applications allow some form of rich data, but that rich data has become a key part of Web 2.0. Data is "rich" if it allows markup, special characters, images, formatting, and other complex syntax. This richness allows users create new and innovative content and services.

Unfortunately, richness affords attackers an unprecedented opportunity to bury attacks targeting users and systems downstream of the offending application or service supplier.

Even in the early days of Web 2.0, this is a huge problem: at least half the vulnerabilities that plague web applications and web services involve some form of injection.

The software industry already has a poor reputation for delivering software that doesn't work or contains security holes. Imagine how bad things will get in a world where people pick up vulnerabilities and hacks by connecting to dynamic web sites and "mashing up" applications.

Here are some things to bear in mind, to protect both your reputation and your users' systems and data.

Unscramble the egg

One of the oldest security principles in the book is you should always keep code and data separate. Once you mix them together, it's almost impossible separate them again. Unfortunately, most of the data formats and protocols we're using today mixing code and data like a bad DJ hashing up a cross fade. That's why injection is going to be with us for a long time.

HTML is one of the worst offenders. JavaScript code can be placed in a huge number of places with dozens of different forms and encodings - see the XSS cheatsheet for some examples. HTML allows JavaScript in the header, body, dozens of event handlers, links, CSS definitions, and style attributes.

There's no simple validation that can detect all the variants of code in all these places. However, you have to have a full security parser to validate HTML data before you can use it.

Untrusted data is code

Almost everything connected to the internet will execute data if an attacker buries the right kind of code in it. The code might be JavaScript, VB, SQL, LDAP, XPath, shell script, machine code or a hundred others depending on where that data goes.

SQL injection is just an attacker sneaking malicious SQL inside user inputs that gets concatenated into a query. Injected code isn't just a snippet anymore - it might be a huge program.

What's important to remember is that every piece of untrusted data - every form field, every URL parameter, every cookie, and every XML parameter - might contain injected code for some downstream system. If you're not absolutely sure there is no code in the data - and that's pretty much impossible - then for all you know, that data is really a little program. There is no such thing as plain old "data" anymore.

High performance access to file storage

Next page: Chain-gang attack

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
IRS boss on XP migration: 'Classic fix the airplane while you're flying it attempt'
Plus: Condoleezza Rice at Dropbox 'maybe she can find ... weapons of mass destruction'
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
New Facebook phone app allows you to stalk your mates
Nearby Friends feature goes live in a few weeks
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.