Feeds

Rich data: the dark side to Web 2.0 applications

With great programming comes great responsibility

Securing Web Applications Made Simple and Scalable

All web applications allow some form of rich data, but that rich data has become a key part of Web 2.0. Data is "rich" if it allows markup, special characters, images, formatting, and other complex syntax. This richness allows users create new and innovative content and services.

Unfortunately, richness affords attackers an unprecedented opportunity to bury attacks targeting users and systems downstream of the offending application or service supplier.

Even in the early days of Web 2.0, this is a huge problem: at least half the vulnerabilities that plague web applications and web services involve some form of injection.

The software industry already has a poor reputation for delivering software that doesn't work or contains security holes. Imagine how bad things will get in a world where people pick up vulnerabilities and hacks by connecting to dynamic web sites and "mashing up" applications.

Here are some things to bear in mind, to protect both your reputation and your users' systems and data.

Unscramble the egg

One of the oldest security principles in the book is you should always keep code and data separate. Once you mix them together, it's almost impossible separate them again. Unfortunately, most of the data formats and protocols we're using today mixing code and data like a bad DJ hashing up a cross fade. That's why injection is going to be with us for a long time.

HTML is one of the worst offenders. JavaScript code can be placed in a huge number of places with dozens of different forms and encodings - see the XSS cheatsheet for some examples. HTML allows JavaScript in the header, body, dozens of event handlers, links, CSS definitions, and style attributes.

There's no simple validation that can detect all the variants of code in all these places. However, you have to have a full security parser to validate HTML data before you can use it.

Untrusted data is code

Almost everything connected to the internet will execute data if an attacker buries the right kind of code in it. The code might be JavaScript, VB, SQL, LDAP, XPath, shell script, machine code or a hundred others depending on where that data goes.

SQL injection is just an attacker sneaking malicious SQL inside user inputs that gets concatenated into a query. Injected code isn't just a snippet anymore - it might be a huge program.

What's important to remember is that every piece of untrusted data - every form field, every URL parameter, every cookie, and every XML parameter - might contain injected code for some downstream system. If you're not absolutely sure there is no code in the data - and that's pretty much impossible - then for all you know, that data is really a little program. There is no such thing as plain old "data" anymore.

Bridging the IT gap between rising business demands and ageing tools

Next page: Chain-gang attack

More from The Register

next story
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
KDE releases ice-cream coloured Plasma 5 just in time for summer
Melty but refreshing - popular rival to Mint's Cinnamon's still a work in progress
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Another day, another Firefox: Version 31 is upon us ALREADY
Web devs, Mozilla really wants you to like this one
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.