Feeds

Rich data: the dark side to Web 2.0 applications

With great programming comes great responsibility

Internet Security Threat Report 2014

All web applications allow some form of rich data, but that rich data has become a key part of Web 2.0. Data is "rich" if it allows markup, special characters, images, formatting, and other complex syntax. This richness allows users create new and innovative content and services.

Unfortunately, richness affords attackers an unprecedented opportunity to bury attacks targeting users and systems downstream of the offending application or service supplier.

Even in the early days of Web 2.0, this is a huge problem: at least half the vulnerabilities that plague web applications and web services involve some form of injection.

The software industry already has a poor reputation for delivering software that doesn't work or contains security holes. Imagine how bad things will get in a world where people pick up vulnerabilities and hacks by connecting to dynamic web sites and "mashing up" applications.

Here are some things to bear in mind, to protect both your reputation and your users' systems and data.

Unscramble the egg

One of the oldest security principles in the book is you should always keep code and data separate. Once you mix them together, it's almost impossible separate them again. Unfortunately, most of the data formats and protocols we're using today mixing code and data like a bad DJ hashing up a cross fade. That's why injection is going to be with us for a long time.

HTML is one of the worst offenders. JavaScript code can be placed in a huge number of places with dozens of different forms and encodings - see the XSS cheatsheet for some examples. HTML allows JavaScript in the header, body, dozens of event handlers, links, CSS definitions, and style attributes.

There's no simple validation that can detect all the variants of code in all these places. However, you have to have a full security parser to validate HTML data before you can use it.

Untrusted data is code

Almost everything connected to the internet will execute data if an attacker buries the right kind of code in it. The code might be JavaScript, VB, SQL, LDAP, XPath, shell script, machine code or a hundred others depending on where that data goes.

SQL injection is just an attacker sneaking malicious SQL inside user inputs that gets concatenated into a query. Injected code isn't just a snippet anymore - it might be a huge program.

What's important to remember is that every piece of untrusted data - every form field, every URL parameter, every cookie, and every XML parameter - might contain injected code for some downstream system. If you're not absolutely sure there is no code in the data - and that's pretty much impossible - then for all you know, that data is really a little program. There is no such thing as plain old "data" anymore.

Choosing a cloud hosting partner with confidence

Next page: Chain-gang attack

More from The Register

next story
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
Sway: Microsoft's new Office app doesn't have an Undo function
Content aggregation, meet the workplace ... oh
Sign off my IT project or I’ll PHONE your MUM
Honestly, it’s a piece of piss
Return of the Jedi – Apache reclaims web server crown
.london, .hamburg and .公司 - that's .com in Chinese - storm the web server charts
NetWare sales revive in China thanks to that man Snowden
If it ain't Microsoft, it's in fashion behind the Great Firewall
Chrome 38's new HTML tag support makes fatties FIT and SKINNIER
First browser to protect networks' bandwith using official spec
Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat
Four new patches for open-source crypto libraries
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.