Feeds

Rich data: the dark side to Web 2.0 applications

With great programming comes great responsibility

High performance access to file storage

Think about HTML for a minute. We don't really "view" web pages anymore. They're programs. We "run" them in our browser. Even a tiny fragment of HTML can contain a script. Even without JavaScript, web pages can be used for a Cross-Site Request Forgery (CSRF) attacks that perform a series of functions for the attacker. That's a kind of program too.

Would you open an HTML document sent to you?

Chain-gang attack

Attackers have now started to chain these attacks and use them in multiple stages. Consider the recent massive bot attacks that used SQL injection to jam JavaScript code into all the strings in a database. The infected data gets used in a web page and the attack redirects the victim's browser to a site that installs malware. You can imagine attacks that are passed from system to system before they are ever executed and their payload is realized.

One factor that makes detecting these attacks difficult is that the web enables so many different types of encoding. There are more than 100 different character encodings, and we've added higher level encodings such as percent-encoding, HTML-entity encoding, and bbcode on top of those.

The real nightmare here is that anywhere downstream, systems may decode this data and reawaken a dormant attack. So, even if your application isn't vulnerable to injection, someone might use the data from your application or service.

As Web 2.0 continues to mashup data from different sources, the likelihood of these attacks increases.

Stamp out injection

You should view untrusted data as though it's malicious code and treat it accordingly: validate, separate, and encode.

Validate: have a whitelist input validation rule for every input - no exceptions. Not just for form fields, but hidden fields, URL parameters, headers, cookies, and all backend systems.

Separate: don't mix up the data into command strings. Wherever possible, you should use parameterized interfaces, such as PreparedStatement in Java, that prevent injection by keeping code and data separate.

Encode: encode untrusted data for the destination. One thing you absolutely have to do, but almost nobody does, is specify the character set you'll be using. Then you'll need a set of methods that apply the proper encoding for the destination, such as an HTML page, HTML attribute, JavaScript, XPath query, LDAP query and so on.

Show you care

Injection is not a new problem - we've known about it for decades. The body of knowledge on XSS and SQL injection is extensive. If your system forwards an attack to an innocent victim, though, you not only make yourself look bad but in the Web 2.0 world there's a chance your software will lead to wider a proliferation of attacks than was possible in the bad old days.

Jeff Williams is the founder and CEO of Aspect Security and the volunteer chair of the Open Web Application Security Project. His latest project is the Enterprise Security API, a free and open set of foundational security building blocks for developers.

High performance access to file storage

More from The Register

next story
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Windows XP still has 27 per cent market share on its deathbed
Windows 7 making some gains on XP Death Day
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
US taxman blows Win XP deadline, must now spend millions on custom support
Gov't IT likened to 'a Model T with a lot of things on top of it'
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.