Rich data: the dark side to Web 2.0 applications
With great programming comes great responsibility
All web applications allow some form of rich data, but that rich data has become a key part of Web 2.0. Data is "rich" if it allows markup, special characters, images, formatting, and other complex syntax. This richness allows users create new and innovative content and services.
Unfortunately, richness affords attackers an unprecedented opportunity to bury attacks targeting users and systems downstream of the offending application or service supplier.
Even in the early days of Web 2.0, this is a huge problem: at least half the vulnerabilities that plague web applications and web services involve some form of injection.
The software industry already has a poor reputation for delivering software that doesn't work or contains security holes. Imagine how bad things will get in a world where people pick up vulnerabilities and hacks by connecting to dynamic web sites and "mashing up" applications.
Here are some things to bear in mind, to protect both your reputation and your users' systems and data.
Unscramble the egg
One of the oldest security principles in the book is you should always keep code and data separate. Once you mix them together, it's almost impossible separate them again. Unfortunately, most of the data formats and protocols we're using today mixing code and data like a bad DJ hashing up a cross fade. That's why injection is going to be with us for a long time.
There's no simple validation that can detect all the variants of code in all these places. However, you have to have a full security parser to validate HTML data before you can use it.
Untrusted data is code
SQL injection is just an attacker sneaking malicious SQL inside user inputs that gets concatenated into a query. Injected code isn't just a snippet anymore - it might be a huge program.
What's important to remember is that every piece of untrusted data - every form field, every URL parameter, every cookie, and every XML parameter - might contain injected code for some downstream system. If you're not absolutely sure there is no code in the data - and that's pretty much impossible - then for all you know, that data is really a little program. There is no such thing as plain old "data" anymore.
Would you open an HTML document sent to you?
One factor that makes detecting these attacks difficult is that the web enables so many different types of encoding. There are more than 100 different character encodings, and we've added higher level encodings such as percent-encoding, HTML-entity encoding, and bbcode on top of those.
The real nightmare here is that anywhere downstream, systems may decode this data and reawaken a dormant attack. So, even if your application isn't vulnerable to injection, someone might use the data from your application or service.
As Web 2.0 continues to mashup data from different sources, the likelihood of these attacks increases.
Stamp out injection
You should view untrusted data as though it's malicious code and treat it accordingly: validate, separate, and encode.
Validate: have a whitelist input validation rule for every input - no exceptions. Not just for form fields, but hidden fields, URL parameters, headers, cookies, and all backend systems.
Separate: don't mix up the data into command strings. Wherever possible, you should use parameterized interfaces, such as PreparedStatement in Java, that prevent injection by keeping code and data separate.
Show you care
Injection is not a new problem - we've known about it for decades. The body of knowledge on XSS and SQL injection is extensive. If your system forwards an attack to an innocent victim, though, you not only make yourself look bad but in the Web 2.0 world there's a chance your software will lead to wider a proliferation of attacks than was possible in the bad old days.
Jeff Williams is the founder and CEO of Aspect Security and the volunteer chair of the Open Web Application Security Project. His latest project is the Enterprise Security API, a free and open set of foundational security building blocks for developers.