This week, Gunter Ollmann, manager of X-Force Security Assessment Services at Internet Security Systems, looks at the security issues faced by web application developers.
In my line of work it is inevitable, but always shocking, to see the number of high-risk security flaws developers have left behind. Most worryingly, a major proportion of vulnerabilities are due to a basic misunderstanding of the internet protocol and system software used to host or use the web application.
Many developers fail to understand the nuances of the HTTP protocol and assume that it is too difficult, or not worth the trouble, for an attacker to assault their custom application. Developers must assume that every packet of data not coming from the organisation's hosts and servers can be modified.
Even 'security aware' sites only infrequently manage to implement input validation rules for client data correctly. Unfortunately, all client-side checking and data validation can be bypassed by an attacker using commonly available tools and methodologies.
The only real solution is to validate all client content at the server-side before processing further within the application.
Too often, submitting unexpected characters (single quotes, plus signs and the like), numbers or data lengths to form fields results in error messages that reveal the inner workings of the application.
With this information the attacker can craft data payloads tailored to the custom application that compromise the integrity of the organisation's data or hosts.
Most developers tend to assume that the data supplied to their application by the hosting software will be correct and safe.
Many server compromises have been achieved when the hosting software has failed to identify and correctly restrict client URLs to directory paths related to the web application's data paths.
A lethal habit among too many developers is to grant whatever file and access permissions are needed to get the application running correctly, however broad those permissions are.
Commercial developers of popular operating systems and hosting software have also failed to grasp many of these nuances.
Many of the disclosed vulnerabilities relating to alternative character representations (e.g. escape and Unicode encoding) could have been averted by following existing HTTP guidelines and a multitude of RFCs on handling client data, particularly the recommendation to ensure that data is only ever decoded once.
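As an added illustration of the decode-once recommendation and of restricting client URLs to the application's data paths (example code, not from the column or from ISS), the block below resolves one client path two ways against an assumed web root: decoding once and checking the canonical result, versus filtering the raw text and then decoding twice, as happens when the hosting software and the application each decode. All request paths are constructed for the demonstration.

```python
# Added example, not code from the column or from ISS: one client path is
# resolved two ways against an assumed web root, to show why data must be
# decoded exactly once and checked only after canonicalisation.
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/app/data"  # assumed layout for the demonstration


def canonical(decoded: str) -> str:
    """Join a decoded, relative client path to WEB_ROOT and normalise it
    lexically ('.', '..', '//'), without touching the filesystem."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))


def resolve_decode_once(raw_path: str) -> Optional[str]:
    """Recommended ordering: decode once, canonicalise, then check that the
    result is still inside WEB_ROOT. Returns None when the request is rejected."""
    decoded = unquote(raw_path)            # exactly one decoding pass
    if "\x00" in decoded:                  # embedded NUL truncates C string APIs
        return None
    path = canonical(decoded)
    if path != WEB_ROOT and not path.startswith(WEB_ROOT + "/"):
        return None                        # escaped the data directory
    return path


def resolve_check_then_decode(raw_path: str) -> Optional[str]:
    """Flawed ordering for comparison: filter the raw string, then decode it
    twice (what happens when the server and the application each decode)."""
    if ".." in raw_path:
        return None                        # looks safe, but runs on encoded text
    return canonical(unquote(unquote(raw_path)))


if __name__ == "__main__":
    # Constructed request paths; the last one is a double-encoded '../'.
    for raw in ("reports/q1.txt",
                "reports/%2e%2e/%2e%2e/etc/passwd",
                "%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd"):
        print(f"{raw!r:62} once={resolve_decode_once(raw)!r} "
              f"check-first={resolve_check_then_decode(raw)!r}")
```

With the recommended ordering the double-encoded path decodes to a literal filename containing '%2e' that stays under the web root, while the check-then-decode variant resolves it outside the data directory.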
Authentication processes have always been pivotal in securing critical applications. Organisations consistently fail to grasp the many different methods by which clients can access their web application, and the scope of functionality that their browsers may possess.
Fundamental security best practices are often not observed. Authentication failure messages such as 'This user does not exist' or 'The password is incorrect', while helpful to site clients, also help attackers compromise the authentication process with automated tools, since they reveal which part of the credential was wrong.
Unfortunately, the knowledge required to ensure that a web application has been developed securely is currently held by only a small proportion of developers and security professionals.
Although there are many books and electronic documents detailing the specific risks of known security flaws, and advising on good programming techniques, information on developing secure web-based applications is difficult to find for many developers.
While there are many courses on how to program in C, or develop .ASP applications, courses specifically tuned to system developers on the necessary security fundamentals are not currently available.