This week, Gunter Ollmann, manager of X-Force Security Assessment Services at Internet Security Systems, looks at the security issues faced by web application developers.
In my line of work it is inevitable, but always shocking, to see the number of high-risk security flaws developers have left behind. Most worryingly, a major proportion of vulnerabilities are due to a basic misunderstanding of the internet protocol and system software used to host or use the web application.
Many developers fail to understand the nuances of the HTTP protocol and assume that it is too difficult, or not worth the trouble, for an attacker to assault their custom application. Developers must assume that every packet of data not coming from the organisation's hosts and servers can be modified.
Occasionally, 'security aware' sites do manage to implement correct input validation rules for client data. Unfortunately, any checking and data validation performed on the client side can be bypassed by an attacker using commonly available tools and methodologies.
The only real solution is to validate all client content at the server-side before processing further within the application.
Too often, the submission of unexpected characters (e.g. single quote, plus, etc.), numbers or data lengths in form fields results in errors that reveal the inner workings of the application.
With this information the attacker can craft data payloads tailored to the custom application that compromise the integrity of the organisation's data or hosts.
Most developers tend to assume that the data supplied to their application by the hosting software will be correct and safe.
Many server compromises have been achieved when the hosting software has failed to identify and correctly restrict client URLs to directory paths related to the web application's data paths.
A lethal habit among too many developers is to grant whatever file and access permissions are needed to get the application running correctly, no matter how broad they are.
Commercial developers of popular operating systems and hosting software have also failed to grasp many of the nuances.
Many of the disclosed vulnerabilities relating to alternative character representations (e.g. escape and Unicode encoding) could have been averted by following existing HTTP guidelines and a multitude of RFCs on handling client data, particularly the recommendation to ensure that data is only ever decoded once.
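The "decode once" recommendation above, illustrated as an added example (not code from the column or from ISS): a request-path handler that validates after one decode but decodes a second time before use, beside the hardened version that validates the exact value it will use. The document root, the handler names and the request paths are constructed for the illustration.

```python
from urllib.parse import unquote
import posixpath

DOCROOT = "/var/www/app/data"  # assumed document root for the illustration


def is_within_docroot(path: str) -> bool:
    """Server-side check: the normalised target must stay under DOCROOT."""
    full = posixpath.normpath(posixpath.join(DOCROOT, path.lstrip("/")))
    return full == DOCROOT or full.startswith(DOCROOT + "/")


def resolve_decode_twice(raw_path: str):
    """Flawed handler: validates the once-decoded value, then decodes again.

    Returns the filesystem path it would open, or None if validation fails.
    The value that was validated is no longer the value that is used.
    """
    once = unquote(raw_path)
    if not is_within_docroot(once):
        return None
    used = unquote(once)  # second decode turns '%2e%2e' into '..' after the check
    return posixpath.normpath(posixpath.join(DOCROOT, used.lstrip("/")))


def resolve_decode_once(raw_path: str):
    """Hardened handler: decode exactly once and validate the value actually used."""
    used = unquote(raw_path)
    if not is_within_docroot(used):
        return None
    return posixpath.normpath(posixpath.join(DOCROOT, used.lstrip("/")))


if __name__ == "__main__":
    # Constructed sample request paths: a normal file, a plainly encoded
    # traversal, and the same traversal percent-encoded a second time.
    for raw in ("reports/q1.txt", "%2e%2e/%2e%2e/etc/passwd",
                "%252e%252e/%252e%252e/etc/passwd"):
        for name, handler in (("twice", resolve_decode_twice),
                              ("once", resolve_decode_once)):
            target = handler(raw)
            inside = target is not None and is_within_docroot(
                target[len(DOCROOT):])
            print(f"{name:5} {raw:36} -> {target} (inside docroot: {inside})")
```

With the doubly encoded path, the flawed handler passes validation and then resolves to a file outside the document root, while the hardened handler resolves only to a harmless literal filename under it.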
Authentication processes have always been pivotal in securing critical applications. Organisations consistently fail to grasp the many different methods by which clients can access their web application, and the scope of functionality that their browsers may possess.
Fundamental security best practices are often not observed. Authentication failures such as 'This user does not exist' or 'The password is incorrect', while helpful to site clients, also help attackers compromise the authentication process through automated processes.
Unfortunately, the knowledge required to ensure that a web application has been developed securely is currently reserved to only a small proportion of developers and security professionals.
Although there are many books and electronic documents detailing the specific risks of known security flaws, and advising on good programming techniques, information on developing secure web-based applications is difficult to find for many developers.
While there are many courses on how to program in C, or develop .ASP applications, courses specifically tuned to system developers on the necessary security fundamentals are not currently available.