Sunday, June 28, 2009

Where do you start when hacking a web application?

Many web applications today claim to be secure. According to the Web Hacker's Handbook, many sites tout their use of SSL as proof that they are secure. Of course, SSL is good: it prevents eavesdropping and keeps your content safe in transit between browser and server over the Internet. It says nothing, however, about what the application does with the data once it arrives.

The fundamental security problem with most web applications is that their input is not under the application's direct control. Users all over the world can submit arbitrary input to the application. The developers of the target application must therefore assume that every piece of input is malicious. The list of the Top 25 Most Dangerous Programming Errors compiled by the SANS Institute and MITRE in January 2009 describes the top two errors, which revolve around malicious input and improper escaping of output.

The simple fact is that any user anywhere in the world can craft a special string and send it to any publicly accessible application, with the potential to wreak havoc for the organization. Couple that with the fact that the user doesn't have to use a web browser to interact with the application. There are numerous freely downloadable tools that can interact with web applications, even trapping the request from the client before it reaches the server and giving the attacker the ability to modify parameters, which completely bypasses any validation done in the browser. The only validation that counts is the validation the server performs itself.
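The two points above (every input must be treated as malicious, and anything the browser checks can be skipped) come down to one rule on the server: re-validate every parameter and escape it on the way back out. The following is an added example written for this post, not code from the post or from any particular framework; the `render_profile` handler, its `username` and `bio` parameters, and the sample requests are all hypothetical and constructed here. The second sample request represents a parameter that the browser-side form would never have produced, which is exactly the case a hand-built request creates.

```python
import html
import re
from dataclasses import dataclass

# Hypothetical profile-page handler. Assumed: the parameters "username" and
# "bio" arrive as plain strings. The browser form only allowed alphanumerics
# in "username", but that check cannot be trusted, because the request may
# not have come from our form at all.

# Allow-list of what a username may look like (not a deny-list of bad chars).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")
BIO_MAX_LEN = 500


@dataclass
class Response:
    status: int
    body: str


def validate_username(value: str) -> bool:
    """Server-side re-check of the rule the browser form claimed to enforce."""
    return bool(USERNAME_RE.fullmatch(value))


def render_profile(username: str, bio: str) -> Response:
    """Validate every parameter on the server, then escape before it lands in HTML."""
    if not validate_username(username):
        return Response(400, "<p>invalid username</p>")
    if len(bio) > BIO_MAX_LEN:
        return Response(400, "<p>bio too long</p>")
    # Free text cannot be allow-listed, so it is escaped on output: the
    # browser then treats it as text, never as markup or attributes.
    safe_bio = html.escape(bio, quote=True)
    body = f"<h1>{html.escape(username)}</h1><p>{safe_bio}</p>"
    return Response(200, body)


# Constructed sample requests: the first is what the form would send, the
# second and third are hand-crafted requests that skipped the browser.
SAMPLE_REQUESTS = [
    {"username": "alice_01", "bio": "Hello & welcome"},
    {"username": "bob<script>", "bio": "x"},
    {"username": "carol", "bio": '<b>hi</b> & "quoted"'},
]


def handle_all(requests=None):
    """Run every sample request through the handler and return the responses."""
    if requests is None:
        requests = SAMPLE_REQUESTS
    return [render_profile(r["username"], r["bio"]) for r in requests]


if __name__ == "__main__":
    for resp in handle_all():
        print(resp.status, resp.body)
```

The allow-list for `username` rejects the second request outright, while the free-text `bio` in the third request is accepted but rendered as literal text. Neither decision depends on anything the client did.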

The next post will get into the beginnings of how to use tools to completely map a target application.
