Naïve Web Applications
Another class of software exploits you're likely to run into if you administer a web server involves poorly programmed web applications that don't sufficiently check the validity of the data provided to the application by the web user before using that data in the program. You've probably seen your share of web applications before. The way most web applications work is that a user fills in some data on a web form (such as name and address for a mailing list) and clicks submit, or clicks on an order button next to an item on an e-commerce site. The data is then transmitted to the web server, and the application picks up the data and uses it.
Just as programmers sometimes don't anticipate the sheer magnitude of data a user might throw at a program (in a buffer overflow exploit), they sometimes don't anticipate the creative types of data a user might type into a web form field that asks for the user's name. Depending on how thoroughly the application checks for invalid data, an attacker might be able to send data containing characters like a single quote mark, semicolon, dashes, back quotes, percent signs, or other characters or words that have special meaning to the web server, to the application running on the web server, or to the database, and cause it to behave in unanticipated ways that allow the attacker to cause damage. In a particular exploit known as SQL injection, a user embeds database commands into data submitted to a web form.
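The following is an added example, not code from the book, showing the difference the paragraph above describes. A constructed in-memory SQLite table of mailing-list subscribers stands in for the web application's database; `lookup_unsafe` pastes the submitted name straight into the SQL text (the naive pattern), while `lookup_safe` binds it as a parameter so quote marks stay data. A small allowlist check (`is_valid_name`, an assumed rule for this example) shows the input validation the text recommends as an additional layer.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database (not from the book): two subscribers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO subscribers VALUES (?, ?)",
        [("Alice", "alice@example.com"), ("Bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Naive version: the user's input becomes part of the SQL statement.

    A name containing a single quote changes the query's structure: an
    apostrophe in a legitimate name breaks the statement, and a crafted
    value can alter the WHERE clause to return rows it should not.
    """
    sql = "SELECT name, email FROM subscribers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened version: parameter binding keeps the input out of the SQL.

    The database driver sends the statement and the value separately, so
    the value is compared literally no matter which characters it holds.
    """
    sql = "SELECT name, email FROM subscribers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Assumed allowlist for a person's name: letters, spaces, dots, hyphens and
# apostrophes, at most 64 characters. Validation is defence in depth on top
# of parameter binding, not a replacement for it.
NAME_PATTERN = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")


def is_valid_name(name):
    """Return True only if the submitted name matches the allowlist."""
    return NAME_PATTERN.fullmatch(name) is not None


def probe_unsafe(conn, name):
    """Run the naive lookup and report ('ok', rows) or ('error', message)."""
    try:
        return ("ok", lookup_unsafe(conn, name))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for submitted in ["Alice", "O'Brien", "x' OR '1'='1"]:
        print(repr(submitted))
        print("  allowlisted:", is_valid_name(submitted))
        print("  naive query: ", probe_unsafe(db, submitted))
        print("  bound query: ", lookup_safe(db, submitted))
```

Running the block prints that the naive query works for `Alice`, fails with a syntax error for the legitimate name `O'Brien`, and returns every subscriber for the crafted value, while the parameterised query returns exactly the rows whose name equals the submitted string; the allowlist rejects the crafted value before any query runs.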
A complete explanation of this is far beyond the scope of this book, but the exploitation of software vulnerabilities in web applications is becoming more and more common, and those who follow the field of computer security cite it as an area of concern. For example, the most recent OpenHack challenge, OpenHack 4 [96], in which systems are made available over the Internet and users are invited to challenge their security, focuses on application security and involves both Microsoft and Oracle applications.
The important thing to remember about software exploits is that you can help protect your systems against them by keeping the software you run up to date and by educating the programmers in your organization on how to write secure code. Some excellent references on this subject are: Writing Secure Code [97] by Michael Howard and David LeBlanc, the Open Web Application Security Project Guide [98], and Designing Secure Web-Based Applications for Microsoft Windows 2000 [99] by Michael Howard et al.
If you're writing web applications, or know someone in your company who does, we can't say it strongly enough -- THEY NEED THIS INFO. If they don't think they need it, then, seriously, they REALLY need it, because it's likely they've made a false assumption or two about what safe web application coding looks like.
97. Howard, Michael and David LeBlanc, Writing Secure Code, Microsoft Press, November 2001, http://www.nerdbooks.com/item.html?id=0735615888
99. Howard, Michael, Marc Levy, Richard Waymire and Doug Bayer, Designing Secure Web-Based Applications for Microsoft Windows 2000, Microsoft Press, July 2000, http://www.nerdbooks.com/item.html?id=0735609950
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.