Monday, August 13, 2007

Web Application Security

Web applications are at particular risk because most of them are reachable by anyone with Internet access. They are frequently compromised by script exploits.

Most script exploits require the application to accept malicious input and inject it into a page, where it is then executed on the server or in the client's browser. The potential damage depends on the script that gets executed (taking over a system, installing malware, deleting data, and so on).

The primary defense against script exploits is to never trust information obtained from users. This applies to both incoming and outgoing user data (data written to and data read back from the database).

There are many things a developer can do to protect an application against script exploits. Data entered by users should always be validated. Form values should be HTML-encoded before they are rendered. Dynamic SQL is flexible, but it can expose your data. Prefer parameterized queries over SQL statements assembled by string concatenation.

In this simple example:

"Select * From Customers Where LastName = '" & txtLastName.Value & "'"

A malicious user who knows something about databases could turn that SQL statement into:

Select * From Customers Where LastName = 'a'; Delete From Customers Where LastName > ''

When that statement is executed, the database is compromised.
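The following is an added example, not code from the original post: it rebuilds the post's Customers lookup in Python with an in-memory SQLite table (constructed sample rows) and shows the concatenated query beside its parameterized form. SQLite's executescript stands in for a database driver that runs batched statements, which is what lets the injected Delete take effect.

```python
import sqlite3

# Constructed sample data; table and column names follow the post's example.
CUSTOMERS = [("Smith",), ("Jones",), ("a",)]

# Input crafted to close the quoted value and append a second statement.
MALICIOUS = "a'; Delete From Customers Where LastName > '"


def fresh_db():
    """Create an in-memory Customers table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (LastName TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?)", CUSTOMERS)
    return conn


def build_concatenated_sql(last_name):
    """Vulnerable: the same string concatenation as the post's VB snippet."""
    return "Select * From Customers Where LastName = '" + last_name + "'"


def lookup_unsafe(conn, last_name):
    """Run the concatenated query on a driver that accepts batched statements.

    Returns the number of Customers rows left afterwards.
    """
    conn.executescript(build_concatenated_sql(last_name))
    return conn.execute("SELECT COUNT(*) FROM Customers").fetchone()[0]


def lookup_safe(conn, last_name):
    """Parameterized query: the input is bound as a value, never parsed as SQL.

    Returns (matching last names, number of Customers rows left afterwards).
    """
    rows = conn.execute(
        "Select * From Customers Where LastName = ?", (last_name,)
    ).fetchall()
    remaining = conn.execute("SELECT COUNT(*) FROM Customers").fetchone()[0]
    return [r[0] for r in rows], remaining


if __name__ == "__main__":
    print(build_concatenated_sql(MALICIOUS))
    print("rows left after unsafe lookup:", lookup_unsafe(fresh_db(), MALICIOUS))
    print("safe lookup result:", lookup_safe(fresh_db(), MALICIOUS))
```

With the concatenated query the whole table is emptied; with the parameter bound, the same input simply matches no customer and the table is untouched.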

It is very important to understand how users and their data interact with your application. That understanding lets you better protect your data, your application and your users from script exploits.
For more information on protecting your web application, see Basic Security Practices for Web Applications.
