Over 50% of all new vulnerabilities being identified on a weekly basis are attributed to web applications (SANS @RISK, The Consensus Security Vulnerability Alert)
More than 80% of all malware that emerged in the past year focus on application-level vulnerabilities (various sources, 2006).
In June 2006, 92 SQL injection and 34 cross-site scripting (XSS) new vulnerabilities were recorded on our database (Secunia)
The rationale behind HTTP protocol is to favor easy, quick and light communication and inter-connection. It has been designed to extensively share information, without really addressing security aspects. Indeed, these were considered as a constraint, supposed to slow traffic down and restrain freedom. As Jon Postel states (a key contributor of internet Requests For Comments) in his Law be conservative in what you do, be liberal in what you accept from others (Sept. 1981).
Very well known security principles are confidentiality, availability, integrity and auditability (ability to answer key questions such as who, what, when, where, to whom). HTTP protocol gives poor result on these aspects. HTTPS improves confidentiality aspects during transit but if initial traffic was malicious, web server will receive and process malicious SSL traffic ! Web protocols hardly authenticate, only partly guarantee confidentiality and integrity, do not protect against spoofing
Keep in mind that an URL sent by a browser is a command line to your web server : for instance an URL generating an SQL command or activating a CGI script.
At last, web protocols do not impose input validation, this is the major cause of their insecurity !
A solution is needed as web architectures are increasingly adopted in core IT systems !
The third article is about coding secure web sites
Richard Touret is manager at Binarysec, http://www.binarysec.com , security software company editing an intelligent web application softwall -or software firewall-. This Apache module adapts on most web sites, learning legitimate traffic to block any malicious request, including sql injection, cross-site scripting, directory traversal, forceful browsing, command injection, parameter tampering, attack obfuscation, buffer overflow... |
