Achieving protocol security. Gunter Ollmann, X-Force Security Assessment Services.

Position: Internet Focus

Having assessed the security of several dozen commercial web applications personally, and overseen the assessment of many more, it is always surprising to see the number of high-risk security flaws that developers have left behind. Most worryingly, a major proportion of vulnerabilities are due to a basic misunderstanding of the Internet protocol and system software used to host or use the web application. As organisations have improved their perimeter defence systems and are in the process of rigorously applying the latest security fixes from their operating system providers, attackers have been forced to focus their destructive attention on the security flaws lying within the organisation's custom-developed web applications. Many developers fail to understand the nuances of the HTTP protocol and assume that it is too difficult, or not worth the trouble, for an attacker to launch an attack at their custom application. Developers must assume that every packet of data not coming from the organisation's own hosts and servers can be modified. Relying upon the REFERER field (a field present in almost all browser requests, e.g. Referer: in the header of a client's page request or data submission) to have come from a legitimate link on the site is extremely dangerous, as it can be easily circumvented. Similarly, relying upon the HOST field in submissions to the application server in intra-server communications is equally dangerous.

Infrequently, "security aware" sites manage to correctly implement input validation rules for client data; unfortunately, all client-side checking and data validation processes can be bypassed by an attacker using commonly available tools and methodologies. The only safe solution is to validate all client content at the server side before processing it further within the application. Too often, the input of unexpected characters (e.g. single quote, plus, etc.), numbers or data lengths to submission fields results in errors that reveal the inner workings of the application. Using this information an attacker can craft data payloads, tailored to the custom application, that can compromise the integrity of the organisation's data or hosts.
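The two points above, untrusted Referer/Host headers and server-side validation, in one added example (not code from the article): the Referer header is never consulted, the Host header is compared against a configured allow-list, every submitted field is re-checked on the server against a whitelist pattern and length limit, and the error strings are deliberately generic so they reveal nothing about the application's internals. The hostname, field names, rules and sample requests are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Assumed deployment hostname; Host is compared to this allow-list, never trusted.
ALLOWED_HOSTS = {"shop.example.com"}

# Server-side rules per form field: whitelist pattern and maximum length.
FIELD_RULES = {
    "account": (re.compile(r"[0-9]{6,10}"), 10),
    "note": (re.compile(r"[A-Za-z0-9 .,-]*"), 80),
}

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (lower-cased header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("ascii", "replace").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body.decode("utf-8", "replace")

def validate_request(raw: bytes):
    """Return (accepted, errors). The Referer header is never consulted, Host must
    match the allow-list, and every field is re-checked here regardless of any
    client-side checks. Error strings are generic so they reveal no internals."""
    headers, body = parse_request(raw)
    errors = []
    if headers.get("host") not in ALLOWED_HOSTS:
        errors.append("host: not accepted")
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    for name, (pattern, max_len) in FIELD_RULES.items():
        value = fields.get(name)
        if value is None:
            errors.append(f"{name}: missing")
        elif len(value) > max_len or not pattern.fullmatch(value):
            errors.append(f"{name}: invalid")
    for extra in sorted(set(fields) - set(FIELD_RULES)):
        errors.append(f"{extra}: unexpected field")  # reject, do not pass through
    return (not errors, errors)

# Constructed sample requests (not captured traffic). The first carries no Referer and
# is still accepted; the second forges a plausible Referer but sends a foreign Host,
# a single quote in a numeric field and a stray field, and is rejected.
GOOD_REQUEST = (b"POST /transfer HTTP/1.1\r\nHost: shop.example.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"account=12345678&note=rent+March")
BAD_REQUEST = (b"POST /transfer HTTP/1.1\r\nHost: evil.example.net\r\n"
               b"Referer: https://shop.example.com/transfer\r\n\r\n"
               b"account=1234%27&note=ok&debug=1")
```

Calling validate_request(GOOD_REQUEST) returns (True, []) while validate_request(BAD_REQUEST) returns (False, [...]) with one generic entry per rejected item; the forged Referer plays no part in either decision.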

Most developers tend to assume that the data supplied to their application by the hosting software will be correct and safe. Many server compromises have been achieved when the hosting software has failed to identify and correctly restrict client URLs to...
