In recent years, the battle for software security has largely moved into the area of web applications with vulnerabilities such as cross-site scripting and SQL injection dominating mailing lists and bulletin boards once populated by buffer overruns and format string attacks. Web applications present an attractive attack target because of their wide attack surface and the potential to gain access to sensitive information such as credentials and credit card numbers, or to perform unauthorized actions on the part of innocent users, which is routinely accomplished with cross-site scripting (XSS) and cross-site request forgery (XSRF) attacks.
While security experts routinely bemoan the current state of the art in software security, from the standpoint of the application developer, application security requirements present yet another hurdle to overcome. Given pressure for extra functionality, other concerns such as performance and security often do not receive the time they deserve. While it is common to blame this on developer education, a big part of the problem is that it is extremely easy to write insecure code.
By way of illustration, consider an application that prompts a user for her name and sends a greeting back through the browser. The following example illustrates how one can accomplish this task in a Java/J2EE application:
    ServletOutputStream out = resp.getOutputStream();
    out.println("<p>Hello, " + username + ".</p>");

However, the apparent simplicity of this example is deceptive. Assuming the string "username" is supplied as application input, this piece of code is vulnerable to a cross-site scripting attack. Since JavaScript can be embedded into "username," when the request is processed within the web application, this script will be passed to the client's browser for execution, enabling a variety of malicious activity.
In effect, the most natural way to achieve the task of printing the user's name is unsafe. To make this secure, the developer has to apply input sanitization, which is often a tedious and error-prone task. Further, after the issue of data sanitization has been dealt with, the developer still needs to consider all the ways in which tainted input can propagate through the application and make sure it is sanitized on all paths.
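The following is an added example, not code from the original text: it places the unsafe greeting beside a hardened form that HTML-encodes the tainted value at the point of output, which is the sanitization step the paragraph above describes. The class and method names, and the sample input, are constructed for illustration; the encoding shown is correct for an HTML text context only, and a value written into a script block, URL or attribute would need encoding for that context.

```java
public class GreetingDemo {

    // Encodes the characters that carry meaning in an HTML text context,
    // so attacker-controlled text is rendered as data rather than as markup.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The unsafe form from the text: tainted input reaches the response verbatim.
    static String greetUnsafe(String username) {
        return "<p>Hello, " + username + ".</p>";
    }

    // The hardened form: same output path, but the tainted value is encoded
    // where it is written to the page, so a script tag in it cannot execute.
    static String greetSafe(String username) {
        return "<p>Hello, " + escapeHtml(username) + ".</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input containing a script tag (no real payload).
        String tainted = "Alice<script>/*constructed*/</script>";
        System.out.println("unsafe: " + greetUnsafe(tainted));
        System.out.println("safe:   " + greetSafe(tainted));
    }
}
```

In the safe output the angle brackets arrive at the browser as `&lt;script&gt;`, so the name is displayed literally; the unsafe output hands the browser a live script element.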