1. Technical Field
The present invention relates to web security certification and, more particularly, to the certification of server-side applications.
2. Description of the Related Art
Web applications, particularly commercial ones, are a target for security attacks. If the web application is vulnerable then, depending on the nature of the vulnerability, an attacker can, e.g., inject scripts that abuse other users of the web application and/or steal their data (e.g., using a cross-site scripting or cross-application request forgery payload) or exploit the server side of the web application (e.g., using a log-forging or command-execution payload). A consumer of the web application or web service is sometimes able to inspect its client side application, either manually or by using an automated scanning tool, but the consumer does not normally have access to the server side of the web application.
This leaves the users of a web application or service without any way to protect themselves from server-side vulnerabilities. Even if the users operate a scanning tool on the client side and find no vulnerabilities, the server side may still process its incoming data in an unsafe way by, e.g., failing to apply proper sanitization/validation in some or all cases. This is particularly the case when the server side is mostly correct in terms of its security enforcement, but nonetheless suffers from a few subtle or hard-to-find vulnerabilities.
Solutions have been developed to boost the user's confidence in a website. Third party scanners embed a “trustmark” in the client side of the website, indicating that the server application has been scanned and found to be safe. The inherent problem remains, however, that external scanners are limited in their ability to expose server-side vulnerabilities. One classic example of such a vulnerability is persistent cross-site scripting, where the payload is not reflected immediately but lies dormant in a backend database for a future user request to retrieve it.
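The following added example (not part of the patent text) illustrates why a client-side scan misses the persistent cross-site scripting case described above: the server stores the submitted input in a database, the submission response does not echo it, and only a later retrieval request renders it. The `CommentBoard` class, its handler names and the constructed payload are assumptions made for this illustration; the hardened variant escapes at output time.

```python
import html
import sqlite3

# Constructed test input: a textbook marker string, not a real attack.
CONSTRUCTED_PAYLOAD = "<script>alert(1)</script>"


class CommentBoard:
    """Hypothetical comment board: stores comments, renders them on a later request."""

    def __init__(self, escape_on_render: bool):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
        self.escape_on_render = escape_on_render

    def handle_post(self, body: str) -> str:
        # The submission response never echoes the comment, so a scanner that
        # inspects only this response sees no reflected payload.
        self.db.execute("INSERT INTO comments (body) VALUES (?)", (body,))
        self.db.commit()
        return "<p>Comment saved.</p>"

    def handle_get(self) -> str:
        # Vulnerable variant: stored text is interpolated raw into the HTML.
        # Hardened variant: html.escape at output time renders the markup inert.
        rows = self.db.execute("SELECT body FROM comments ORDER BY id").fetchall()
        render = html.escape if self.escape_on_render else (lambda s: s)
        return "<ul>" + "".join(f"<li>{render(body)}</li>" for (body,) in rows) + "</ul>"


def response_contains_raw_markup(page: str, payload: str) -> bool:
    """Crude client-side check: does the response carry the payload unescaped?"""
    return payload in page


def run_scenario(escape_on_render: bool) -> dict:
    """Submit the constructed payload, then fetch the page as a later user would."""
    board = CommentBoard(escape_on_render)
    post_page = board.handle_post(CONSTRUCTED_PAYLOAD)
    get_page = board.handle_get()
    return {
        "reflected_on_post": response_contains_raw_markup(post_page, CONSTRUCTED_PAYLOAD),
        "reflected_on_later_get": response_contains_raw_markup(get_page, CONSTRUCTED_PAYLOAD),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(False))  # reflected_on_post False, reflected_on_later_get True
    print("hardened:  ", run_scenario(True))   # reflected_on_post False, reflected_on_later_get False
```

In the vulnerable configuration the submission response is clean and only the later retrieval exposes the stored markup, which is exactly the window an external, client-only scanner cannot observe.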