Assessing Internet Security Risk, Part Five: Custom Web Applications Continued

    Date09 Oct 2002
    3621
    Posted ByAnthony Pell
    This article is the fifth and final in a series that is designed to help readers to assess the risk that their Internet-connected systems are exposed to. In the first installment, we established the reasons for doing a technical risk assessment. . . . This article is the fifth and final in a series that is designed to help readers to assess the risk that their Internet-connected systems are exposed to. In the first installment, we established the reasons for doing a technical risk assessment. In the second article, we started to discuss the methodology that we follow in performing this kind of assessment. The third part discussed methodology in more detail, focussing on visibility and vulnerability scanning. The fourth installment discussed a relatively unexplored aspect of Internet security, custom Web applications. This article will conclude the discussion of security risks of Web applications.

    A detailed discussion of all the possible vulnerabilities associated with custom Web applications would be somewhat beyond the scope of this paper. What I've done instead is to list and describe all the categories. I'll then single out some specific instances and describe them in more detail as examples.

    A common mistake in developing Web applications is to make assumptions about the inputs that user will provide, whether it is done manually or via some automated process. Manual inputs include the data entered by users into fields and forms. Automated inputs are submitted without the user being directly involved and include things like cookies, URLs and hidden HTTP fields. Nothing that is provided by the user should ever be trusted and an application that does so is opening itself up to abuse. Possibly the most significant category of attack that stems from inappropriate input sanitation is SQL Injection.

    You are not authorised to post comments.

    LinuxSecurity Poll

    Do you reuse passwords across multiple accounts?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 2 answer(s).
    /component/communitypolls/?task=poll.vote
    13
    radio
    [{"id":"55","title":"Yes","votes":"5","type":"x","order":"1","pct":45.45,"resources":[]},{"id":"56","title":"No","votes":"6","type":"x","order":"2","pct":54.55,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.