Web Application Security for Beginners

Many security incidents today stem from insecure web applications. In this article Marc describes the first cardinal rule in web application development: Input validation.

As an IT security consulting firm, one of the services that we often deliver to our clients is penetration testing - otherwise known as "ethical hacking". During an ethical hack we typically have a week to get into the computers of our client in any way possible.

Whilst in the past we found badly configured web servers, insecure server daemons and default passwords to be the most common entry points, nowadays we almost invariably gain access to customers' systems through their custom web applications.

Web application development is easy, and it is getting easier. There are thousands of tools and technologies available to assist in the process of delivering a web application quickly and efficiently. These tools help us to produce web applications that perform a specific function, and perform it well; security is however generally left up to the developer.

In this article we are going to describe the single most important step you can take to make your web applications secure: data validation. In fact if there is a single thing I could say to every developer whose application I have audited, it would be to validate, validate, validate!

Did I mention that you should validate? We are, of course, speaking about input validation here: the process of checking every piece of input to your web application before using it anywhere. It is the most fundamental, and the most important, aspect of secure web application programming. You should never make use of data that your application receives from the Internet or from a user without first confirming that it is in an acceptable format and within acceptable bounds.

A common trap to fall into is to say "but I've got client-side JavaScript verifying my input" or "it's OK, all of the secret information is in hidden form fields". In reality these client-side protections are insufficient: an attacker can disable the JavaScript, edit the hidden fields, or send requests straight to your server with a tool of their choosing, so you must check all data on the server side as well.

So what sort of validation are we speaking about? Let's take the example of a phone number: we know that a phone number is, by its very nature, going to contain digits, and perhaps spaces, parentheses and hyphens. Anything else is likely to be a mistake, or someone up to no good. Therefore, when our web application receives this value from the user, it should confirm that the value is made up only of digits, spaces, parentheses and hyphens, and reject it otherwise.

You may be asking, "Why does it matter if someone enters a phone number incorrectly?" Let's use an example to show how a common web application attack (an SQL injection attack) can be stopped by some simple data validation.

SQL Injection

Imagine now that I have a form with a single field on it (my telephone number field) and a submit button. When submitted my web application takes the phone number, and uses it to query a database and get a customer's details.

Imagine now that a malicious user decides to bypass my client-side data validation and send something like "(02) 8234 4000 or 1 = 1" as their phone number, and that my web application builds its query by pasting the submitted value straight into the SQL string, something like:

$sql = "select * from customer where phone_no = $phoneNoFromField";

In normal circumstances, when I execute this SQL I end up with the details of a single customer, the expected result. When my attacker submits the malicious phone number above, the text "or 1 = 1" becomes part of the query itself, and since 1 = 1 is true for every row in the customer table, they may well end up with a complete list of all my customers. (Exactly what the attacker has to type depends on how the value is embedded in the query; if it is wrapped in quotes they will add a quote of their own first, but the principle is the same.)

Some basic data validation would have spotted that the letters in "or" and the "=" symbol have no place in a phone number, and told us to reject this data before it ever reached the database. Validation is necessary, but it should not be your only line of defence against SQL injection: pass user-supplied values to the database as bound parameters of a prepared statement rather than building the query by string concatenation, and validate as well.
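The following is an added example, not code from the article, that runs the attack above against a small in-memory SQLite database and then shows the same lookup done properly. The customer rows, the table layout and the function names (lookup_vulnerable, lookup_safe, is_valid_phone) are constructed for the demonstration. Because the phone number is stored as text, the vulnerable query wraps the value in single quotes, so the attacker's payload starts with a quote of its own; the article's unquoted form falls to the same trick without the leading quote.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the article).
CUSTOMERS = [
    (1, "Alice", "(02) 8234 4000"),
    (2, "Bob", "(03) 9123 4567"),
    (3, "Carol", "(07) 3345 6789"),
]

# Whitelist of what a phone number may contain: digits, spaces, parentheses
# and hyphens, between 6 and 20 characters long.
PHONE_RE = re.compile(r"[0-9 ()\-]{6,20}")


def is_valid_phone(value):
    """Return True only if the whole string is made of allowed phone characters."""
    return isinstance(value, str) and PHONE_RE.fullmatch(value) is not None


def open_db():
    """Create the in-memory customer table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table customer (id integer, name text, phone_no text)")
    conn.executemany("insert into customer values (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, phone):
    """The article's pattern: the submitted value is pasted into the SQL string."""
    sql = "select id, name from customer where phone_no = '%s'" % phone
    return conn.execute(sql).fetchall()


def lookup_safe(conn, phone):
    """Validate first, then pass the value as a bound parameter, never as SQL text."""
    if not is_valid_phone(phone):
        raise ValueError("rejected phone number: %r" % (phone,))
    return conn.execute(
        "select id, name from customer where phone_no = ?", (phone,)
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(lookup_vulnerable(db, "(02) 8234 4000"))   # one row, as intended
    # Injected quote turns the WHERE clause into  phone_no = '' or '1'='1'
    print(lookup_vulnerable(db, "' or '1'='1"))      # every customer leaks
    print(lookup_safe(db, "(02) 8234 4000"))         # one row, as intended
    try:
        lookup_safe(db, "(02) 8234 4000 or 1 = 1")
    except ValueError as exc:
        print("validation stopped it:", exc)
```

Note that even with is_valid_phone removed, the bound parameter in lookup_safe would make the database compare the whole payload against phone_no as a literal string and return nothing; the validation is still worth keeping, because it rejects junk early and gives the user a useful error.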

In general, input should be validated against as many of the following attributes as possible:

  • Data type (string, integer, real, etc.)
  • Allowed character set (ASCII, Unicode)
  • Maximum and minimum length
  • Null or not null
  • Numeric range
  • Enumeration (e.g. value must be true or false, or must be one of several options)
  • Patterns (e.g. regular expressions)

So start checking your input today. More than likely you will find it useful to develop a set of reusable validation routines, as you'll soon find yourself writing the same code over and over as you check every variable that enters your web application.
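As an added example, not part of the article, here is one way to build such a reusable routine in Python: each form field gets a declarative Field rule covering the attributes in the list above (type, allowed character set, length, null or not null, numeric range, enumeration and pattern), and validate_form applies the rules to a submitted form and returns the errors alongside the cleaned values. The Field and validate_form names and the sample schema are assumptions made for the demonstration; the form values are constructed.

```python
import re


class Field:
    """Validation rules for one form field, matching the attributes in the article's list."""

    def __init__(self, kind=str, required=True, charset=None, min_len=None,
                 max_len=None, min_val=None, max_val=None, choices=None, pattern=None):
        self.kind = kind            # data type the raw string must convert to
        self.required = required    # null or not null
        self.charset = charset      # string of allowed characters, or None
        self.min_len = min_len      # length bounds on the raw string
        self.max_len = max_len
        self.min_val = min_val      # numeric range after conversion
        self.max_val = max_val
        self.choices = choices      # enumeration of permitted values
        self.pattern = pattern      # regular expression the raw string must fully match


def validate_field(name, raw, field):
    """Return (error or None, converted value or None); stops at the first failed check."""
    if raw is None or raw == "":
        return ("%s: value is required" % name if field.required else None), None
    if not isinstance(raw, str):
        return "%s: unexpected input type" % name, None
    if field.charset is not None and any(c not in field.charset for c in raw):
        return "%s: contains characters outside the allowed set" % name, None
    if field.min_len is not None and len(raw) < field.min_len:
        return "%s: shorter than %d characters" % (name, field.min_len), None
    if field.max_len is not None and len(raw) > field.max_len:
        return "%s: longer than %d characters" % (name, field.max_len), None
    if field.pattern is not None and re.fullmatch(field.pattern, raw) is None:
        return "%s: does not match the expected format" % name, None
    try:
        value = field.kind(raw)
    except (ValueError, TypeError):
        return "%s: not a valid %s" % (name, field.kind.__name__), None
    if field.min_val is not None and value < field.min_val:
        return "%s: below minimum %s" % (name, field.min_val), None
    if field.max_val is not None and value > field.max_val:
        return "%s: above maximum %s" % (name, field.max_val), None
    if field.choices is not None and value not in field.choices:
        return "%s: must be one of %s" % (name, ", ".join(map(str, field.choices))), None
    return None, value


def validate_form(schema, form):
    """Check every field in the schema; unknown fields in the form are ignored."""
    errors, clean = [], {}
    for name, field in schema.items():
        error, value = validate_field(name, form.get(name), field)
        if error:
            errors.append(error)
        elif value is not None:
            clean[name] = value
    return errors, clean


# Hypothetical schema for a customer form (constructed for this example).
CUSTOMER_FORM = {
    "name": Field(min_len=1, max_len=60, charset=" -'" + "abcdefghijklmnopqrstuvwxyz"
                  + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    "phone": Field(max_len=20, charset="0123456789 ()-",
                   pattern=r"\(?\d{2}\)? ?\d{4} ?\d{4}"),
    "age": Field(kind=int, min_val=0, max_val=130),
    "newsletter": Field(required=False, choices=("yes", "no")),
}

if __name__ == "__main__":
    good = {"name": "Alice", "phone": "(02) 8234 4000", "age": "34", "newsletter": "yes"}
    bad = {"name": "Bob", "phone": "(02) 8234 4000 or 1 = 1", "age": "-3", "newsletter": "maybe"}
    print(validate_form(CUSTOMER_FORM, good))   # ([], cleaned values with age as int)
    print(validate_form(CUSTOMER_FORM, bad))    # three errors, one per bad field
```

The checks are deliberately whitelist-based: a field states what it will accept, and anything else is refused, which is why the injection payload from the SQL example above fails the phone field on its character set before any pattern or database code is reached.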

One final note: the only way to know whether you are really secure is to test, so check out the links below on how to test your application's security, or get a professional to help out.

Useful Links:

The Open Web Application Security Project (of special interest, the Top Ten Most Critical Web Application Security Vulnerabilities, the OWASP filters project and the application testing guidelines).

Keywords : ethical hacking, security, input validation, web application, php, asp, j2ee, java

Author : Marc Bown - marc.bown@safecoms.com.au Marc is the Principal Security Consultant for Safecoms Secure IT, a leading Australian information systems security organisation. Safecoms are experts on a range of information systems security topics, and can be found at http://www.safecoms.com.au/.