Web Application Vulnerabilities

January 11, 2009

As programmers add functionality to Websites and Web browsers, the potential for security vulnerabilities increases. The biggest danger is the tendency to integrate Web browser functionality with other computer applications and even the operating system (O/S) itself. This means that if a Web browser security vulnerability is exploited, an unauthorized user can gain access to the core system files and data of someone's computer. The following outlines some of the more popular Web application components and the security vulnerabilities they might create.

JavaScript

JavaScript is a scripting language created by Netscape; despite the name, it isn't related to the Java programming language. JavaScript code isn't compiled; instead, it's interpreted by the Web browser. JavaScript can interact with the HTML of a page, enabling Web authors to create Websites with dynamic content.
Since its appearance, JavaScript has been plagued with security issues. The problems originate from the nature of JavaScript, which allows executable content to be embedded in Webpages, so any page a user visits can run code inside the browser. Vulnerabilities have included the capability for attackers to read files on a user's hard drive and to monitor and intercept a user's Web activity. Security precautions are required to prevent malicious code from entering, executing, and retrieving data from the underlying system.
In most cases the source of these vulnerabilities is the Web browser's implementation of JavaScript rather than the language itself, so most JavaScript security problems are fixed by installing patches from the Web browser vendor. JavaScript can also be disabled in the Web browser. Check your Web browser's options to disable or enable JavaScript for the Websites you access.

Java

Java is an object-oriented, platform-independent programming language created by Sun Microsystems. Java is typically used on Internet Websites to provide small programs called applets, which are downloaded to a user's Web browser. Because Java is platform-independent and can run on any type of machine or O/S, it requires a Java Virtual Machine (JVM) to convert the program to the code understood by the local machine. Java programs run in their own special area, called a sandbox, which restricts the applet's access to certain parts of the system. This prevents malicious or buggy software from accessing critical parts of your system. Hackers, however, have repeatedly found flaws in JVM implementations that let an applet bypass the sandbox's restrictions and access the data on users' hard drives. For added security, most Web browsers can be configured to grant Java programs only certain access privileges.

Signed Applets

Signed Java applets are applets that carry a digital signature identifying where the applet originated. The Web browser checks the signature to see whether it comes from a known, trusted source. If it does, the applet may be granted fewer restrictions than an unsigned applet, usually including more access to O/S functions so it can perform its task. Keep in mind that the signature vouches only for the applet's origin, not for its behaviour: a signed applet from a trusted publisher can still contain bugs or malicious code, and it will run with the extra privileges the browser grants it.

ActiveX

ActiveX is a technology created by Microsoft for building reusable components across Windows applications, including components that extend Internet applications. Like Java applets, ActiveX components can be downloaded to the computer through the Web browser. Unlike Java, which confines programs to a sandbox that limits what they can touch, ActiveX controls run as native code with the same privileges as the user running the browser; the only control is the user's decision whether to accept them. This calls for stricter security controls, because a malicious ActiveX component, once downloaded, could compromise the security of the entire system. Users must be careful when configuring their Web browser to control ActiveX programs.
For Web browsing security, ActiveX uses a form of authentication control based on security levels. The user's Web browser can be configured to set a security level at which ActiveX controls can operate. The lowest level allows all ActiveX components to be downloaded and run automatically. Higher levels display warning dialog boxes to alert you to an ActiveX control and let you decide whether to download it. ActiveX relies on digital certificates and trusted certificate authorities to authenticate the origin of ActiveX controls; as with signed applets, the certificate identifies the publisher but says nothing about what the control actually does.
As always, your Web browser should be updated to the latest version, so the most recent security controls are in place and previously discovered security vulnerabilities are fixed.

Buffer Overflows

Buffer overflow is a programming term for what happens when input data exceeds the size of the memory area (the buffer) a program has set aside for it. For example, a program might expect only a certain number of characters in an input field. If the input is longer and the program doesn't check the length, the extra bytes are written past the end of the buffer into adjacent memory, where they can corrupt other data or even be interpreted as code. Attackers use this to crash the program or the entire system, or to make the program execute code of their choosing.
For Internet Web applications, buffer overflows are a common security concern for both Web servers and Web browsers. A malicious Web server set up by an attacker can crash or take over the systems of users connecting to that Website by sending HTTP responses crafted to overflow buffers in the client. Similarly, an attacker using nothing more than a Web browser, or a tool that sends raw HTTP, can send requests that overflow a Web server's buffers and crash the Website.
Buffer overflows are mainly caused by bad programming that copies input into memory without checking its size or type. Software, especially Internet-facing applications, should be carefully programmed to accept only input of the expected size and type. You should also ensure that all your software is current with the latest patches and service packs, since vendors fix these errors as they're discovered. Patches can be downloaded from the software vendor's Website and installed onto your computer to fix the application.
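The following is an added example, not code from the original article, showing the mistake described above in C: a fixed-size name buffer filled with strcpy and no length check, beside a bounded version that rejects input that would not fit. The record layout (a name buffer followed by an is_admin flag) and the field names are assumptions chosen to make the effect of the overflow visible.

```c
/* Added example, not from the original article: a fixed-size input
 * buffer filled without a length check, beside a bounded version.
 * The record layout and field names are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* A record as a program might lay it out in memory: the name buffer
 * sits directly in front of a flag the program later trusts. */
struct login {
    char name[NAME_MAX];
    int  is_admin;
};

/* Vulnerable: copies whatever the caller supplies, however long.
 * Input of NAME_MAX bytes or more runs past 'name' into 'is_admin'
 * (and, for longer input, into whatever follows the struct). glibc's
 * _FORTIFY_SOURCE aborts this particular call when it can see the
 * destination size at compile time, but that is a mitigation, not a fix. */
void set_name_unchecked(struct login *l, const char *input)
{
    strcpy(l->name, input);          /* no bound on the copy */
}

/* Fixed: refuse input that would not fit, then copy including the NUL.
 * Returns 0 on success, -1 if the input was rejected. */
int set_name_checked(struct login *l, const char *input)
{
    size_t len = strlen(input);
    if (len >= NAME_MAX)             /* leave room for the terminator */
        return -1;
    memcpy(l->name, input, len + 1);
    return 0;
}

int main(int argc, char **argv)
{
    struct login l = { "", 0 };
    /* Constructed input: 16 'A's fill the buffer, and the 17th byte (0x01)
     * lands on the low byte of is_admin on a little-endian machine. */
    const char *input = argc > 1 ? argv[1] : "AAAAAAAAAAAAAAAA\x01";

    if (set_name_checked(&l, input) == 0)
        printf("checked copy accepted \"%s\", is_admin=%d\n", l.name, l.is_admin);
    else
        printf("checked copy rejected %zu-byte input, is_admin=%d\n",
               strlen(input), l.is_admin);

    set_name_unchecked(&l, input);   /* same input, no check */
    printf("unchecked copy: is_admin=%d\n", l.is_admin);
    return 0;
}
```

Run it with no arguments to see the constructed input, or pass a long first argument to supply your own. The checked version never touches is_admin; the unchecked version lets the caller choose its value, which is exactly the kind of corruption that, aimed at a return address instead of a flag, turns a crash into code execution.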

Cookies

Cookies are small files saved on your computer when you visit a Website. A cookie is used to save information particular to that Website. Cookies are typically used by Websites for tracking demographic or user-specific information pertaining to that site. This information can be used by the Websites themselves or for advertising purposes. For example, the first time you visit a Website, you could be required to register by filling out a Web form. Some information from this form is saved on your computer as a cookie. If you specified your age and gender, this information is read from the cookie the next time you visit that site, and the advertising is altered accordingly for your demographic group.
Most cookies contain relatively harmless information, but some may contain usernames, passwords, or session identifiers for certain Internet and Website accounts. Sites that store such data in cookies should encrypt it, but cookies that aren't encrypted, or that are transmitted over an unencrypted connection, are vulnerable to unauthorized users reading the information.
Most Web browsers let you customize how cookies are used or enable stricter controls on their use. Cookies can be disabled completely, but this could prevent certain Websites from working at all in your Web browser.

CGI

Common Gateway Interface (CGI) scripts are programs designed to accept and return data that conforms to the CGI specification. The programs are typically written in scripting languages, such as Perl, and are the most common way for Web servers to interact dynamically with users. Webpages that contain forms typically use a CGI program to process the form's data once it's submitted.
One concern with CGI is that each time a CGI script is executed, a new process is started, so a flood of CGI requests can noticeably slow the server or exhaust its resources. CGI scripts are also vulnerable to programming bugs and should be written with the same care and attention as any other software application.
Poorly programmed CGI scripts can intentionally or unintentionally reveal information about the host system that helps hackers gain access to the Web server. Scripts that use input from Web forms can be turned against the server: a subverted CGI script can be used to run malicious code with the privileges of the Web server process (or as a privileged user, if the server runs that way), providing unauthorized access to any part of the system, including sensitive user data, logins, and passwords. Another concern is user input crafted to attack the Web server through buffer overflows and malformed requests, since the script, not the Web server, is responsible for checking what it receives.
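As an added example (not code from the original article), here is a small CGI form handler in C that reads the form data the way the CGI specification delivers it for a GET request, in the QUERY_STRING environment variable, decodes the one field it needs into a fixed-size buffer without overflowing it, and rejects malformed escapes, oversized values, and characters that should never reach the rest of the program. The field name ("user"), the size limits, and the character whitelist are assumptions for illustration.

```c
/* Added example, not from the original article: a CGI handler that
 * parses and validates form input before using it. The field name,
 * limits and whitelist are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define FIELD_MAX 32      /* room for the decoded value plus its NUL */
#define QUERY_MAX 1024    /* cap on the whole query string */

/* Decode one application/x-www-form-urlencoded value ('+' -> ' ',
 * "%41" -> 'A') into out[out_size]. Returns 0 on success, -1 on a bad
 * or truncated escape or a value that would not fit. */
static int url_decode(const char *in, size_t in_len, char *out, size_t out_size)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (o + 1 >= out_size)                 /* keep room for the NUL */
            return -1;
        if (in[i] == '+') {
            out[o++] = ' ';
        } else if (in[i] == '%') {
            if (i + 2 >= in_len ||
                !isxdigit((unsigned char)in[i + 1]) ||
                !isxdigit((unsigned char)in[i + 2]))
                return -1;                     /* "%4" or "%zz": malformed */
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return 0;
}

/* Find field 'name' in a "k=v&k2=v2" query string and decode its value.
 * Returns 0 on success, -1 if the field is absent, malformed or too long. */
static int get_field(const char *query, const char *name, char *out, size_t out_size)
{
    size_t nlen = strlen(name);
    const char *p = query;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=')
            return url_decode(p + nlen + 1, plen - nlen - 1, out, out_size);
        if (!end)
            break;
        p = end + 1;
    }
    return -1;
}

/* Whitelist: only letters, digits, '_' and '-' may pass. Shell
 * metacharacters, path separators and control bytes are rejected
 * outright rather than handed to a command or a file path. */
static int is_safe_token(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_' && *s != '-')
            return 0;
    return 1;
}

/* Handle one request: fills 'user' and returns 0 if the form data is
 * acceptable, -1 otherwise. Kept separate from main so it can be
 * exercised with constructed query strings. */
int handle_query(const char *query, char *user, size_t user_size)
{
    if (query == NULL || strlen(query) > QUERY_MAX)
        return -1;
    if (get_field(query, "user", user, user_size) != 0)
        return -1;
    if (!is_safe_token(user))
        return -1;
    return 0;
}

int main(void)
{
    char user[FIELD_MAX];
    printf("Content-Type: text/plain\r\n\r\n");
    if (handle_query(getenv("QUERY_STRING"), user, sizeof user) != 0) {
        printf("Bad request\n");
        return 0;
    }
    printf("Hello, %s\n", user);
    return 0;
}
```

The decoder is the part that matters for the buffer-overflow point: every byte written to out is preceded by a bounds check, so a request with a 2,000-character value is refused instead of spilling into adjacent memory. The whitelist is the part that matters for the "run malicious code" point: a value such as `bob;rm -rf /` or `../etc` never gets near a system() call or a filename, because the script accepts only what it can prove is harmless.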
