At our November 2007 meeting, Ben Whaley of Applied Trust Engineering gave a talk on developing secure Web applications.
Ben focused on two common areas of vulnerability: cross-site scripting
and SQL injection. Cross-site scripting (XSS) is a Web application
security vulnerability that allows malicious Web users to inject code
into the Web pages viewed by other users. A crafted URL can even
contain JavaScript code that performs some action automatically to
give the hacker what they want, including access to your cookies. SQL
injection is possible when the back-end software processing form
variables doesn't do adequate checking of parameters, allowing the
hacker to execute SQL code directly against the back-end database.
Successful SQL injection attacks can give hackers the ability to
escalate their privileges, obtain customer or personal information, and
even gain insight into the database schema that can be leveraged in
subsequent attacks.
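The two failure modes described above, shown side by side with their fixes, as an added example that is not from Ben's talk or slides. The in-memory SQLite table, its rows, and the function names are assumptions made for this illustration; the point is that a form variable concatenated into SQL text or HTML becomes code, while a bound parameter or an escaped string stays data.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database for the demo (not data from the talk)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The back-end does no parameter checking: the form variable is pasted
    straight into the SQL text, so a quote character in the input ends the
    string literal and whatever follows is executed as SQL."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the form variable is bound as a parameter, so the database
    only ever treats it as a value to compare, never as SQL syntax."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_unsafe(username: str) -> str:
    """Reflects user input into the page unchanged; markup or script in the
    input becomes part of the page other users see (the XSS case)."""
    return "<p>Hello, " + username + "</p>"


def render_greeting_escaped(username: str) -> str:
    """The fix: HTML-escape the value at output time so the browser renders
    it as text rather than interpreting it as markup."""
    return "<p>Hello, " + html.escape(username) + "</p>"


def demo() -> dict:
    """Runs both inputs through both versions and returns the results, so the
    difference between 'checked' and 'unchecked' handling is visible."""
    conn = make_db()
    benign = "alice"
    # Constructed hostile form value: the single quote closes the literal
    # and the tautology makes the WHERE clause match every row.
    hostile_sql = "x' OR '1'='1"
    # Constructed hostile name carrying markup.
    hostile_html = "<script>doSomething()</script>"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile_sql),
        "parameterized_hostile": lookup_parameterized(conn, hostile_sql),
        "unsafe_html": render_greeting_unsafe(hostile_html),
        "escaped_html": render_greeting_escaped(hostile_html),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Because the check happens on the server, client-side form validation adds nothing here: a proxy that edits the request after the browser has validated it sees exactly the same back-end behaviour as the code above.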
Ben presented these two areas of vulnerability through a series of
examples with tools that hackers use, and that you can use to assess
your own Web application security. Ben used Microsoft Fiddler to view
and modify form information as a way to inject dangerous SQL
statements. This tool also demonstrated the futility of client-side
form variable validation. Ben demonstrated how SPIKE proxy, an
open-source tool with a very simple user interface, can do a powerful
job at automatically testing for SQL injection vulnerabilities.
Ben's slides are available here (PDF).