In the last few years a rising number of web programmers and developers have come to understand that the code they write plays a major part in the overall security of a website. Even though administrators install firewalls, keep off-the-shelf software up to date and secure communication with strong encryption, there are still various ways to attack the logic of the custom-made application code itself.
There is a seemingly unlimited number of different logical flaws that may lead to security problems in a web application. But even though the number of flaws may be countless, many of the most frequently occurring ones fall into one of the following rather limited set of categories:
Failure to deal with metacharacters of a subsystem
Authorization problems due to giving too much trust to input
That’s only two categories, and they sum up much of the web application security material published in the last 7-8 years or so. Today, many developers are familiar with an attack called SQL Injection.
Some are also familiar with Cross-site Scripting, which is actually HTML Injection. There’s also XML Injection, XPath Injection, LDAP Injection, C Null-byte Injection, and a plethora of other injection problems, plus the seldom-described Legacy System Injection. They’re all part of the “failure to deal with metacharacters of a subsystem” category.
The striking thing about SQL Injection is that it silently passes through all the layers of firewalls and does its work deep inside the system. It is not limited to shutting down servers. Everything achievable through SQL is possible through SQL Injection, including fetching, modifying and deleting information. Most of the developers knew how to protect against both SQL Injection and Cross-site Scripting.
But they hadn’t taken a step back and understood what made those attacks possible. If they had, they would have thought “metacharacter problem” as soon as they began using the semicolon as a delimiter. The first step in the fight against metacharacter problems is to recognize when certain characters become metacharacters. This typically happens when developers combine data and control information and pass them on to some parser. Obviously, an SQL statement will be parsed when sent to a database server, and an HTML document will be parsed when sent to the user’s browser. But there are less obvious parsers or scanners as well. For example, when working with strings in programs written in C, a null byte marks the end of the string.
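The following Python sketch is an added example, not code from the original article. It passes ordinary data to the three parsers named above (SQL, HTML, C strings) and shows the weak SQL handling beside the corrected one. The table, the sample rows and all function names are constructed for illustration.

```python
import ctypes
import html
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"),
                    ("O'Brien", "obrien@example.test")])
    return db

def find_concatenated(db, name):
    # Weak: data is pasted into the control text, so the SQL parser treats
    # a quote inside `name` as the end of the string literal.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def find_bound(db, name):
    # Corrected: the statement is parsed first and the value is bound to the
    # placeholder afterwards, so no character in `name` is special.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

def greeting_html(name):
    # For the browser's HTML parser, <, >, & and quotes are the metacharacters.
    return "<p>Hello, " + html.escape(name) + "</p>"

def seen_by_c(data):
    # A C routine reading a char* stops at the first null byte.
    return ctypes.create_string_buffer(data).value

def check_no_null(data):
    # Reject input that a C-based subsystem would silently truncate.
    if b"\x00" in data:
        raise ValueError("null byte in input")
    return data

if __name__ == "__main__":
    db = make_db()
    print(find_bound(db, "O'Brien"))           # quote is plain data here
    try:
        find_concatenated(db, "O'Brien")
    except sqlite3.OperationalError as exc:    # quote ended the literal early
        print("concatenated query failed:", exc)
    print(greeting_html("Tom & <Jerry>"))
    print(seen_by_c(b"report\x00.txt"))
```

The same value is harmless or special depending only on which parser receives it, which is why each subsystem needs its own handling at the point where data is handed over.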
Many common security problems in custom web application development may be avoided if programmers learn and focus on two things while coding: first, that every single piece of input to the application is under the user’s control, and second, that many subsystems may give special meaning to certain characters in the data.