Web application Security and Risks

Source: Internet
Author: User
Keywords: application security, web application security, web application risks
Web application security is undoubtedly a top priority and a topic worthy of attention. The issue is of vital importance to all parties involved: companies whose income from Internet business is growing, users who entrust sensitive information to web applications, and criminals who steal large sums by harvesting payment details or breaking into bank accounts. Reputation is also at stake. No one wants to do business with an insecure web site, and no organization wants to disclose details of its security vulnerabilities or breaches. Consequently, the importance of obtaining reliable information about the current security status of web applications cannot be overstated.

This chapter briefly introduces the development history of web applications and the many advantages they provide, and lists the vulnerabilities we have found in current web applications. These vulnerabilities indicate that most applications are far from secure. The chapter also describes the core security problem faced by web applications (namely that users can submit arbitrary input) and the various factors that cause security issues. Finally, it discusses the latest trends in web application security and predicts their future direction.

The development history of Web applications

In the early days of the Internet, the World Wide Web consisted only of web sites, which were essentially information repositories containing static documents. Web browsers were then invented as a means of retrieving and displaying those documents. The flow of information was one-way, from server to browser. Most sites did not authenticate users because there was no need to: all users were treated the same and were given the same information. The security threats arising from hosting a web site related mainly to the (many) vulnerabilities in web server software. An attacker who compromised a web site could not obtain any sensitive information, because everything stored on the server was already publicly viewable. Instead, attackers typically modified files on the server to deface the site, or used the server's storage and bandwidth to distribute "warez."

Today's World Wide Web is completely different from the early one. Most sites on the Web are actually applications. They support powerful two-way information flow between server and browser. They support registration and login, financial transactions, search, and user-created content. The content delivered to the user is generated dynamically and is often tailored to each user. Much of the information they handle is private and highly sensitive. Security is therefore of paramount importance: if people believe that a web application will leak their information to unauthorized parties, they will refuse to use it.


Web applications bring with them new and significant security threats. Every application is different and contains its own set of vulnerabilities. Many applications are developed in-house, and the developers of many applications have only a limited understanding of the security issues the code they write may create. To deliver their core functions, web applications usually need to connect to internal computer systems that hold highly sensitive data and can perform powerful business functions. Fifteen years ago, if you needed to transfer money, you had to go to the bank and have a member of staff complete the transaction for you. Today, you can access the bank's web application and complete the transfer yourself. An attacker who compromises the web application can steal personal information, commit financial fraud, or perform malicious actions against other users.

Common functions of web applications

Web applications have been created to perform practically every useful function that can be done online. The main functions of some web applications that have appeared in recent years are:

Shopping (Amazon);
Social networking (Facebook);
Banking services (Citibank);
Web search (Google);
Auctions (eBay);
Betting and gambling (Betfair);
Blogs (Blogger);
Web mail (Gmail);
Interactive information (Wikipedia).

Nowadays, the functions of applications accessed through a computer browser increasingly overlap with those of mobile applications accessed from smartphones or tablets. Most mobile applications communicate with the server through a browser or a custom client, and most of these browsers or clients use HTTP-based APIs. Application functionality and data are usually shared across the various interfaces the application exposes for different user platforms.

In addition to the public Internet, web applications have been widely adopted within organizations to support key business functions. Many of these applications have access to highly sensitive data and functionality.

Users can use HR applications to access salary information, give and receive performance feedback, and manage recruitment and disciplinary procedures.

Administrative interfaces for key infrastructure (such as web and mail servers), user workstations, and virtual machine management.

Collaboration software for sharing documents, managing workflows and projects, and tracking issues. These functions usually involve important security and regulatory concerns, and most organizations rely entirely on the controls built into their web applications to implement them.

Business applications such as enterprise resource planning (ERP) software, which used to be accessed through dedicated thick-client applications, can now be accessed through a web browser.

Software services such as e-mail, which originally required a separate e-mail client, can now be accessed through a web interface (such as Outlook Web Access).

Traditional desktop office applications (such as word processors and spreadsheets) have been migrated to web applications through services such as Google Apps and Microsoft Office Live.

To reduce costs, organizations are increasingly outsourcing various tasks to external service providers, so in all of the above examples, what we think of as "internal" applications are increasingly being hosted by external parties. In these so-called "cloud" solutions, business-critical functions and data are exposed to a larger number of potential attackers, while organizations increasingly rely on security defenses outside their control.

An era in which the only client software most computer users need is a web browser is fast approaching. Users will then perform a wide range of functions using a shared set of protocols and technologies, and the same set of common security vulnerabilities will follow.


Advantages of web applications

The reasons for the increasing popularity of web applications are obvious. Several technical factors have combined with strong business incentives to bring about major changes in the way the Internet is used.

HTTP is the core communication protocol used to access the World Wide Web. It is lightweight and connectionless, which provides resilience against communication errors. With HTTP, the server no longer needs to hold an open network connection to every user, as servers in many traditional client-server applications did. HTTP can also be proxied and tunnelled over other protocols, allowing secure communication under any network configuration.

Every web user already has a browser installed on their computer and mobile devices. Web applications deploy their user interface dynamically to the browser, removing the need to distribute and manage separate client software, as was required for earlier client-server applications. A change to the interface needs to be made only once, on the server, and takes effect immediately.

Today's browsers are very powerful and can present rich and intuitive user interfaces. Web interfaces use standard navigation and input controls, so users are immediately familiar with them and do not need to learn how to use each application. Applications can shift part of their processing to the client through client-side scripting, and, where necessary, thick-client components can be used to extend the browser's functionality arbitrarily.
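Shifting processing to client-side script does not change the core security problem stated earlier in this chapter: the server still receives whatever the user chooses to submit, so every check performed in the browser must be repeated on the server. The following is an added example, not code from the original page, showing server-side validation of a hypothetical funds-transfer form. The field names, the transfer limit and the sample request bodies are all constructed for illustration.

```python
# Added example: server-side validation of a submitted form, because any
# client-side checks can be bypassed by crafting the HTTP request directly.
# Field names (to_account, amount) and MAX_TRANSFER are hypothetical.
from urllib.parse import parse_qs

MAX_TRANSFER = 10_000  # hypothetical per-request limit, in whole currency units
EXPECTED_FIELDS = {"to_account", "amount"}


def validate_transfer(body: str) -> dict:
    """Parse a URL-encoded form body exactly as the server receives it and
    validate every field independently of whatever the browser-side script did."""
    fields = parse_qs(body, keep_blank_values=True)
    errors = []
    account = fields.get("to_account", [""])[0]
    amount_raw = fields.get("amount", [""])[0]

    # Account number: digits only and a fixed width; anything else is rejected,
    # including quotes or SQL fragments smuggled into the parameter.
    if not (account.isdigit() and 8 <= len(account) <= 12):
        errors.append("to_account must be 8-12 digits")

    # Amount: a positive integer within the limit. int() rejects "abc", "1e9"
    # and "250.5", and the range checks reject negative or oversized values.
    try:
        amount = int(amount_raw)
    except ValueError:
        errors.append("amount must be an integer")
        amount = None
    else:
        if amount <= 0:
            errors.append("amount must be positive")
        elif amount > MAX_TRANSFER:
            errors.append(f"amount exceeds limit {MAX_TRANSFER}")

    # The legitimate form never sends other fields, so extra parameters mean
    # the request was hand-built; reject rather than silently ignore them.
    unexpected = sorted(set(fields) - EXPECTED_FIELDS)
    if unexpected:
        errors.append("unexpected fields: " + ", ".join(unexpected))

    if errors:
        return {"ok": False, "errors": errors}
    return {"ok": True, "to_account": account, "amount": amount}


# Constructed sample bodies, as a browser (or any HTTP client) would submit them.
SAMPLE_BODIES = {
    "normal": "to_account=12345678&amount=250",
    "negative_amount": "to_account=12345678&amount=-250",
    "extra_field": "to_account=12345678&amount=250&admin=1",
    "bad_account": "to_account=1234%27+OR+1%3D1&amount=250",
}


def run_samples() -> dict:
    """Return, per sample name, whether the server-side validation accepted it."""
    return {name: validate_transfer(body)["ok"] for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, accepted in run_samples().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Only the "normal" body is accepted; the other three are rejected regardless of whether the page's JavaScript would have stopped them, which is the property the server must guarantee on its own.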

The core technologies and languages used to develop web applications are relatively simple. Even beginners can use the many existing platforms and development tools to produce powerful applications, and a large body of open source code and other resources is available for integration into custom applications.
