AJAX - The Complete Reference


PART II


Chapter 7: Security Concerns 289


/actions/dologin, could it accept a GET query string as well? They might try to see if a
previous version of the program is hosted by adding extensions like -old or -bak. They
might add fields of their own to see how the server-side program will address the extra
data. If they inspect the header stream in this request, they may notice Cookie values and
try to discern how such values are generated. They might save the hidden field or cookie
value from a previous day and see if it can still be used much later without complaint.
You really have no idea what intruders might dream up as an input or manipulation to
your forms, URLs, and headers. Given the simple truth that Web application intruders
manipulate any and all inputs they can find, the only countermeasure is to not trust inputs
and to filter or reject data that is not within allowed constraints. A number of common Web
application data attacks are reviewed in Table 7-2. Note that most of them are trust concerns,
and the countermeasures predominantly focus on input filtering and sanitization.
Typically, in anything beyond the simplest application, there are different degrees of
trust. There may be some content or features accessible to the public, some to authenticated
users, and some to authenticated privileged users like administrators. An intruder often

Attack Name: SQL injection

Goal: To gain access to a backend database that powers a Web application, or to manipulate
or show some protected data in this system.

How It Is Performed: Very often form data or even URLs are tied directly to SQL statements
used to retrieve data. For example, given a URL like http://ajaxref.com/showarticle?id=5,
you might imagine the backend to perform a simple SQL query like

    select * from articles where id = 5;

If the URL keys are just passed to the queries, it would not be difficult at all to change
the ID value or even do something a bit nastier like ?id=5 OR 1=1, which would dump the
whole table. If the database is accessed by the Web application in a privileged mode, SQL
injection can be even more dangerous, especially if SQL statements to drop tables or create
accounts can be appended to the data submission.

Possible Countermeasures: Sanitize all inputs coming in that will be placed in SQL
statements for correct size and type. Do not use a privileged account for database access
from the Web application.

TABLE 7-2 Sampling of Web Application Data Input Attacks
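As an added example (not code from the book), here is the showarticle query from Table 7-2 written two ways in Python: the string-built form that lets ?id=5 OR 1=1 dump the whole table, and a form that applies the size-and-type check from the countermeasures column and binds the id as a query parameter. The article rows and function names are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the articles table behind
# http://ajaxref.com/showarticle?id=5 (not data from the book).
ARTICLES = [(1, "First"), (2, "Second"), (3, "Third"), (5, "Fifth")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table articles (id integer primary key, title text)")
    conn.executemany("insert into articles values (?, ?)", ARTICLES)
    return conn


def show_article_vulnerable(conn, raw_id):
    """The query the table describes: the URL value is pasted into the SQL text,
    so ?id=5 OR 1=1 becomes 'where id = 5 OR 1=1' and returns every row."""
    sql = "select * from articles where id = %s" % raw_id
    return conn.execute(sql).fetchall()


def validate_article_id(raw_id):
    """Size and type check from the countermeasures column: an article id is a
    short string of digits. Anything else is rejected before it nears the database."""
    if len(raw_id) > 9 or not raw_id.isdigit():
        raise ValueError("rejected article id: %r" % raw_id)
    return int(raw_id)


def show_article_safe(conn, raw_id):
    """Validate, then bind the value as a query parameter so the driver can never
    interpret it as SQL syntax, even if the validation were loosened later."""
    article_id = validate_article_id(raw_id)
    return conn.execute(
        "select * from articles where id = ?", (article_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=5        ->", show_article_vulnerable(db, "5"))
    print("vulnerable, id=5 OR 1=1 ->", show_article_vulnerable(db, "5 OR 1=1"))
    print("safe, id=5              ->", show_article_safe(db, "5"))
    try:
        show_article_safe(db, "5 OR 1=1")
    except ValueError as exc:
        print("safe, id=5 OR 1=1       ->", exc)
```

The second countermeasure in the table, running the application against a non-privileged database account, is a deployment setting rather than query code, so it is not shown here.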