For many years we have all come to accept that network systems are flawed. TCP/IP is not perfect and was not designed for secure transmission. AppleTalk or IPX/SPX, for all you Apple and Novell fans waiting around for a comeback, will not make things better. Some believe that we are getting good at discovering and blocking these types of attacks. After that came the OS attacks; how lovely those easy buffer overflows were to find and exploit. One day you may even hear me do my best 'who's a good boy' impression, except instead of my dog it may be directed at MS03-026, but I digress. Now that we are going further up the stack we keep hearing that one day the web will be our operating system. In a strange way I am hopeful that won't be the case.
Web application security is a pretty hefty subject. Let's look at the components first to get a better understanding. The server side can run a multitude of servers that deliver web-based content: Apache, IIS, WebSphere, and even custom servers all appear frequently. This conversation will not pertain to vulnerabilities within the service itself, so let's look higher in the stack. By the same token you now have a multitude of browsers: Internet Explorer, Mozilla Firefox, Safari, Opera, Google Chrome and more. They can all render web traffic out of the box. The problem isn't necessarily this architecture, but let's dig further.
Web servers are now able to deliver 'dynamic content'. As end users we love dynamic content, as pen-testers we LOVE dynamic content, and as defenders we have NO LOVE for dynamic content. How can we deliver this content? If you are an open source proponent you think of LAMP or WAMP. LAMP stands for Linux-Apache-MySQL-PHP/Perl/Python/etc., and WAMP is the Windows equivalent. Most organizations are now focusing on the .NET Framework. For some reason we are still kicking around Java.
...Oh yeah AJAX too...
So let's get back to this idea of dynamic content. Computers love code; they LOOOVE to run whatever you give them. In the web application space this becomes precarious because the code that the browser will automatically render and run, or the code that the server will process and run, can actually allow for 'exploitation' without 'exploitation' in a strange sort of way. Since this is an introduction with more 'parts' to come, let's explore this.
You have a browser that automatically renders JavaScript and PHP code. You point your browser at a malicious site, which allows an 'attacker' to hook your browser and control its interactions through JavaScript code. Assume that the actions the 'attacker' uses to control your browser are not considered 'dangerous'. They look like regular HTTP-based transactions and like perfectly normal JavaScript delivered to your device. This type of traffic will most likely be re-rendered through a proxy, ignored by IPS systems, and if the site is considered 'safe', content filters will allow it as well. In addition, most host IPSs will let this pass as long as the content delivered is not doing something 'malicious' to the system, like delivering an actual exploit to a service.
So then the question I pose to you is: if a giant multi-billion dollar, multinational corporation like Microsoft cannot fully fix all the security problems within its paid-for software, how are we to expect that custom application code running on web servers and rendered in your browser is not going to have issues? Insecurity Yet?
I welcome feedback and discussion!
