34 Comments
- dankosaur, on 10/12/2007, -6/+14
say that again in three years.
- Pile, on 10/12/2007, -0/+6
Yes, "Web 2.0" is defined as, "a useless, abstract reference that the tech media uses that for the time being, seems to create a pavlovian-like response from users signifying some equally abstract and ambiguous substance."
http://BSAlert.com/
- bbear, on 10/12/2007, -0/+6
Every time someone says "Web 2.0" God kills a kitten. Please, think of the kittens.
- pumacub, on 10/12/2007, -3/+8
How is it a problem in VB.NET but not C#?
- WhoDey, on 10/12/2007, -1/+5
@VTStevenVT (the comment above this one)
Whoa. Whoa! Are you serious? Do you really think that "SQL Injection" works because it's inserting a comment character into your server-side VB code? You really need to go back to school, man. The problem occurs when characters taken from the user are inserted directly (without cleaning up/parsing) into a SQL statement. I certainly hope it's not possible (and that no real programmer thinks it is) for user input to be inserted into the server-side VB code.
- inactive, on 10/12/2007, -2/+6
By using parameters instead of concatenation it's not a problem at all. I don't follow the c# / vb.net comparison since essentially the differences are syntactic.
- VTStevenVT, on 10/12/2007, -1/+4
@WhoDey
Ok. It has to go through your SQL statement.
like in :
"SELECT * FROM USERS WHERE username = " & txtUserName.text
would be open to an injection attack, because the userName is taken directly from the text box into the sql statement.
My point here isn't how/why injection attacks happen, but rather it is an issue fixed from the programmer's side, not the Database Administrator's or Server Admin's side. Most programmers rely on DBA and SA security settings to keep malicious code from running and aren't actively programming with security in mind. That is the intent of my example. I'm sorry if I didn't get the semantics correct.
- bignate, on 10/12/2007, -2/+5
Saying "never" these days is like painting a target on your back. I'd be willing to bet that if somebody told you ten years ago that your business would rely on the use of a standards-based, unsecured method of communicating text messages across fiber-optic cable (e-mail), you would have said never.
It's ignorant to assume that one technology or another will never come to dominate a certain market, you just have to keep an eye on things and see where they lead.
If I had to guess, I would say that in ten years more than fifty percent of the apps we use on a regular basis will be web-based. That includes desktop apps such as Word and Excel.
- joel2600, on 10/12/2007, -5/+8
it's not a problem in c# because c# doesn't use SQL statements, it's powered by the hash symbol (#) ... this makes it much more powerful and completely invulnerable to any sort of attack.
when you try and submit a " ' or where 1=1" or something into a text box, C# automatically grabs your statement and smashes it into a million pieces. it also will take your IP address, notify your ISP, get your contact information, send you a template e-mail from steve ballmer telling you what a douchebag you are, and it will also call your mother and use text-to-speech to inform her that you are trying to do something you shouldn't be.
the server load is a little big, but it's worth it
- joel2600, on 10/12/2007, -1/+3
nobody is predicting that ALL applications will be delivered over the web. (anyone saying that is drunk or retarded) ... that would require a constant internet connection at all times for you to be able to do anything, and everyone knows that is an impossibility.
programs are built around users' needs and this will never change
- simple desktop applications for common tasks that require no collaboration
- client/server applications that do and don't incorporate some web technologies
- citrix/rd access to applications for distributed access / security control / hardware considerations
- joel2600, on 10/12/2007, -3/+5
at least the article covers the fact that there is no precise definition of what web 2.0 is and is not ... and really the focus of this article is around security issues with 'web applications' as mentioned in the abstract.
it seems like whenever there is new technology that comes out security is always the last thing on people's minds... either we can't learn from our mistakes, or we'd rather just not front the cost for it up front and just wait and see what falls out.
- IHatePants, on 10/12/2007, -0/+2
Ack! The analogies were horrendous! Let me put just one example into layman's terms:
1) Traditional web applications submit basic client-entered data to the server. All the work is done on the server, so it tends to be easier to secure an application in the traditional sense. (This doesn't make an app invulnerable, it just somewhat alleviates the issues below.)
2) "Web 2.0" a.k.a. AJAX/GWT/Atlas/etc applications do a whole bunch of work on the client before they submit to the server.
3) Users really like it if you warn them of a mistake immediately, versus waiting for a return from the server. (E.g. "That isn't a valid username" or worse, "That isn't a valid password.") Developers like to make customers happy, so they work towards giving immediate responses when they can.
4) Give someone enough rope and they will hang themselves. "Web 2.0" (oh how I loathe that catchphrase) gives a large amount of rope. With AJAX/GWT/etc you have to validate everything twice. If you only validate on the client, people can easily forge requests that bypass all of your checks. If you only validate on the server, then you haven't bought yourself anything by using any of these nifty tools.
I'm all for these new nifty web tools. I'm spending all my free time learning them as I see they are going to be the future of web development. I also see a horrendous amount of hacked sites coming up because people will forget to double-validate every piece of information they receive on the server side.
- SuperGhost, on 10/12/2007, -3/+5
We unfortunately still have Symantec and McAfee because people still believe they work... (Bit Defender +1) But the scope of the article relates more to building a secure application, whereas anti-virus scanners stop the tools from exploiting your unsecure application to gain more access to your computer.
- delinka, on 10/12/2007, -0/+1
@VTStevenVT
You sound like a poorly-informed IT manager. SQL injection has nothing to do with effects on application code - SQL injection can happen in any application that does not sanitize and escape special characters provided as part of user input.
Here's how it works. Say you have an SQL statement like this
INSERT INTO customers (Name, ZIP, Age) VALUES ('$name', $zip, $age);
Now, a user submits:
delinka', 21202, 25); DELETE * FROM customers; //
as their name. If $name isn't sanitized, SQL injection has been performed and your customers table is probably empty (hopefully, you've not allowed the application DB user to ever delete data...). So you sanitize user input, the ' gets properly escaped, and the user's first name just contains all the garbage they submitted.
Strings submitted to a VB.net page are still strings - the ASP interpreter does not think that user input is code to be executed in the app. But that interpreter is *clueless* about SQL. That's why the programmer shouldn't be clueless.
- palmer, on 10/12/2007, -0/+1
""Web 2.0" (oh how I loathe that catchphrase)"
All intelligent people do. Congrats.
- merreborn, on 10/12/2007, -2/+3
"but I'll tell ya... my company would never use online apps to run their business."
If you bank at Wells Fargo, take a look at the teller's screen next time you're in the bank. That's right, you just saw IE accessing an internal web-app.
Part of the problem is that people such as yourself don't see the browser for what it really is: a generic client application. You're no safer with a client-server desktop application than you are with a client-server web application.
Yeah, there was a worm that hit Yahoo! Mail. But do you have any clue how many worms have taken advantage of Outlook in the past?
An insecure application is an insecure application, whether it's a web app or a desktop app. If you've got programmers who know what they're doing, it doesn't matter what they're developing; it's going to be secure.
The only difference is it's easier for an idiot to build a web app than a desktop app.
- fartsammich, on 10/12/2007, -0/+1
"but I'll tell ya... my company would never use online apps to run their business."
Do you dig up earthworms to sell to fishermen down at the docks or something?
- inactive, on 10/12/2007, -5/+5
I hardly consider desktop application security a "no-brainer"... why else do we have Symantec and McAfee?
- palmer, on 10/12/2007, -0/+0
It's not "client-server"; it's client/server. Just like it's not "win-win"; it's win/win. The slash implies a choice or division: two sides. That's why A/C makes no sense for "air conditioning" and N/A makes no sense for "not applicable."
- josmtx, on 10/12/2007, -0/+0
Actually the application framework and / or tools you use should make sure stupid things like SQL injection do not occur in the first place. Some will argue that escaping / sanitizing all query parameters is a performance hit, I would just answer bollocks. If you still build SQL queries by concatenating strings, you belong in the Jurassic. Why not use plain strcpy?
- Nextrix, on 10/12/2007, -0/+0
@delinka
Note that MySQL does not allow stacking of queries so the ;DELETE FROM table attack would not work anyway.
Personally Web 2.0 or any new technology can always be very useful and secure depending on how the programmer does his job. Most work I have seen is rushed jobs done by freelancers that don't care about security. It is a shame to see flawed coded sites these days.
- saintnuke, on 10/12/2007, -0/+0
@VTStevenVT
You're incorrect. VB.NET is compiled into IL code before you can execute it. The same IL code as C#. The VB syntax is no longer in the mix at run time. In fact, you can reverse the IL into either C# or VB.NET code, your choice.
Now having inline SQL in your app code is bad, and has the same vulnerabilities in VB.NET and C#. Stored procedures, with parameters, are the way to go. Inline SQL is a sign of an amateur.
- MrKite, on 10/12/2007, -3/+2
No, I kill people when my boss tells me to.
- bignate, on 10/12/2007, -3/+2
^^^ Agreed. Anybody writing code for use by anyone other than the developer themselves should be using some kind of cleanup function to deal with quotes in their SQL statements. If not for security, for usability purposes. Users are bound to perform a search for "Ted's resume" at some point, and if your code isn't designed to parse that single-quote, the user's going to receive an error message, it doesn't matter WHAT language you're using (and for the record, I program in standard ASP and PHP).
- MrKite, on 10/12/2007, -4/+2
"And we give a rats ass because...?"
Well you must have if you responded to my post, dumbass.
"say that again in three years."
Ok, I guarantee that I will say that again in 3 years.
"If I had to guess, I would say that in ten years more than fifty percent of the apps we use on a regular basis will be web-based. That includes desktop apps such as Word and Excel."
Did you ever hear of such a thing called "Client Confidentiality"? Obviously your full time job is a softball coach or something equivalent.
"If you bank at Wells Fargo, take a look at the teller's screen next time you're in the bank. That's right, you just saw IE accessing an internal web-app.
Part of the problem is that people such as yourself don't see the browser for what it really is: a generic client application."
Yes, but that's their server they're accessing, not a 3rd party hosted server that offers banking software. It's THEIR SOFTWARE. Get it now?
Do you people actually think that big name companies with lots of competition would use a 3rd party, web based spreadsheet web site to calculate their 2nd quarterly earnings?? Man, I wouldn't want any of you dumbasses working for me. ;)
- LouBlobbs, on 10/12/2007, -2/+0
custom class to sanitize, verify, and ostracize the SQL FTW!
- joel2600, on 10/12/2007, -3/+1
the biggest security risk is paying some offshore developer or team next to nothing to develop your software you can be sure it's going to work like garbage and be full of bugs and with no security in mind.
hey, as long as it 'works' right?
- optikknight, on 10/12/2007, -5/+0
Err.... this comment didn't post correctly. Ignore me.
- MrKite, on 10/12/2007, -10/+3
"Security has become a no-brainer for desktop software, but the same doesn't hold true for the booming world of Web applications."
Umm, think so?
Everyone keeps touting Web 2.0 (whatever that means) and online apps, but I'll tell ya... my company would never use online apps to run their business.
- dred1367, on 10/12/2007, -8/+0
I like all the people who are predicting that in the future the net will replace a HD...they say that all programs will be run through a remote desktop over the net from any computer...there was no mention of security precautions in that theory either...
- pumacub, on 10/12/2007, -12/+4
"but I'll tell ya... my company would never use online apps to run their business."
And we give a rats ass because...?
- VTStevenVT, on 10/12/2007, -9/+1
As a web programmer, this is definitely an issue. One of the easiest attacks to guard against is sql injection, but not many web-sites out there do because not many programmers know that it is something they will have to program against instead of pushing the responsibility to the Database Administrator. Things like this are often overlooked in a crunch for time or another new feature. Sql injection isn't a problem in C#, but it is in VB.NET, so why is everyone using VB.NET? Sometimes choosing the right tool is the key.
- VTStevenVT, on 10/12/2007, -11/+1
The way sql injection commonly works is to type in a ' ( single quote ) and then a sql statement, the ' (single quote) is the single-line comment in VB.NET. This causes the vb code to stop executing and through certain techniques a sql statement can be pushed through. but in C# input strings are dealt with differently, and won't screw up things. Most commonly this attack is used in search bars and text boxes. Try putting a ' (single quote) in digg's search bar, it will say "invalid character", or something, because digg is smart enough to guard against this attack and many like it that use invalid characters to push statements through input boxes.
- inactive, on 10/12/2007, -14/+0
Lol, that's awesome.

