Web Application Security FAIL
The number of XSS, XSRF, command injection, and SQL injection vulnerabilities in popular web applications seems to have increased a lot over the last year, and I am left wondering why these things keep popping up (and also why it has taken me a month to finish this rant).
Seeing all these web application vulnerabilities keep popping up has given me a sense of déjà vu. I am reminded of many years ago when there were buffer overflows, heap overflows, etc. galore. Functions like strncpy() were pointed to as replacements for the non-length-checking string copying function strcpy() to help mitigate the vulnerabilities. These functions weren't used well (and strncpy() has its own pitfall: it does not NUL-terminate a string that fills the whole buffer), so eventually Intel and AMD built no-execute (NX) page support into their processors, which operating systems use to mark the stack non-executable, so a buffer overflow could no longer run shellcode that was placed on the stack via input. It is worth remembering that NX only stops injected code from running; it does not stop an attacker from reusing code that is already executable, as return-to-libc attacks do.
Twitter has been rife with these vulnerabilities, and even Facebook has not been immune (nor has the FBI jobs site). The WordPress blogging software that I use has had numerous critical vulnerabilities. Even scarier, there was a sex offender registry that was vulnerable to a SQL injection attack that exposed information and could have been used to add persons who did not belong in the registry. Which leads me to the question: why is there (still) not proper input validation?
I think a large part of the problem lies in the education methods people use: I was never taught one ounce of secure programming technique in undergrad or grad school, and the only books I've seen talk about secure programming are books that are only about secure programming. Many of the professors just didn't seem interested or knowledgeable enough about security to include it in their lesson plans. Most employers care more about fast results than about giving you time to audit your code. I haven't seen these topics covered in the tech books that a large portion of people use to begin learning the dynamic languages these web applications are built on. I first learned from many of these same books, and they are great at getting you up and running on your first web application. Unfortunately they also fail to cover the things that anyone building a web application (or programming in general) needs to know: how to handle untrusted input properly so you don't expose your users' information or expose their browsers to numerous exploits. PHP provides functions like htmlspecialchars() (to encode data on output into HTML, which is what stops persistent XSS) and mysql_real_escape_string() (to escape values that are concatenated into a MySQL query string), and prepared statements through PDO or mysqli, which are the better way to prevent SQL injection because the data is sent separately from the query and is never parsed as SQL. Note that stripslashes() is not a defence at all; it only reverses the backslashes added by the old magic_quotes feature, and the escaping approach in general only helps if every value is also quoted correctly and the connection's character set is set.
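As an added example (not code from the original post, and not WordPress code), here is the kind of page handler those beginner books usually show, beside a hardened version that uses a prepared statement on the way in and htmlspecialchars() on the way out. The `users` table, the PDO connection string and the credentials are placeholders assumed for illustration.

```php
<?php
// Added example, not from the original post. Assumes a MySQL table
// `users` (name VARCHAR, bio TEXT); DSN and credentials are placeholders.

// --- Vulnerable: untrusted input is pasted into SQL and into HTML ---
function show_user_vulnerable(PDO $db, string $name): string {
    // SQL injection: $name = "x' OR '1'='1" returns every row.
    $rows = $db->query("SELECT name, bio FROM users WHERE name = '$name'");
    $out = '';
    foreach ($rows as $row) {
        // Persistent XSS: a bio holding <script>...</script> runs in every
        // visitor's browser because the stored value is echoed raw.
        $out .= "<p><b>{$row['name']}</b>: {$row['bio']}</p>\n";
    }
    return $out;
}

// --- Hardened: parameterised query on the way in, encoding on the way out ---
function show_user_hardened(PDO $db, string $name): string {
    // A prepared statement sends $name separately from the SQL text, so the
    // database never parses it as SQL. This replaces escaping with
    // mysql_real_escape_string() (removed in PHP 7; mysqli_real_escape_string()
    // is its successor), which only helps if every value is also quoted and
    // the connection character set is set correctly.
    $stmt = $db->prepare('SELECT name, bio FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);

    $out = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        // The bio may still contain <script> (a parameterised INSERT stores it
        // faithfully); encoding at output time, for the HTML body context, is
        // what keeps it from executing. ENT_QUOTES also escapes single quotes,
        // which matters if the value ever lands inside an attribute.
        $out .= '<p><b>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
              . '</b>: ' . htmlspecialchars($row['bio'], ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    return $out;
}

// Input validation still belongs at the edge: reject anything that is not a
// plausible username before it reaches the database at all.
function valid_username(string $name): bool {
    return (bool) preg_match('/^[A-Za-z0-9_]{1,32}$/', $name);
}

$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

$name = $_GET['name'] ?? '';
if (!valid_username($name)) {
    http_response_code(400);
    exit('invalid username');
}
echo show_user_hardened($db, $name);
```

The two defences do different jobs and both are needed: the prepared statement protects the database from the request, and htmlspecialchars() protects the visitor's browser from whatever is already stored. Validating the username up front is a third, independent layer; it narrows what reaches the query but would not by itself make the vulnerable handler safe, since a bio is free text.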
There are more and more Web Application Firewalls (WAFs) trying to help mitigate these vulnerabilities, but we can't just depend on them. We need to figure out ways to show project managers and programmers the value of programming it securely the first time, and to get topics on how to program securely inserted early into the education of future programmers and project leaders. OWASP does a great job of education, but I don't know of anyone outside the security community who really knows about OWASP. The guys running the Month of Facebook Bugs over at Social Media Security have done a great job illustrating how many of these third-party Facebook applications have very serious vulnerabilities in them. Yet most of my Facebook friends still constantly send me requests to add applications, many of which I saw in the Month of Facebook Bugs.
Users as a whole also need to demonstrate a willingness to care about security enough to make it worth the developer's time to properly secure their web applications, so that users don't keep suffering the consequences of bad programming. This can be done by withholding website visits and clicks, public outcry, or switching to another service. Of course, it can be difficult (most likely impossible) to just switch to a different service, because it can be very hard to convince friends to come along, re-establish all your existing connections, export all your information to the new service, and make sure all your information is removed from the old one. Withholding your visits and clicks will probably hurt you just as much as the site if you don't have anywhere else to go, and public outcry only does so much to make a company change its policies.
I don't know when we will get to the point where we can truly trust our web applications to be secure, or how exactly that will happen, but I do believe that it absolutely has to happen. Too many things go over the internet and through web applications for this not to be a very important issue that needs more public attention (and not the sensationalized CNN/Fox News/MSNBC type). So thanks for reading through my rant, and if you have any thoughts or suggestions please share below…