Developing Secure Web Applications

At our November 2007 meeting, Ben Whaley of Applied Trust Engineering gave a talk on developing secure Web applications.

Ben focused on two common areas of vulnerability: cross-site scripting and SQL injection. Cross-site scripting (XSS) is a Web application security vulnerability which allows malicious Web users to inject code into the Web pages viewed by other users. A crafted URL can even contain JavaScript code that performs some action automatically to give the hacker what they want, including access to your cookies. SQL injection is possible when the back-end software processing form variables doesn't do adequate checking of parameters, allowing the hacker to execute SQL code directly against the back-end database. Successful SQL injection attacks can give hackers the ability to escalate their privileges, obtain customer or personal information, and even gain insight into the database schema that can be leveraged in subsequent attacks.
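As an added illustration of the two problems above (example code written for this summary, not code from Ben's talk or slides), the block below puts the vulnerable form of a database lookup next to its hardened form, and shows the output encoding that addresses the XSS case. The users table and its rows are constructed sample data; the checks run server-side against an in-memory SQLite database so the example is self-contained.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data (not from the talk): a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The 'before' form: the form variable is spliced into the SQL text.
    A value containing a quote character changes the structure of the query,
    so the database executes something other than what the developer wrote."""
    query = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """The hardened form: a parameterized query. The driver sends the value
    separately from the SQL text, so whatever the user typed can only ever be
    compared as data; it cannot alter the statement."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting(display_name):
    """Output encoding for the XSS case: escape untrusted text before embedding
    it in HTML, so a name containing markup is displayed literally rather than
    interpreted by the browser."""
    return "<p>Hello, %s!</p>" % html.escape(display_name, quote=True)


def demo():
    """Run both lookups with a constructed test input that contains a quote,
    and render a greeting containing markup. Returns (rows from the
    vulnerable lookup, rows from the safe lookup, rendered HTML)."""
    conn = make_db()
    # Constructed test input: a quote followed by an always-true condition.
    test_input = "' OR '1'='1"
    vuln_rows = lookup_vulnerable(conn, test_input)   # every row comes back
    safe_rows = lookup_safe(conn, test_input)         # no username matches literally
    page = render_greeting("<script>alert(1)</script>")
    return len(vuln_rows), len(safe_rows), page


if __name__ == "__main__":
    print(demo())
```

Two practical notes. Parameterization protects values only: a table or column name taken from a form variable cannot be bound as a parameter and must instead be checked against a fixed allowlist. And because Fiddler-style tools let a user edit any form field after the browser's JavaScript has run, these checks belong on the server; client-side validation is a usability feature, not a security control.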

Ben presented these two areas of vulnerability through a series of examples using tools that hackers use, and that you can use to assess your own Web application security. Ben used Microsoft Fiddler to view and modify form information as a way to inject dangerous SQL statements; this also demonstrated the futility of client-side form variable validation. Ben then showed how SPIKE Proxy, an open-source tool with a very simple user interface, can do a powerful job of automatically testing for SQL injection vulnerabilities.

Ben's slides are available here (PDF).

February 15, 2009

February 2008: FRUUG Enters Quiescent Phase
After 27 years running, we're suspending operations.

