Web Apps: A Security Risk?

In a recent report, security consultants with Context Information Security revealed that two thirds of web apps are a security risk when it comes to cross-site scripting, and one in five risk being attacked by SQL injection. The report also suggests that the average number of vulnerabilities per web app is up, offering cause for concern.

Should we, as web app users, be concerned about these findings? Let’s investigate!

What Are The Risks?

What is cross-site scripting and what is SQL injection? In order to understand the risks, we need to know what the terminology means.

Cross-site scripting, also referred to as XSS, allows a malicious party to execute client-side code through a web page that isn’t theirs. Because the injected code appears to come from the trusted website, the browser executes it without issue, allowing malicious actions to be run against the end user. Here’s an example courtesy of Wikipedia.

  1. Mallory posts a message with malicious payload to a social network.
  2. When Bob reads the message, Mallory’s XSS steals Bob’s cookie.
  3. Mallory can now hijack Bob’s session and impersonate Bob.

SQL injection is somewhat similar to an XSS attack. Here, an SQL command is entered into a web application by a malicious party, and is then passed on and executed as part of a database query in the app. The xkcd comic, Exploits of a Mom, renders this exploit in a more comedic form.

[Image: “Exploits of a Mom”, courtesy of xkcd]

This xkcd comic, “Exploits of a Mom”, shows SQL injection in use. In this case, by appending an SQL command onto the end of a regular piece of data entered into a form field, the attacker has caused the particular table in the database to be dropped.
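As an added example, not part of the original article, here is the pattern the comic describes in Python’s standard-library sqlite3 module: a lookup that concatenates a form field into its query, next to the parameterized version that binds the field as data. The students table, the names and the payload are constructed for the demonstration, and executescript stands in for a database driver that accepts several statements in one call.

```python
import sqlite3

# Constructed sample inputs: an ordinary name, and the same name with an
# appended SQL command of the shape the comic describes.
NORMAL_NAME = "Robert"
PAYLOAD_NAME = "Robert'; DROP TABLE students; --"


def fresh_db() -> sqlite3.Connection:
    """In-memory database with a hypothetical 'students' table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO students (name) VALUES (?)",
                     [("Alice",), ("Robert",)])
    conn.commit()
    return conn

def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    """Check the catalogue so we can see whether a lookup had side effects."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> None:
    """Builds the query by string concatenation: a quote in the input closes the
    string literal and the rest of the input is parsed as SQL. executescript
    stands in for a driver that runs several statements per call."""
    conn.executescript(f"SELECT name FROM students WHERE name = '{name}';")

def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the input is bound as a value, so it can only be
    compared against the column, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM students WHERE name = ?", (name,))
    return [r[0] for r in rows.fetchall()]

def demo() -> dict:
    """Run both lookups on the payload and report whether the table survived."""
    vuln, safe = fresh_db(), fresh_db()
    lookup_vulnerable(vuln, PAYLOAD_NAME)
    payload_rows = lookup_safe(safe, PAYLOAD_NAME)
    return {
        "table_after_vulnerable": table_exists(vuln, "students"),  # False
        "table_after_safe": table_exists(safe, "students"),        # True
        "safe_rows_for_payload": payload_rows,                     # []
        "safe_rows_for_normal": lookup_safe(safe, NORMAL_NAME),    # ['Robert']
    }
```

The same payload that drops the table through the concatenated query is simply a name that matches no row once it is passed as a bound parameter.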

Generally, we can expect native apps to be somewhat safer than web apps because they’re normally more closed off, and sometimes sandboxed to separate them from other running programs. The web, however, is a much more open platform that can be more vulnerable to attacks and, unlike native apps on a specific platform, each web app individually needs to stay up to date with patching flaws.

Surely Not The Big Guys?

Most web users won’t use only big or only small applications; they’ll use a mixture. Even though the big guys, such as Google, probably have more money and resources to invest in security, they are still susceptible to attacks. In June last year, Gmail was hacked and account details were revealed, demonstrating that using most services carries a level of risk.

If big services like Gmail, with a lot of security resources, can fall to attacks, then surely smaller apps can too? Sure. However, less popular apps are likely to be less popular targets for hackers, even though they might be easier victims.

Google pays out $500 every time a user finds a security vulnerability in one of the participating services (terms and conditions naturally apply).

Fortunately, Google, at least, is taking security seriously by crowd-sourcing it. In November 2010, Google launched a “vulnerability reward program” whereby they’d pay users who discover security bugs in Google, YouTube, Blogger and Orkut. A base reward of $500 is offered per qualifying bug, with more severe ones paying as much as $3,133.70. If anything, that’s certainly more tempting than using your knowledge of a vulnerability to leak data (money and Google cred!).

Should We Be Worried?

The real question for most of you isn’t how hackers do it, but rather: should I be worried?

The web is a fantastic platform and is far less constrained than native ones (both desktop ones like Windows and Mac OS X and mobile ones like Android and iOS), but that also means the barriers to malicious parties are weaker. There’s always cause for concern on the web, and I don’t think we can ever be really confident that our data is safe on this particular platform. As evidenced by data leaks from big companies, including Sony, Google and AT&T, even the services that we’d assume have a lot of security in place can still let your data fall into the wrong hands.