Two Common Security Problems in Web Applications

Although there is seemingly an infinite number of security weaknesses in web applications, according to Huseby the majority of these weaknesses may be grouped into just two categories:

Failure to Deal with Metacharacters of a Subsystem

A metacharacter is a character that is not treated as plain text in Web applications. Metacharacters usually represent control information used to pass data between modules. They can be created, altered, and injected into a shell command environment hosting the Web application, a back-end database server providing data access to the Web application, or simply the code of the Web application itself. Attacks in this area include:

  • SQL Injection
  • Cross-site Scripting (actually HTML Injection)
  • XML Injection, XPath Injection
  • LDAP Injection
  • C Null-byte Injection
  • Other injection problems, including the seldom-described Legacy System Injection
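
Each subsystem has its own metacharacters, so the same input needs handling specific to where it is sent. The sketch below is an added example, not code from Huseby's article or the original page; the table, function names and sample input are constructed for illustration. It shows a concatenated SQL query beside its parameterized form, plus output encoding for HTML and quoting for a shell.

```python
import html
import shlex
import sqlite3

# Constructed sample input carrying metacharacters of three subsystems:
# ' for SQL, < and > for HTML, $ and ; for a shell.
UNTRUSTED = "<i>$USER;</i>' OR 'a'='a"


def make_db():
    # Hypothetical two-row table, built in memory so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return db


def lookup_concatenated(db, name):
    # Weak form: the quote in `name` closes the SQL string literal, so the
    # rest of the input is parsed as part of the WHERE clause.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, name):
    # Hardened form: the driver binds `name` as a value, never as SQL text.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return db.execute(sql, (name,)).fetchall()


def render_html(name):
    # HTML subsystem: encode <, >, & and quotes at output time.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def shell_word(name):
    # Shell subsystem: quote so ;, $, spaces and quotes stay one literal word.
    return shlex.quote(name)


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, UNTRUSTED))
    print("parameterized:", lookup_parameterized(db, UNTRUSTED))
    print("html         :", render_html(UNTRUSTED))
    print("shell word   :", shell_word(UNTRUSTED))
```

No single escaping routine covers all three cases: the SQL fix leaves the HTML metacharacters untouched, and the HTML encoding does nothing for the shell.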

Authorization Problems Due to Giving Too Much Trust in Input

Authorization is a central security control: it decides and validates whether an entity (a user or a program) has access to a resource. In Web applications, various types of input such as URLs, query strings, cookies, or session data can be stolen and tampered with to bypass authorization. This category isn't filled with cool-named attacks, because the problems are very application-specific and do not target a standard technology with a recognized name.

Source: WASC Article by Sverre H. Huseby