⭐
SSL[1] (Secure Socket Layer) is an excellent technology that protects the confidentiality and integrity of data in transit between the user's browser and the web server. It helps defend against eavesdroppers, and it can provide assurance to the user of the identity of the web server he is dealing with. But it does not stop attacks that directly target the server or client components of an application, as most successful attacks do. Specifically, it does not prevent any of the vulnerabilities just listed, or many others that can render an application critically exposed to attack. Regardless of whether they use SSL, most web applications still contain security flaws.
1.1 The Core Security Problem
The application must assume that all input is potentially malicious. Therefore, it must take steps to ensure that attackers cannot use crafted input to compromise the application by interfering with its logic and behavior, thus gaining unauthorized access to its data and functionality.
This core problem manifests itself in various ways:
- Users can interfere with any piece of data transmitted between the client and the server, including request parameters, cookies, and HTTP[2] (HyperText Transfer Protocol) headers. Any security controls implemented on the client side, such as input validation checks, can be easily circumvented.
- Users can send requests in any sequence and can submit parameters at a different stage than the application expects, more than once, or not at all. Any assumption developers make about how users will interact with the application may be violated.
- Users are not restricted to using only a web browser to access the application. Numerous widely available tools operate alongside, or independently of, a browser to help attack web applications. These tools can make requests that no browser would ordinarily make and can generate huge numbers of requests quickly to find and exploit problems.
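Added example (not from the book or these notes) showing the three points above in a checkout handler: a flawed version that believes a client-supplied price and a client-supplied "step completed" flag, beside a hardened version that treats every field as untrusted, rejects missing or repeated parameters, and enforces step order from server-side session state. The catalogue, SKUs and session class are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed catalogue: the server, not the client, is the source of truth for prices (cents).
CATALOGUE = {"sku-100": 2500, "sku-200": 999}


@dataclass
class Session:
    address_confirmed: bool = False  # server-side record of which checkout step completed


def place_order_trusting(query_string: str, session: Session) -> tuple[int, str]:
    """The flawed pattern: the client's copy of the price and a client-supplied
    'address_ok' flag are believed as-is, so both can be tampered with or replayed."""
    params = parse_qs(query_string)
    if params.get("address_ok", ["0"])[0] != "1":
        return 409, "address step not completed"
    total = int(params["price"][0]) * int(params["qty"][0])
    return 200, f"order accepted: {total} cents"


def _single(params: dict, name: str):
    """Return the one value of `name`, or None if it is missing or repeated."""
    values = params.get(name, [])
    return values[0] if len(values) == 1 else None


def place_order(query_string: str, session: Session) -> tuple[int, str]:
    """Hardened handler: step order comes from the session, price from the
    catalogue, and each parameter must appear exactly once and pass validation."""
    params = parse_qs(query_string, keep_blank_values=True)
    if not session.address_confirmed:        # client cannot skip or reorder steps
        return 409, "address step not completed"
    sku = _single(params, "sku")
    qty = _single(params, "qty")
    if sku is None or qty is None:           # missing or duplicated parameter
        return 400, "sku and qty must each appear exactly once"
    if sku not in CATALOGUE:
        return 400, "unknown sku"
    if not (qty.isascii() and qty.isdigit()) or not 1 <= int(qty) <= 10:
        return 400, "qty must be an integer from 1 to 10"
    # Any client-supplied 'price' field is deliberately ignored.
    total = CATALOGUE[sku] * int(qty)
    return 200, f"order accepted: {total} cents"
```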
1.2 Key Problem Factors
- Underdeveloped Security Awareness
- Custom Development
- Deceptive Simplicity
- There is a huge difference between producing code that is functional and code that is secure. Many web applications are created by well-meaning individuals who simply lack the knowledge and experience to identify where security problems may arise.
- A prominent trend in recent years has been the use of application frameworks that provide ready-made code components to handle numerous common areas of functionality and integration with common back-end infrastructure components. These products make it quick and easy to create working applications without requiring a technical understanding of how the applications work or the potential risks they may contain. This also means many companies use the same frameworks. Thus, when a vulnerability is discovered, it affects many unrelated applications.
- Rapidly Evolving Threat Profile
- Resource and Time Constraints
- Overextended Technologies
- Increasing Demands on Functionality
- Modern sites may include password recovery, username recovery, password hints, and an option to remember the username and password on future visits. Such a site would undoubtedly be promoted as having numerous security features, yet each one is really a self-service feature adding to the site's attack surface[3].