1 Web Application (In)security

SSL

SSL[1] (Secure Sockets Layer) is an excellent technology that protects the confidentiality and integrity of data in transit between the user's browser and the web server. It helps defend against eavesdroppers, and it can provide assurance to the user of the identity of the web server he is dealing with. But it does not stop attacks that directly target the server or client components of an application, as most successful attacks do. Specifically, it does not prevent any of the vulnerabilities just listed, or many others that can render an application critically exposed to attack. Regardless of whether they use SSL, most web applications still contain security flaws.


1.1 The Core Security Problem: Users Can Submit Arbitrary Input

The application must assume that all input is potentially malicious. Therefore, it must take steps to ensure that attackers cannot use crafted input to compromise the application by interfering with its logic and behavior, thus gaining unauthorized access to its data and functionality.
This core problem manifests itself in various ways:
  • Users can interfere with any piece of data transmitted between the client and the server, including request parameters, cookies, and HTTP[2] (HyperText Transfer Protocol) headers. Any security controls implemented on the client side, such as input validation checks, can be easily circumvented.
  • Users can send requests in any sequence and can submit parameters at a different stage than the application expects, more than once, or not at all. Any assumption developers make about how users will interact with the application may be violated.
  • Users are not restricted to using only a web browser to access the application. Numerous widely available tools operate alongside, or independently of, a browser to help attack web applications. These tools can make requests that no browser would ordinarily make and can generate huge numbers of requests quickly to find and exploit problems.
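The three points above translate into one server-side rule: never trust the order, presence, or values of anything the client sends. The following added example (written for these notes, not code from the book) models a small three-step checkout whose server-side state machine re-derives prices from its own catalog, ignores a client-supplied total, and refuses a step whose prerequisites have not been completed in this session. The catalog, session object, and request parameters are all constructed inline.

```python
from dataclasses import dataclass, field

# Constructed server-side catalog: prices in cents. The client never supplies a price.
CATALOG = {"book": 1200, "pen": 150}

@dataclass
class Session:
    """Server-held state; the client can only influence it through the steps below."""
    verified_items: dict = field(default_factory=dict)  # written only by step 1
    address_confirmed: bool = False                     # written only by step 2

def step1_add_items(session, params):
    """Step 1: validate item ids and quantities server-side, whatever the browser checked."""
    items = {}
    for item_id, qty in params.get("items", {}).items():
        if item_id not in CATALOG:
            return False, "unknown item"
        # bool is a subclass of int in Python, so check the exact type before the range.
        if type(qty) is not int or not 1 <= qty <= 10:
            return False, "bad quantity"
        items[item_id] = qty
    session.verified_items = items
    session.address_confirmed = False   # any cart change invalidates later steps
    return True, "ok"

def step2_confirm_address(session, params):
    """Step 2: only meaningful once step 1 has populated the cart in this session."""
    if not session.verified_items:
        return False, "cart empty"
    address = params.get("address", "")
    if not isinstance(address, str) or not 5 <= len(address) <= 200:
        return False, "bad address"
    session.address_confirmed = True
    return True, "ok"

def step3_charge(session, params):
    """Step 3: requires steps 1 and 2 to have run; a client 'total' in params is ignored."""
    if not session.verified_items or not session.address_confirmed:
        return False, "workflow not complete"
    total = sum(CATALOG[item] * qty for item, qty in session.verified_items.items())
    return True, total

if __name__ == "__main__":
    s = Session()
    print(step3_charge(s, {"total": 1}))                       # (False, 'workflow not complete')
    print(step1_add_items(s, {"items": {"book": 1, "pen": 1}}))
    print(step2_confirm_address(s, {"address": "1 Example Street"}))
    print(step3_charge(s, {"total": 1}))                       # (True, 1350)
```

Because every decision is made from `Session` rather than from request parameters, replaying step 3 first, resubmitting step 1 after step 2, or sending an out-of-range quantity that a browser-side check would have blocked all fail in the same predictable way.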

1.2 Key Problem Factors

  • Underdeveloped Security Awareness
  • Custom Development
  • Deceptive Simplicity
    • There is a huge difference between producing code that is functional and code that is secure. Many web applications are created by well-meaning individuals who simply lack the knowledge and experience to identify where security problems may arise.
    • A prominent trend in recent years has been the use of application frameworks that provide ready-made code components to handle numerous common areas of functionality and integration with common back-end infrastructure components. These products make it quick and easy to create working applications without requiring a technical understanding of how the applications work or the potential risks they may contain. This also means many companies use the same frameworks. Thus, when a vulnerability is discovered, it affects many unrelated applications.
  • Rapidly Evolving Threat Profile
  • Resource and Time Constraints
  • Overextended Technologies
  • Increasing Demands on Functionality
    • Modern sites may include password recovery, username recovery, password hints, and an option to remember the username and password on future visits. Such a site would undoubtedly be promoted as having numerous security features, yet each one is really a self-service feature adding to the site’s attack surface[3].

1.3 The New Security Perimeter

Before the rise of web applications, organizations’ efforts to secure themselves against external attack were largely focused on the network perimeter. Defending this perimeter entailed hardening and patching the services it needed to expose and firewalling access to others.
Web applications have changed all this. For an application to be accessible by its users, the perimeter firewall must allow inbound connections to the server over HTTP/HTTPS. And for the application to function, the server must be allowed to connect to supporting backend systems, such as databases, mainframes, and financial and logistical systems. These systems often lie at the core of the organization's operations and reside behind several layers of network-level defenses.
If a vulnerability exists within a web application, an attacker on the public Internet may be able to compromise the organization's core backend systems solely by submitting crafted data from his web browser. This data sails past all the organization's network defenses, in the same way as ordinary, benign traffic to the web application does.

  1. Secure Sockets Layer

  2. HyperText Transfer Protocol

  3. Attack surface
