Web security hole escapes developers
Web services developers tend to trust user input, but this is leaving back-end databases vulnerable to hackers, contends Caleb Sima, chief technology officer at SPI Dynamics, an Atlanta-based maker of security assessment tools.
While discussion of Web services security generally focuses on authentication and encryption, experts often miss what Sima believes is the security hole often built into important applications. "The problem, which has existed in the Web application security world for years, is that developers don't validate user input," Sima said. "They trust user input."
He said customers using the SPI Dynamics WebInspect tool, which scans for such
vulnerabilities, have identified the problem in 90% of the Web services checked. The Web
services were open to allowing outside users to send a SQL query from their browser right to
a corporate database and retrieve what was thought to be confidential information.
"It's a huge problem that's not being talked about," Sima said. "You can insert your own SQL
commands into the Web service parameters to retrieve data back from the server."
WebInspect 3.0, the latest version of the inspection and security tool from SPI Dynamics,
checks for such vulnerabilities beginning in the early stages of the development cycle, Sima
said. The feedback from the tool suggests ways to filter Web services calls so that they do
not contain SQL queries or Java applets that can raid or disrupt back-end databases.
"One of the things we point out is don't ever trust user input," Sima said.
For more information, please go to http://www.spidynamics.com
Rich Seeley is Web Editor for Campus Technology.