Web 2.woe: Simple security flaws going unfixed

Web application vulnerabilities are simple to fix -- but they're here to stay and will likely get worse, say security analysts.

Last week, minor flaws in the Web sites of the Liberal and Labor parties, which allowed the public to create "spoof" pages of the sites, led to fears that the Web sites had been hacked.

Andrew Walls, research director of Gartner's security and privacy group, told ZDNet Australia it did not constitute a genuine hack. "The 'spoof' or prank is actually outside the control of the Web master or developer that is responsible for the Web site," he said.

Security experts refer to the vulnerabilities as cross-site scripting or XSS flaws. While they are fairly simple to fix, Walls said the examples highlight why they should be fixed. Despite the flaws not amounting to any serious threat to security -- no money was lost, no personal details were exposed -- Walls said it had a significant impact, particularly on the Liberal Party's image.

"[The election] is why it became such a big issue about the Liberal's site. There is no way the Liberals want to be represented in a bad light. If a customer or user feels that their life has been damaged in some way, because they looked at your Web site -- regardless if you're to blame -- that's [a] bad thing. So regardless whether you're responsible, it's very important for your visitors to feel that their personal security is a priority, particularly if your role is in government."

"It may be a minor [technical] issue but from little things big things can grow," he added.

Ty Miller, senior security analyst from Pure Hacking, said these vulnerabilities can also be a stepping stone to a more damaging attack.

"If you manage to find a vulnerable site, you could craft -- via cross-site scripting -- a URL for a legitimate user to click on. Once they've clicked on it, it's possible, as an attacker, to utilise a proxy tool to gain the same access as the victim who clicked on the link and authenticated it for you, allowing them to steal a user's session," Miller told ZDNet Australia.

Paradoxical prescription: Easy to fix, hard to resolve

Both Walls and Miller agreed that to prevent HTML-injection style flaws from causing a security headache, organisations should validate every single input form field, such as a search field -- which was used against the Liberal and Labor Parties' sites -- across the Web site to exclude data that does not fit the required type. That is, to ensure form fields only accept strings of text, rather than percentage signs, backslashes or apostrophes, which hackers use to detect vulnerabilities.
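As an added illustration (not code from the article, nor from either party's site), a minimal Python rendering of a search results page that echoes the term unescaped, beside a version that applies the field-level validation the analysts describe and also HTML-encodes the value on output, the second layer a practitioner would add so that a term slipping past validation can never be interpreted as markup. The sample term, the allow-list pattern and the function names are all constructed here.

```python
import html
import re

# Constructed sample input: a search term carrying markup, of the kind the
# article says is used to detect reflected cross-site scripting.
SAMPLE_TERM = "<script>alert(1)</script>"


def render_search_unsafe(term: str) -> str:
    """Hypothetical 'before': the term is echoed straight into the page."""
    return f"<h1>Results for: {term}</h1>"


# Allow-list for a search term: letters, digits, spaces and a few punctuation
# marks only. Percentage signs, backslashes, apostrophes and angle brackets are
# rejected, matching the validation rule the analysts describe. Length is
# capped as well; both limits are assumptions for this example.
_SEARCH_TERM_RE = re.compile(r"^[A-Za-z0-9 .,-]{1,100}$")


def validate_search_term(term: str) -> bool:
    """Return True only if the term fits the expected type for the field."""
    return _SEARCH_TERM_RE.fullmatch(term) is not None


def render_search_encoded(term: str) -> str:
    """Output encoding alone: every character with HTML meaning is escaped."""
    return f"<h1>Results for: {html.escape(term, quote=True)}</h1>"


def render_search_safe(term: str) -> str:
    """Hardened handler: validate the input, then encode on output anyway."""
    if not validate_search_term(term):
        # Reject rather than 'clean up' the value; the message is static text.
        return "<h1>Results for: (invalid search term)</h1>"
    return render_search_encoded(term)


def contains_script_tag(rendered: str) -> bool:
    """Check used by the test: does the rendered HTML carry a live script tag?"""
    return "<script" in rendered.lower()
```

Note the trade-off the allow-list introduces: a legitimate term such as a surname with an apostrophe is rejected by validation, which is why the encoding layer is the one that must never be skipped.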

But security experts said that while the technical issue is not complex or difficult to understand for professionals, closing all the loopholes can be long-winded, costly and complicated due to the breadth of possible flaws. An added complication comes from third-party systems, said Walls, which necessitate the involvement of the vendor, adding further time to the task.

Far from going away, vulnerabilities in Web applications -- on both the client and server side -- will become more prevalent as businesses deploy Web 2.0 technologies, according to Patrik Runald from Finnish security firm F-Secure.

Runald said Web 2.0 technologies increase the burden of responsibility for Web administrators and developers to deliver security measures.

"Unfortunately we've seen a lot of cases where features are more important than security because of competition to improve service levels. We did a test a year ago, where we took a few popular social network sites with a total user base of 80 million users. Within 30 seconds we found six cross-site vulnerabilities in these Web sites," he said.

Gartner's Walls agreed. "We're generating so many Web apps that it's difficult to implement security at the same pace. That's why due care is encouraged and people should keep their wits about them. Don't overreact but don't ignore the problem -- that takes sophistication and experience."

"We're in a holding pattern at the moment, neither conquering security problems nor losing ground. We're keeping pace but the issue ahead of us, Web 2.0, social networking and mash-ups -- we need to bake security into the ground level to all systems."