Chapter 9. Web Application Security

Web applications are essentially server-side software applications. They are usually part of websites and accessed by human users through Web browsing software such as MS Internet Explorer or Netscape Navigator. The Web browsing software, or simply the browser, addresses a Web application through its URL and communicates with it by sending HTTP requests and receiving HTTP responses, either over an intranet or the Internet. In this regard, a Web application is like any other server software.

A distinguishing characteristic is the fact that the same browser can be used to access any number of Web applications, without requiring application-specific client programs to be installed on each client machine. This is convenient to the users, especially for infrequently accessed applications. It is also convenient for system administrators who don't have to worry about upgrading client software on a large number of machines when they upgrade the server program. As a result, Web applications have emerged as the dominant mechanism to deliver application functionality.

Here is a highly simplified account of how Web applications work: The user supplies the URL in the address field of the browser or clicks on a hyperlink pointing to the Web application of interest. This causes the browser to send an HTTP GET request to the machine hosting the Web application. This request is received by the HTTP server and handed over to the Web application for further processing, which responds with an HTML document, either generated dynamically or retrieved from a static file, packaged within an HTTP response. The HTML document may also incorporate scripts written in languages such as JavaScript or launch Java applets. The browser interprets this document and presents a GUI to the user. The user's interaction with this GUI results in further interaction between the browser and the Web application.

The functionality offered by Web applications can range from simple operations like textual search, stock quote query, and driving direction retrieval to complex operations such as online shopping, portfolio management, and Internet banking. Most organizations now have websites that incorporate Web applications for richer interaction with customers, partners and employees. In fact, the superior software distribution model has inspired many to develop traditional client-server software as Web applications.

Secure operation of Web applications, especially those accessible over the Internet, poses an interesting set of challenges. This category of applications has been an attractive target for attackers. It is instructive to understand the reasons behind this.

  • Basic network connectivity to public websites is available to anyone with a computer and a telephone line or any other form of connectivity to the Internet. Given the reach of the Internet, this covers a fairly large population of the world.

  • It is fairly easy to remain relatively anonymous and carry out attacks with little chance of getting caught and punished.[1]

    [1] There is no such thing as perfect anonymity, even on the Internet. Though difficult, it is possible to trace the origin of a particular TCP/IP and HTTP connection through the logs maintained by ISPs.

  • The presence of vulnerabilities—some known and many unknown ones—in the operating system, Web server software, Web applications, Web browsers and other components powering a website makes the job of attackers easy.

  • Successful attacks can have significant payoff for the attackers.

  • Media attention generated by successful attacks on websites of well-known companies strokes the egos of attackers.

The loosely coupled architecture of the Web and the use of standard components such as Web browsers, HTTP servers, and so on, have made it easy to identify vulnerabilities, share information about them, and exploit them.

Besides these factors, it is also important to understand the overall environment of Web application usage. Applications that are perfectly safe to access from a PC owned by the user are not so safe when accessed by browsers running on shared machines, as is the case with machines in a cyber café. Similarly, the threat of snooping, or eavesdropping by a third party, is quite real in many networking environments.

Securing Web applications requires attention to proper use of security mechanisms and avoidance of vulnerabilities. The security mechanisms include things such as user identification, authentication, access control of sensitive actions, data integrity, and confidentiality. Though the break-ins caused by vulnerabilities get more publicity in the press, both incorporating security features as per application requirement and avoiding vulnerabilities are equally important.

Our focus in this chapter is to understand the basic Java technology behind Web applications, identify their security requirements, and learn how to incorporate security mechanisms and avoid common vulnerabilities. As you already know, the main Java technologies used for developing, deploying and running Web applications are servlets and JSPs (JavaServer Pages). We learn more about these technologies in the next section.
