Security in web apps is an ever increasing important topic besides securing the machine or your web/application containers on which your apps run you need to deal with some security related issues in your own apps. In this article we take a look at the number one (according to OWASP)risk in web apps:
Every web app takes some kind of user input (usually through web forms) and works with it. If the web app does not properly handle the user input malicious entries can lead to severe problems like stealing or losing of data. But how do you identify problems in your code? Take a look at a naive but not uncommon implementation of a SQL query:
query("select * from user_data where username='" + username + "'")
Using the input of the user directly in a query like this is devastating, examples include dropping tables or changing data. Even if your library prevents you from using more than one statement in a query you can change this query to return other users’ data.
Blacklisting special characters is not a solution since you need some of them in your input or there are methods to circumvent your blacklists.
The solution here is to proper escape your input using your libraries mechanisms (e.g. with Groovy SpringJDBC):
query("select * from user_data where username=:username", [username: username])
But even when you escape everything you need to take care what you inject in your query. In this example all data is stored with a key of username.data.
query("select * from user_data where key like :username '.%' ", [username: username])
In this case everything will be escaped correctly but what happens when your user names himself % ? He gets the data of all users.
As the last query showed: besides using proper escaping, setting your mind for security problems is the first and foremost step to a secure app.