Secure web applications?

Mario Konecki, Željko Hutinski, Tihomir Orehovački
Faculty of Organization and Informatics, University of Zagreb
Address: Pavlinska 2, 42 000 Varaždin, Croatia
Phone: +385 42 390 800
Fax: +385 42 213 413
E-mail: mario.konecki@foi.hr, zeljko.hutinski@foi.hr, tihomir.orehovacki@foi.hr

Abstract - Today we live in what is called the information society, in which information has become a resource of great value. Together with this kind of society, web applications that provide information through various services have appeared. Web applications have reached a very high level of visual appearance and service quality, but web application security is still treated as a secondary concern. In this paper we point to this problem, show the most common security problems in web applications today, and give suggestions that can help in solving them. We also present our research data about the knowledge and common practice of companies in solving these problems.

I. INTRODUCTION

Today there is an increasing number of web applications in all aspects of business and education, and web applications are becoming a more and more important part of any system. Systems are being connected to each other, and web applications are replacing standard desktop information systems. It has also become obvious that there are many flaws in web security [7], which result in malicious activities in business, education and other areas. Because of this, web application security has become one of the main topics. Because of the constant increase in the number of companies that develop web applications, there is a need to find out the current situation regarding the security problems that occur most often, as a first step towards finding a proper solution and educating companies about these solutions.

II. IDENTIFYING THE MOST COMMON SECURITY PROBLEMS

It is practically impossible to determine the main security problems of web applications in general, because they depend on many factors such as the particular organization of the web site, the specific technologies and configurations, etc. Even so, when concentrating on a whole group of technologies and applications, 10 main security problems that occur in web applications today have been identified [2]. These problems, along with some suggestions on how to solve them, are listed below. The words that could be used here instead of "problem" are also attack, flaw or vulnerability.

A. Unvalidated Input

Web application reactions are based upon input from the HTTP request (or sometimes files) [2]. An attacker can attempt to tamper with any part of this request. Many web applications today do not even have client-side input validation, but even applications that have this kind of validation are not secure enough. Client-side validation is effective and useful for users, but it provides no real protection if there is no server-side input validation. There are simple tools, even telnet, which an attacker can use to intercept an HTTP request and modify it, or to create his own HTTP request. This kind of problem can be solved only by detailed server-side validation mechanisms. This includes proper validation of all types of input that are part of the HTTP request, including URLs, forms, cookies, query strings, hidden fields and parameters. Validation algorithms should check [2]:

- Data type (number, string, ...)
- Allowed length
- Allowed set of characters
- Parameter necessity
- Whether null is allowed or not
- Allowed parameter values
- etc.

B. Broken Access Control

The first thing that is important here is to know which types of users have which privileges and rights. There has to be a clear access control policy [6] and documentation about this matter. A tool that can be used here to describe users and their roles is a role matrix [1;163].

Many applications today have very superficial solutions to this problem. The authorization mechanisms [1;162] are often developed ad hoc as needed and are scattered in many places. This kind of approach leaves plenty of room for mistakes and flaws. These mechanisms, like the input validation algorithms, should be centralized [1;262]. A problem that deserves to be mentioned here is also remote administration. Detailed testing has to be performed regarding the security of the connections and the means used to verify the administrator's identity.
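The following Python script is an added illustration of the two recommendations in subsections A and B, not code from the paper or its authors: one server-side validation function that applies the checklist above (data type, length, character set, necessity, null, allowed values) to every request parameter, and one authorization function that consults a role matrix, both called from a single place in the request handler rather than scattered ad hoc across the application. The field names, roles, rule set and sample requests are constructed for the example.

```python
"""Centralized server-side input validation and role-matrix access control.

Added example (not from the paper): every request handler calls the same
validate() and is_allowed() functions, so the rules live in one place.
Field names, roles and sample requests below are constructed for this demo.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FieldRule:
    """Rule for one request parameter, mirroring the validation checklist."""
    type_: type                          # expected type after parsing
    required: bool = True                # parameter necessity
    nullable: bool = False               # is an explicit null accepted?
    max_length: Optional[int] = None     # allowed length
    charset: Optional[str] = None        # regex the whole value must match
    allowed: Optional[frozenset] = None  # whitelist of permitted values


class ValidationError(ValueError):
    pass


def validate(params: dict, rules: dict) -> dict:
    """Return a cleaned parameter dict or raise ValidationError.

    Parameters not covered by the rule set are rejected outright, so a
    tampered hidden field or extra query-string key is caught as well.
    """
    unknown = set(params) - set(rules)
    if unknown:
        raise ValidationError(f"unexpected parameters: {sorted(unknown)}")
    clean = {}
    for name, rule in rules.items():
        if name not in params:
            if rule.required:
                raise ValidationError(f"{name}: missing")
            continue
        value = params[name]
        if value is None:
            if not rule.nullable:
                raise ValidationError(f"{name}: null not allowed")
            clean[name] = None
            continue
        # Data type: HTTP parameters arrive as strings, so integers are
        # parsed strictly; any other type must already match exactly.
        if rule.type_ is int:
            if isinstance(value, bool) or not re.fullmatch(r"-?\d+", str(value)):
                raise ValidationError(f"{name}: not an integer")
            value = int(value)
        elif not isinstance(value, rule.type_):
            raise ValidationError(f"{name}: wrong type")
        if rule.max_length is not None and len(str(value)) > rule.max_length:
            raise ValidationError(f"{name}: too long")
        if rule.charset and not re.fullmatch(rule.charset, str(value)):
            raise ValidationError(f"{name}: illegal characters")
        if rule.allowed is not None and value not in rule.allowed:
            raise ValidationError(f"{name}: value not permitted")
        clean[name] = value
    return clean


# Role matrix (constructed): which role may perform which action on which
# resource. Anything not listed is denied.
ROLE_MATRIX = {
    "admin":  {("account", "read"), ("account", "update"), ("account", "delete")},
    "editor": {("account", "read"), ("account", "update")},
    "viewer": {("account", "read")},
}


def is_allowed(role: str, resource: str, action: str) -> bool:
    """Single authorization decision point with default deny."""
    return (resource, action) in ROLE_MATRIX.get(role, set())


# Constructed rule set for a hypothetical "update account" request.
ACCOUNT_UPDATE_RULES = {
    "id": FieldRule(int),
    "status": FieldRule(str, allowed=frozenset({"active", "suspended"})),
    "note": FieldRule(str, required=False, nullable=True, max_length=200,
                      charset=r"[A-Za-z0-9 .,'-]*"),
}


def handle_account_update(role: str, params: dict) -> str:
    """Hypothetical handler: authorize first, then validate, then act."""
    if not is_allowed(role, "account", "update"):
        return "403 forbidden"
    try:
        clean = validate(params, ACCOUNT_UPDATE_RULES)
    except ValidationError as exc:
        return f"400 {exc}"
    return f"200 account {clean['id']} set to {clean['status']}"


if __name__ == "__main__":
    print(handle_account_update("editor", {"id": "42", "status": "active"}))
    print(handle_account_update("viewer", {"id": "42", "status": "active"}))
    print(handle_account_update("editor", {"id": "42", "status": "deleted"}))
    print(handle_account_update("editor", {"id": "42", "status": "active", "is_admin": "1"}))
```

Because the rule set is declared once per request type and the role matrix once per application, adding a new parameter or a new role is a change in one place, which is the point of centralizing both mechanisms.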