
[Repost] Input Validation of Client-Server Web Applications Through Static Analysis


Author: Francis Hsu
Original source: http://seclab.cs.rice.edu/w2sp/2007/

This article is a talk from the Web 2.0 Security & Privacy 2007 workshop.

While early web applications were created with all data processing done on the server, the expansion in the use of scripting languages embedded in web browsers (specifically, dialects of ECMAScript - JavaScript and JScript) in techniques such as AJAX has allowed for change in the design of web applications. They are no longer run solely on the server side with a limited input interface of static boxes in an HTML form, but are combinations of two programs: a client program run by the web browser communicating with a server program. While new applications of this type bring benefits in usability, the additional complexity may introduce security problems.
These new web applications designed with client and server components face the traditional problems of classic client-server programs, such as validating the input to the client or server program. However, the web application's server and client components are usually designed with ad-hoc application-level protocols intended only to operate with their counterpart and no other programs. This may lead to dangerous assumptions about the internal state of the counterpart and any data being transmitted. For example, in some cases application writers attempt to handle input validation with JavaScript in the client browser. When the input is then transmitted to the server-side part of the application, the server code continues to operate on the data with the assumption that the client's input validation had successfully completed.
A malicious party could simply construct a client without these checks and submit input without validation, leading to security failures such as SQL injection attacks. With the client source code made accessible to attackers in script form, such vulnerabilities are even more easily exploited. Since the web application programmer had the intention of performing these checks on data to be transmitted to the server, input validation code done on the client should also be present in the server code.
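The situation the abstract describes, as an added illustration that is not part of the paper or the original post: one validation routine is shared by the browser-side form handler and the server-side request handler, and a server that trusts the client is shown beside one that re-runs the same checks. All names here (`RULES`, `validate`, `clientSubmit`, `handleRequestTrusting`, `handleRequestValidated`, the in-memory `makeDb`) and the forged request body are assumptions constructed for the example.

```javascript
// Added example, not code from the paper. Shows why client-side validation
// must be mirrored on the server: a client that skips the checks can send
// anything, so only the server-side copy of the checks actually protects data.

// The validation rules. In a real deployment this object would live in a
// module bundled into the browser script AND loaded by the Node.js server,
// so both sides run literally the same checks.
const RULES = {
  username: (v) => typeof v === "string" && /^[A-Za-z0-9_]{3,16}$/.test(v),
  age: (v) => Number.isInteger(v) && v >= 0 && v <= 150,
};

// Validate a request body against RULES. Returns the names of the fields that
// failed (an empty array means the input is acceptable). Unknown fields are
// reported too, so a client cannot smuggle extra parameters past the check.
function validate(body) {
  const errors = [];
  for (const field of Object.keys(RULES)) {
    if (!RULES[field](body[field])) errors.push(field);
  }
  for (const field of Object.keys(body)) {
    if (!(field in RULES)) errors.push(field);
  }
  return errors;
}

// Browser side: the form handler the legitimate client runs before submitting.
// A hand-built client simply never calls this, which is the paper's point.
function clientSubmit(formValues, send) {
  const errors = validate(formValues);
  if (errors.length > 0) return { sent: false, errors };
  send(formValues);
  return { sent: true, errors: [] };
}

// Vulnerable server handler: assumes the client already validated the data
// and writes it straight to storage.
function handleRequestTrusting(body, db) {
  db.insert({ username: body.username, age: body.age });
  return { status: 200 };
}

// Hardened server handler: re-runs the shared validation before touching the
// database, so the outcome does not depend on which client sent the request.
function handleRequestValidated(body, db) {
  const errors = validate(body);
  if (errors.length > 0) return { status: 400, errors };
  db.insert({ username: body.username, age: body.age });
  return { status: 200 };
}

// Toy in-memory "database" standing in for the real store (constructed).
function makeDb() {
  const rows = [];
  return { insert: (row) => rows.push(row), rows };
}

// Simulate a client that skipped validation. The body is a constructed sample:
// a username carrying a SQL fragment and an age sent as a string.
function demo() {
  const forged = { username: "bob' OR '1'='1", age: "7" };
  const trusting = makeDb();
  const validated = makeDb();
  const r1 = handleRequestTrusting(forged, trusting);
  const r2 = handleRequestValidated(forged, validated);
  return {
    trustingStored: trusting.rows.length, // 1: the forged row went in
    validatedStored: validated.rows.length, // 0: rejected before storage
    trustingStatus: r1.status,
    validatedStatus: r2.status,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The shape of `validate` is the part worth copying: because it is a single function rather than two hand-maintained copies, the server check cannot silently drift from the client check, which is the gap the paper's static analysis is designed to find.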

Attachment

paper-210-z_9464.rar (19 KB)

2007-6-10 04:36, downloads: 86
