Saw a great article on Informit.com that walks you through a real-world application penetration scenario. The author starts out by finding and exploiting a cross-site scripting (XSS) vulnerability and then walks through exploiting additional vulnerabilities to the point that he can run shell commands on the system. This is a great view into the mindset of application-level attackers.
I did have an issue with one of his recommended fixes. To close the XSS vulnerability he used as his entry point, he recommends stripping out a list of bad characters commonly used in XSS attacks. Although that might appear to fix the problem in this case, it is a bad strategy. Blacklisting bad characters is a stop-gap that fails to provide real security: the list is only as complete as the attacks its author has thought of, and it is routinely bypassed with case variation, alternate encodings, or characters that were never on the list. Instead, each input should be specifically validated to make sure that it contains what it should, and rejected otherwise. An email address should look like an email address (firstname.lastname@example.org), a positive integer should be a positive integer (12345), and so on.
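To make the difference concrete, here is an added example (my own code, not the article's, and not Denim Group's) that puts a naive blacklist filter of the kind the article recommends next to positive, per-field validation. The blacklist in `BAD_SUBSTRINGS`, the sample inputs and the email pattern are all my constructions; the email regex is a pragmatic approximation, not a full RFC 5322 parser.

```python
import re

# Hypothetical blacklist filter: strip a list of "bad" substrings from
# untrusted input in a single pass. This stands in for the article's
# recommended fix; it is not the article's exact code.
BAD_SUBSTRINGS = ["<script", "</script", "javascript:", "onerror", "onload"]


def blacklist_strip(value: str) -> str:
    """Remove each blacklisted substring once, case-sensitively."""
    for bad in BAD_SUBSTRINGS:
        value = value.replace(bad, "")
    return value


# Positive validation: describe what the field *should* contain and reject
# anything else. These patterns are assumptions for the example.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
POSITIVE_INT_RE = re.compile(r"[1-9][0-9]*")


def validate_email(value: str) -> str:
    """Return the address unchanged if it looks like an email, else reject."""
    if len(value) > 254 or not EMAIL_RE.fullmatch(value):
        raise ValueError("not a valid email address")
    return value


def validate_positive_int(value: str) -> int:
    """Return the parsed integer if the input is a positive integer, else reject."""
    if len(value) > 18 or not POSITIVE_INT_RE.fullmatch(value):
        raise ValueError("not a positive integer")
    return int(value)


def rejects(validator, value: str) -> bool:
    """True if the validator refuses the value (used to show reject-by-default)."""
    try:
        validator(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker inputs. Both survive the blacklist: the first
    # because a single pass re-assembles "<script" after the inner copy is
    # removed, the second because the filter is case-sensitive.
    nested = "<scr<scriptipt>alert(1)"
    upper = "<SCRIPT>alert(1)</SCRIPT>"
    print("blacklist:", repr(blacklist_strip(nested)), repr(blacklist_strip(upper)))

    # The same inputs never reach application logic under positive validation,
    # because neither is an email address or a positive integer.
    print("email rejects attack:", rejects(validate_email, nested))
    print("int rejects attack:", rejects(validate_positive_int, "12<script>"))
    print("valid values pass:", validate_email("firstname.lastname@example.org"),
          validate_positive_int("12345"))
```

The point of the example is the asymmetry: the blacklist has to anticipate every trick (nesting, case, encodings) and fails as soon as one is missed, while the validators only have to describe the legitimate shape of the field, so anything unexpected is refused without anyone having to foresee it. Validation of input is still a separate concern from encoding data when it is written into HTML; the example covers only the former.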
This may seem like a minor point to argue about, but it is not. If security vulnerabilities are going to be remediated, they need to be remediated correctly. Applying band-aid solutions is a bad idea because the underlying serious vulnerabilities will remain and everyone will be left with a false sense of security. That is, of course, until someone exploits the remaining vulnerabilities – then the developers will be in hot water. It won’t be a fun conversation trying to explain why an application is still vulnerable even though $X and Y weeks were spent “securing” it.
So if you are going to set out to fix something you should actually fix it. You probably won’t get a second chance.
dan _at_ denimgroup.com