Yes, its true, web applications scare the hell out of me.  Back in the grand old days of remotely exploiting rich client apps the attack of choice was buffer overflow (ignoring retarded macro attacks, for which the design was just ineptly flawed).  Sure, there were others, but at the time you could pretty much count on any given app having some unchecked buffer copy.  Today that is largely a solved problem, with static analysis tools being pretty damn good at finding such flaws.  Coupled with decent banned API rules, buffer overflows should be a solved problem, like small pox (don’t tell Apple or Adobe that though, they might actually get around to catch up with the rest of the world).  I find it laughable when a buffer overflow is found in modern software.

The thing is though, exploiting buffer overflows wasn’t trivial (well, pre-metasploit).  It actually required that a person have a decent understanding of how memory worked (so your average scripter or java developer was out in the cold) in order to craft an attack.

With web applications, the two vulnerabilities of choice are XSS and SQL Injection.  SQL Injection is pathetically simple to protect against and yet is horribly prevelent.  On a US UTF-8 only website that doesn’t need to accept HTML, XSS is also very easy to protect against (unfortunately it quickly gets complex when you internationalize, or decide to accept HTML).  These attacks are often disgustingly simple, but work well.

That concerns me a great deal, but a well designed website can put up a decent defense.  That isn’t what really scares me.  It is the fact that many of these web applications store very sensitive data, anything ranging from PII, to one’s entire collection of documents.  It isn’t just that the attacks are so simple, but that the payoff (or cost depending on which side of the coin you are on) is so large.

So enter something like Google, which wants to store your emails, health records, personal documents and files, payment information, and everything else you might value.  It takes one tiny little flaw and all of that is exposed.  It takes one well put together phishing site, and it is all exposed.

What keeps me awake at night is knowing how much there is to lose from one tiny little mistake.  What scares the hell out of me is how much data is stored, how sensitive it is, and how easy it is to find vulnerabilities and exploit.  For crying out loud, bots are doing SQL Injection attacks as we speak.

(what also scares me is that many people actually think HTML and Javascript in a browser creates a compelling competitor to rich client apps.  It will be a cold day in hell when a web app can provide even a marginally compelling experience versus the likes of Office.  Even flash and silverlight are poor replacements.  Adobe is high as a bloody kite if they think that an AIR version of Photoshop is a remotely good idea)

~ Joshbw