back to article It's 2017, and command injection is still the top threat to web apps

The Open Web Application Security Project will on Monday, US time, reveal its annual analysis of web application risks, but The Register has sniffed out the final draft of the report and can report that it has found familiar attacks top its charts, but exotic exploits are on the rise. A late pre-release version of the Project' …

  1. sabroni Silver badge

    moving functionality from the server side to the client “brings its own security challenges”.

    Not really. Security on the client is always just a convenience to the user (don't waste their time allowing them to start things they don't have the permissions to finish). Real security has to be on the server. There is no real way of securing the client, it's a browser.

    1. Nick Ryan Silver badge

      Re: moving functionality from the server side to the client “brings its own security challenges”.

      While I wholly aggree about security being server side, I suspect that a large part of the issue with client side security is that because there are so many developers (ab)using JavaScript to create single page applications it's the access and functions that these provide to locally available resources that is the problem.

      On the other hand I have come across far too many idiot developers who assume that everything that comes from their "rich" web application is trusted and therefore adequate security and data validation on the server side is not necessary.

      1. Ian 7

        Re: moving functionality from the server side to the client “brings its own security challenges”.

        Totally agree - validation etc. on the client is purely to help improve user experience; it needs to be replicated on the server to be any kind of guarantee that it's doing what was intended. And yep, I also agree that there are too many inexperienced web developers out there who don't appreciate that. I'm being polite and swapping "inexperienced" for "idiot" :)

        We had a guy apply for a job here recently who was after £60K plus benefits, which he said was a significant pay CUT from what he'd been earning in California and London, and who could boast on his CV that he'd got experience with cool stuff like Ethereum plus every Javascript framework you could care to mention, but who had no clue how to write a secure application, nor one that was scalable or highly available. Apparently "the framework takes care of that". Knob!

    2. Brewster's Angle Grinder Silver badge

      Re: moving functionality from the server side to the client “brings its own security challenges”.

      A decade ago I found this problem in a popular jobsearch site. So my PDF CV became a self-extracting exe. I did notify them but I got denials and threats.

  2. MJB7

    Re: moving functionality from the server side to the client “brings its own security challenges”.

    Yes it does. It means you can't just move "that" chunk of functionality from server to client - you have to split the security functionality out, and leave it in the server, and then move the rest of the functionality to the client.

    You also have to find a way of testing the security functionality (because the client, by default, probably won't let you).

  3. jms222

    One of our people thought it would be good to pass user-supplied data via the shell rather than exec() and wrote his own code to try to escape things properly and didn't even read or check up on how the Bourne Shell treats single quotes. Duh !

  4. ecofeco Silver badge

    Injections?

    Learn something new every day. All this time I thought it was outsourcing.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021