Web Application Security

The Ubiquitousness of Web apps and the Browsers Who Love Them

Web apps are everywhere. But what are they really? How do they differ from a website? Or do they? I imagine that if we were to ask a hundred different people this question, we would get a hundred different answers.

So I’ll throw in my own definition for the purposes of this post. It makes sense to me, but feel free to disagree and share your thoughts in the comments.

A website exists to relay information. A website may have some dynamic functionality, but it exists mostly to relay information to users. That information can be useful or not (think joke websites, for example :P), but no website in itself provides an immersive experience. On the other hand, web apps, or web applications, do. They involve the user. They have logic to behave interactively. They provide functionality beyond simply delivering information. Users create information, modify information, share information.

Examples of these powerful applications include Facebook, Google’s Gmail and Calendar, Google Plus, and bulletin boards. Even embedded devices now provide web applications for configuring and monitoring them. Firewalls, routers, printers, switches, even VoIP phones are configurable through a browser and have been for years. More and more devices are now including network stacks that, in one way or another, speak HTTP.

Mmmmm, the memories. I had such fun abusing these embedded devices back in the good old days. Routers would let me reconfigure them without needing to authenticate. Phones would give me their secrets if I just pointed a browser at them. In 2006, I even found and reported a vulnerability in a popular embedded device. Read more about the vulnerability at ZeroDay Initiative.

A long time ago, a few others and I built a rather popular anti-spam service. It utilized HTTP. Why not? HTTP is cheap. We didn’t have to build custom protocols and all the pain that goes with that. I thought that as powerful and popular and awesome as the service was then, we were abusing HTTP. We were using it for things it was never meant to handle. Today, I see what people are building with HTTP, and I think they are abusing it more than ever. But why shouldn’t they? Everything useful lives on the web anyway. Development is cheap (relatively), because the infrastructure is already there. Custom protocols don’t have to be developed, though some people do build on top of HTTP to provide additional functionality. It’s easy to get users to point a web browser at a pretty web interface. It’s not easy to get users to download and install some untrusted piece of client-based software (well, sometimes. heh). Overall, though, users are generally more willing to browse to a website than they are to load a dedicated program each time. Plus, with the marketing buzz surrounding “the cloud” (as if it didn’t exist before), both users and developers are more willing to deploy a web app that has all the functionality of a desktop app, while also allowing users to interact with one another, to share data, and to keep all of the data generated off of their hard drives. Though data storage is getting cheaper, it’s still fairly expensive for the average consumer. And as data needs increase for consumers, so do their hard drive needs. Therefore, it’s a win/win situation to store data on the Internet (which is, and has always been, the cloud).

I would be remiss if I failed to mention the increasing usage of web browsers. Not only do computers and cell phones have Web browsers, but so do more and more embedded devices. My Wii has a web browser (yes, I’m a proud owner of a Wii :D); the PlayStation and Xbox have Web browsers; TVs do; and even microwaves, washer/dryers, and refrigerators will soon be available with web browsers, and therefore be “internet-enabled.” To be honest, this both excites and frightens me.

My fear is that these embedded devices will become the central source of information for the digital home. As a society, we are already on information overload. I think it is one thing for the washer/dryer to send an email when a load needs changing. Recipe management or grocery reminders on the refrigerator are pretty nice. But to put video phones, email, and web browsers on these devices? Shouldn’t that be left to the computer? This introduces many exciting things for a member of the offensive security community such as myself, and should instill trepidation into the average consumer.

Obviously, my focus for this post is on embedded devices. The tech industry has been building and breaking web apps for a few years now; but to me, embedded devices with web apps as well as browsers are largely uncharted territory. This brings to mind the SCADA talk that’s been happening for years now. Sure, there have been successful attacks on a few pieces of SCADA infrastructure over the years, but until fairly recently, there hasn’t been a huge focus on SCADA security, from the good guys or the bad guys.

I want to stop that from happening with consumer devices and open eyes to the potential problems that could happen if we continue down this road unchecked. How bad would it be if a microwave could be controlled by a virus because the browser on it had a vulnerability? How bad would it be if your water heater succumbed to a rootkit because the web app on it was vulnerable to file upload manipulation? Or, how bad would it be if, instead of cooling and freezing your food, your refrigerator cooked your food because your next-door neighbor wanted to nose around your unprotected wireless network and thought it’d be funny to break your refrigerator remotely? You might say I’m simply trying to induce a panic. Instead, I like to think I’m getting people to consider the potential risks of allowing such device functionality into their homes before they go out and purchase these appliances and devices.

Are you afraid yet? I don’t mean to cause nightmares, but a serious reality check is intended here.

I get it. These devices that include web apps and browsers on them are going to make our lives easier in many ways. I think it is wonderful to be able to have a refrigerator that can remind me via email that I need to pick up milk on the way home, because it was connected to the Internet and knew (whether by the cool detecting technology that’s on the way or because I told it to remind me) that that particular task needed to be done. My refrigerator is also a sensible – and very useful – place to keep recipe information. Personally, I’d prefer a centralized server in the home, accessed through any of my devices, but it’s something.

But if we don’t do something as consumers, this is going to get out of control. More than it is now. I am genuinely afraid of what might happen if someone from a Country of Ill-Repute™ got hold of my toaster over the internet. Maybe you should be too.