Is someone in the DMZ?
Posted on March 11th, 2008 at 7:33 pm by Naresh Devnani | Categories: Security, ECM
When I first learned about IT security in the Internet world, I was told to assume "that some hacker is already in the DMZ" before architecting any security framework. It helped me tremendously whenever I was involved in web-site security projects or related discussions. I was also aware of direct hacks from the browser if your application is not written with security in mind. I did not realize how fast this field of "browser hacks" has grown.
While reading a blog entry from John Conroy of CMSWire (How They Hack Your Website: Overview of Common Techniques), it was quite tempting to try some of the hacking options and see if your preferred sites break (I tried and could not break it; I am happy about that!). There were good points in the comments by Jason and others that rounded out the post with an overall perspective.
What jumped out at me from the blog was how vulnerable web-sites have become: a simple slip can cause a much bigger problem (Harvard Site Hacked, Alleged Content Hits BitTorrent). Of course, with a packaged application (as most ECM products are) it is difficult to achieve complete control over the code and how it executes its different components. So, one piece of due diligence you owe is asking the vendors about their application's design from a security perspective: does it thwart "browser hacks"? Problems can also occur when you lack a trained team, one that not only understands the basics of web-site management but also designs the application to be secured at all levels (not just the protocol, but code and configuration as well).
In this world of highly interactive web applications, it is very easy to put a lot of logic in the browser to make interactions easy and closer to the end-user, but this can open up new pathways to hack into your application if you do not take appropriate steps to block them. Now, when I participate in any security discussion, rather than repeating my old advice, "someone is in the DMZ", I say "someone has crossed the DMZ and is trying to manipulate your application".
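One way to see the point above in code, as an added example that is not from the original post: the same profile update handled first by a server that trusts the browser to send only the fields it displayed, then by one that enforces its own rules regardless of what the browser-side logic did. The User class, handler names and form contents are hypothetical.

```python
# Added example (not from the original post): the same request handled two
# ways, to show why browser-side logic cannot be the enforcement point.
# User, apply_trusting_client and apply_server_enforced are hypothetical names.
from dataclasses import dataclass, field

# Fields the browser form shows to an ordinary user. The "role" field is hidden
# by client-side script for non-admins, which is a UI convenience, not a control.
USER_EDITABLE = {"display_name", "email"}
VALID_ROLES = {"user", "admin"}


@dataclass
class User:
    name: str
    role: str = "user"
    profile: dict = field(default_factory=dict)


def apply_trusting_client(form: dict, user: User) -> User:
    """Vulnerable: assumes the browser only sends the fields it displayed."""
    for key, value in form.items():
        if key == "role":
            user.role = value  # an altered request silently becomes admin
        else:
            user.profile[key] = value
    return user


def apply_server_enforced(form: dict, user: User) -> User:
    """Hardened: the server decides what this user may change and re-checks
    values the browser already 'validated'."""
    allowed = USER_EDITABLE | ({"role"} if user.role == "admin" else set())
    rejected = set(form) - allowed
    if rejected:
        raise PermissionError(f"fields not permitted: {sorted(rejected)}")
    if "role" in form and form["role"] not in VALID_ROLES:
        raise ValueError("invalid role")
    if "email" in form and "@" not in form["email"]:
        raise ValueError("invalid email")  # never rely on the browser's check
    for key, value in form.items():
        if key == "role":
            user.role = value
        else:
            user.profile[key] = value
    return user


def is_rejected(handler, form: dict, user: User) -> bool:
    """Helper: True when the handler refuses the submission."""
    try:
        handler(dict(form), user)
        return False
    except (PermissionError, ValueError):
        return True


# Constructed input: a normal submission, then one the client has altered
# to include the field the page never displayed.
NORMAL_FORM = {"display_name": "alice", "email": "alice@example.com"}
TAMPERED_FORM = {**NORMAL_FORM, "role": "admin"}
```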