
Application Security: No Room for False Positives

By: Cenzic
Published: Jul 01, 2006
Length: 6
Type: White Paper
Overview:

More and more people and organizations are using the Internet for critical business transactions. However, this success has become its own worst enemy: motivated attackers have turned their attention to Web-based business applications, and these custom applications are now being attacked and exploited.

Enterprises are responding to this new threat by hardening Web applications, and they are increasingly turning to Web application security assessment tools to improve the security of their applications. One of the key requirements for the security code review tools is high accuracy.

This document examines why accuracy is critical to the effectiveness of the tools, and it discusses how Cenzic Hailstorm addresses this problem.

Related categories: Application Security, Best Practices, Enterprise Software, IP Networks, Internet Security, Network Security, Security, Web Service Security, eBusiness

 
Web Application Attack Mechanisms

Enterprises have spent billions of dollars to protect their information infrastructures. Confronted with steadily maturing network layer defenses, attackers are increasingly turning their attention to the application layer and the business applications running there. The dynamic nature of Web applications offers users unique experiences, but the technology that makes a Web site so interesting also has a dark side. People with malicious intent can turn this same technology against the enterprise to cause considerable damage to a company's bottom line and reputation.

Nearly one in five businesses, both large and small, report that attackers have exploited flaws in Web applications. It's relatively easy, as many attacks are simple to launch. Anyone with a browser can unleash them. Other types of attacks require intimate knowledge of the host server and underlying applications. All are potentially damaging to an organization's Web presence. The following are some of the basic attack types employed against Web sites and Web applications:

Session management. A session is hijacked for malicious purposes.

Authentication bypass. A hacker can bypass authentication mechanisms and access Web applications illegally.

Cross-site scripting. Malicious code is executed when a user clicks on the URL.

Application buffer overflow. Very long requests exceed the allocated buffer size, which can allow hacker code to be executed.

Cookie poisoning. Manipulating a session cookie's contents enables the attacker to obtain unauthorized information from the server.

Hidden field manipulation. This attack involves changing the values of hidden fields, which are frequently used to provide status information to the server.

Stealth commanding. Modifying Web-form input fields coerces the Web server into actions that it wouldn't ordinarily allow.

Forceful browsing. Modifying a URL can bypass Web controls to break out of a server's root directory and access files on the rest of the file system.

Parameter tampering. Submitting modified data to the Web server returns all member records in the database.

Third-party misconfiguration. This attack involves exploiting an insecure server configuration.

Known vulnerabilities. This attack involves exploiting known vulnerabilities or default settings that haven't been patched or changed.

Database sabotage. This attack involves appending valid SQL commands to form fields.

Data encoding. This strategy disguises attacks by using alternate encoding methods.

To be fully secure, enterprises need to be able to test the dynamic aspects of their Web sites to remove the vulnerabilities these attacks can exploit.
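Hidden field manipulation and parameter tampering in the list above both come down to the server trusting values the browser sent back to it. The following is an added example, not code from the Cenzic paper or from Hailstorm, built around a constructed checkout handler and a constructed product catalog: the vulnerable version prices the order from a hidden `price` field, while the hardened version recomputes the total from server-side data, validates `sku` and `qty`, and treats a client price that disagrees with the catalog as a tampering signal worth logging rather than as input.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog standing in for the product table.
CATALOG = {"sku-100": Decimal("49.99"), "sku-200": Decimal("5.00")}


class TamperedRequest(ValueError):
    """Raised when submitted form fields fail server-side validation."""


def vulnerable_checkout(form):
    """Prices the order from the hidden 'price' field the form carried.

    Anything the browser sends can be edited before submission, so an
    edited hidden field sets the price here (the 'before' of the fix).
    """
    qty = int(form["qty"])
    price = Decimal(form["price"])
    return {"sku": form["sku"], "qty": qty, "total": price * qty}


def hardened_checkout(form):
    """Ignores client-supplied prices and validates every field it does use."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise TamperedRequest("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise TamperedRequest("qty is not an integer") from None
    if not 1 <= qty <= 100:
        raise TamperedRequest("qty out of range")

    price = CATALOG[sku]  # authoritative value from the server side

    # A hidden 'price' that disagrees with the catalog is a tampering signal:
    # the order is still priced correctly, and the mismatch is reported so the
    # caller can log it.  A non-numeric price counts as tampering as well.
    tampered = False
    if "price" in form:
        try:
            tampered = Decimal(form["price"]) != price
        except InvalidOperation:
            tampered = True
    return {"sku": sku, "qty": qty, "total": price * qty, "price_tampered": tampered}


if __name__ == "__main__":
    # Constructed submission in which the hidden price was edited from 49.99 to 0.01.
    edited = {"sku": "sku-100", "qty": "2", "price": "0.01"}
    print("vulnerable total:", vulnerable_checkout(edited)["total"])
    print("hardened result: ", hardened_checkout(edited))
```

The hardened handler never reads the submitted price to compute anything; it only compares it, which is what turns an attack input into a detection event. The same pattern applies to any hidden field that carries state the server could have kept itself.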


The Criticality of Web Application Vulnerability Assessment

IDC believes that network security tools, such as firewalls and intrusion detection systems (IDS), must be augmented by strong Web intrusion protection mechanisms. Enterprises, business units, and, importantly, Web developers are realizing that the weakest links in the security chain are Web servers, Web applications, and related back-end databases. As exploits associated with Web applications continue, IT professionals and management are coming to the conclusion that insecure coding is the root of many a breach; one might even say it is the source of security woes. The concepts of developing applications with security in mind and removing security defects from applications before they are released are gaining acceptance.

Most people understand the need to perform functional testing to ensure that applications provide the services expected, but often overlooked is testing to ensure that applications do not include unintended operations, many of which become security vulnerabilities. Achieving application security requires the ability to search applications for issues that are unique and previously unknown. This is more critical in Web applications because of the way they receive and process unstructured user commands: the Web application has no control over user input, only over its output. A key to security testing of software is to uncover unexpected, unintended, undocumented, or unknown functionality. The best way to do this is to use Web application vulnerability assessment scanners, which are designed to deal with the specific needs associated with application and Web site security.

These tools usually rely on attack signatures or canned attack code, but the best of them run the known techniques actually used against Web applications and servers. In other words, Web application vulnerability assessment scanners attempt to emulate the actions of experienced hackers. They avoid general vulnerability checks, such as port scans or patch checks, to concentrate on Web vulnerabilities that standard vulnerability assessment tools don't address.
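A scanner that emulates known attack techniques still has to confirm each finding before reporting it, and the accuracy the overview insists on comes from that confirmation step. The following is an added example, not Cenzic Hailstorm code and not taken from the paper: it runs a reflected-input check of the kind a Web application scanner performs, in-process against three constructed WSGI handlers (one echoes a query parameter verbatim, one HTML-escapes it, one ignores it). The check reports `confirmed` only when its canary comes back with its metacharacters intact, so the escaped page, where the canary text is present but neutralised, is not counted as a finding. The handler names, the `/search` path and the `q` parameter are all assumptions made for the example.

```python
import html
import io
import secrets
from urllib.parse import parse_qs, urlencode


def vulnerable_app(environ, start_response):
    """Constructed handler that writes the 'q' parameter into HTML verbatim."""
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    body = f"<html><body><p>You searched for: {q}</p></body></html>"
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


def hardened_app(environ, start_response):
    """Same page, but the value is HTML-escaped before it reaches the response."""
    q = html.escape(parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0], quote=True)
    body = f"<html><body><p>You searched for: {q}</p></body></html>"
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


def silent_app(environ, start_response):
    """Constructed handler that never reflects input at all."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body><p>Search results</p></body></html>"]


def call_wsgi(app, path, query):
    """Invoke a WSGI app in-process with a constructed environ; return (status, body)."""
    environ = {
        "REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": urlencode(query),
        "SERVER_NAME": "localhost", "SERVER_PORT": "80", "SERVER_PROTOCOL": "HTTP/1.1",
        "wsgi.version": (1, 0), "wsgi.url_scheme": "http", "wsgi.input": io.BytesIO(b""),
        "wsgi.errors": io.StringIO(), "wsgi.multithread": False,
        "wsgi.multiprocess": False, "wsgi.run_once": False,
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], body


def reflection_check(app, path, param, canary=None):
    """Return a finding dict for one parameter.

    'reflected' means the canary text came back in some form; 'confirmed' is
    True only when the probe, which wraps the canary in '<', '>' and '"',
    came back with those characters untouched.  Reporting on 'reflected'
    alone would flag the escaped handler as well, i.e. a false positive.
    """
    if canary is None:
        canary = "cz" + secrets.token_hex(4)  # random so it cannot already be on the page
    probe = f'<{canary}>"{canary}"'
    status, body = call_wsgi(app, path, {param: probe})
    reflected = canary in body
    unescaped = probe in body
    return {"param": param, "status": status, "reflected": reflected,
            "confirmed": reflected and unescaped}


if __name__ == "__main__":
    for app in (vulnerable_app, hardened_app, silent_app):
        print(app.__name__, reflection_check(app, "/search", "q"))
```

The two-level result (`reflected` versus `confirmed`) is the point: a scan report built from `confirmed` stays free of the escaped case, while `reflected` remains available as a lower-severity hint for a reviewer who wants to look at how the value is encoded.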