
June 2009 issue, Technology

Preventing Web Application Attacks-Don't be a Victim

Mike Shema
Friday, June 5, 2009
Web application vulnerabilities are among the most popular targets of attack, and the motives behind those attacks are many. They range from competitors stealing information such as customer lists to organized criminals looking to pilfer customer data such as credit card numbers.

Vulnerabilities in Web applications are now the largest vector of enterprise security attacks. Last year, almost 55 percent of vulnerability disclosures affected Web applications. About 74 percent of those Web application vulnerabilities had no patch available by the end of the year, according to that report. Stories about exploits that compromise sensitive data frequently mention culprits such as ‘cross-site scripting,’ ‘SQL injection,’ and ‘buffer overflow.’ Vulnerabilities like these often fall outside the traditional expertise of network security managers, and that relative obscurity is exactly what makes them useful to attackers. As many organizations have discovered, these attacks will evade traditional enterprise network defenses unless you take new precautions.

There are primarily two classes of Web application vulnerabilities: technical vulnerabilities that reside within the actual coding of the application, and logic vulnerabilities that are fundamental weaknesses in the workflow, or business logic, of the application. Both can be avoided if your organization is diligent when it comes to identifying and mitigating these risks.

Technical vulnerabilities comprise problems such as cross-site scripting, which allows attackers to insert malicious HTML code and downloadable scripts into legitimate websites. This code can be used to fool users into thinking they’re interacting with a trusted site, when they’re not; or even to push spyware and Trojans onto the systems used by visitors. Another technical vulnerability is SQL injection, which allows attacks that take advantage of poor database command filtering controls to gather, modify, or even delete information in the application.

Logic vulnerabilities get less attention but are just as important. These flaws, unlike information disclosure bugs or inadequate input validation filters, allow attackers to exploit the logic of a Web application itself. Because that logic is unique to each application, so are the attacks against it, and identifying them requires creativity and insight into both Web applications and attack techniques. These vulnerabilities make it possible for attackers to twist the rules that developers put in place for such things as calculating prices, accepting discounts, or tracking vote tallies.
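As an added example (not from the article), here is the pricing and discount flaw described above in Python: a checkout that trusts the client-supplied price, quantity and discount rate, beside one that recomputes every figure from server-side data and rejects out-of-range input. The catalogue, discount codes and sample orders are constructed for the illustration.

```python
# Added example, not from the article: a checkout total computed two ways.
# Catalogue, discount codes and the three sample orders are constructed data.

CATALOGUE = {"widget": 1000, "gadget": 2500}   # server-side prices, in cents
DISCOUNT_CODES = {"SAVE10": 10}                # code -> percent off


class OrderError(ValueError):
    """Raised when an order fails server-side validation."""


def total_vulnerable(order):
    """Logic flaw: trusts the unit price, quantity and discount the client sent."""
    total = 0
    for item in order["items"]:
        total += item["price"] * item["qty"]              # client-controlled figures
    total -= total * order.get("discount_pct", 0) // 100  # client picks the rate
    return total


def total_hardened(order):
    """Recomputes every figure from server-side data and rejects bad input."""
    total = 0
    for item in order["items"]:
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOGUE:
            raise OrderError(f"unknown sku {sku!r}")
        if type(qty) is not int or not 1 <= qty <= 100:  # no negatives, bools or floats
            raise OrderError(f"invalid quantity {qty!r}")
        total += CATALOGUE[sku] * qty                      # price looked up, never trusted
    code = order.get("discount_code")
    if code is not None:
        if code not in DISCOUNT_CODES:
            raise OrderError("unknown discount code")
        total -= total * DISCOUNT_CODES[code] // 100       # server decides the rate
    return total


# Constructed sample orders: one honest, two with the tampering the article describes.
HONEST_ORDER = {"items": [{"sku": "widget", "price": 1000, "qty": 2}],
                "discount_pct": 10, "discount_code": "SAVE10"}
TAMPERED_PRICE = {"items": [{"sku": "gadget", "price": 1, "qty": 3}],
                  "discount_pct": 99, "discount_code": "SAVE10"}
TAMPERED_QTY = {"items": [{"sku": "widget", "price": 1000, "qty": -1},
                          {"sku": "gadget", "price": 2500, "qty": 1}]}


def hardened_result(order):
    """Return the hardened total, or None when the order is rejected."""
    try:
        return total_hardened(order)
    except OrderError:
        return None
```

Both functions agree on the honest order; on the tampered ones the vulnerable version charges one cent for three gadgets or hands out a credit for a negative quantity, while the hardened version either recomputes the real total or rejects the order outright.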

