Preventing Web Application Attacks - Don't be a Victim

Date: Friday, June 05, 2009

Web application vulnerabilities are among the most popular targets of attack. The motives behind these attacks are many, ranging from competitors stealing information such as customer lists, to organized crime looking to pilfer customer information such as credit card numbers.

Vulnerabilities in Web applications are now the largest vector of enterprise security attacks. Last year, according to one vulnerability report, almost 55 percent of vulnerability disclosures affected Web applications, and about 74 percent of Web application vulnerabilities had no patch available by the end of the year. Stories about exploits that compromise sensitive data frequently mention culprits such as ‘cross-site scripting,’ ‘SQL injection,’ and ‘buffer overflow.’ Vulnerabilities like these often fall outside the traditional expertise of network security managers. The relative obscurity of Web application vulnerabilities thus makes them attractive to attackers. As many organizations have discovered, these attacks will evade traditional enterprise network defenses unless you take new precautions.

There are primarily two classes of Web application vulnerabilities: technical vulnerabilities that reside within the actual coding of the application, and logic vulnerabilities that are fundamental weaknesses in the workflow, or business logic, of the application. Both can be avoided if your organization is diligent when it comes to identifying and mitigating these risks.

Technical vulnerabilities comprise problems such as cross-site scripting, which allows attackers to insert malicious HTML code and downloadable scripts into legitimate websites. This code can be used to fool users into thinking they’re interacting with a trusted site, when they’re not; or even to push spyware and Trojans onto the systems used by visitors. Another technical vulnerability is SQL injection, which allows attacks that take advantage of poor database command filtering controls to gather, modify, or even delete information in the application.
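As an added illustration (not code from the original article), the following Python sketch puts both technical flaws just described beside their fixes: a query that splices user input into SQL text versus a parameterized one, and HTML escaping of user data before it is sent to the browser. The in-memory table, its rows and the probe input are constructed for the example.

```python
import html
import sqlite3

# Constructed in-memory table standing in for an application's user store.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "alice@example.com"), ("bob", "bob@example.com")])
conn.commit()


def lookup_concat(name):
    """Insecure: the untrusted value is spliced into the SQL text, so quote
    characters in the input change the structure of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(name):
    """Hardened: the driver binds the value as data; it can never become SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting(name):
    """Hardened output: escape before embedding user data in HTML so a value
    containing tags is displayed as text rather than parsed by the browser."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed input that closes the quoted string in the concatenated query.
    probe = "' OR '1'='1"
    print(len(lookup_concat(probe)))   # 2: the filter is defeated, every row returns
    print(len(lookup_param(probe)))    # 0: no user is literally named that
    print(render_greeting("<script>alert(1)</script>"))
```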

Logic vulnerabilities get less attention but are also important. These flaws, unlike information disclosure bugs or inadequate input validation filters, allow attackers to exploit the logic of a Web application. That means that these types of attacks are unique for each specific Web application and require creativity and insight into Web applications and attack techniques to identify. These vulnerabilities make it possible for attackers to twist the rules that developers put into place to do such things as calculating pricing, accepting discounts, or tracking vote tallies.

During customer assessments, we’ve seen vulnerabilities that made it possible to eliminate shipping charges (or get overnight shipping for the price of standard shipping), increase discounts and insert coupons, and even reduce posted prices. These types of attacks are insidious; they can occur over time, and it can be very difficult to identify the revenue loss, because at first glance, each transaction appears to be legitimate.
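An added example, not from the original article, of the server-side control that closes the pricing, shipping and coupon logic flaws described above: the checkout recomputes subtotal, shipping and discount from server-side tables and ignores any price or shipping cost the client submits. The catalog, shipping rates and coupon rules are constructed values, and the `redeemed` parameter stands in for an assumed persistent store of already-used single-use codes.

```python
from decimal import Decimal

# Constructed catalog, shipping table and coupon rules; in a real application
# these come from the server's own database, never from the request.
CATALOG = {"sku-100": Decimal("25.00"), "sku-200": Decimal("10.00")}
SHIPPING = {"standard": Decimal("5.00"), "overnight": Decimal("20.00")}
COUPONS = {"SAVE10": {"percent": Decimal("10"),
                      "min_subtotal": Decimal("30.00"),
                      "single_use": True}}


def price_order(request, redeemed):
    """Recompute every monetary value on the server.

    Only item ids, quantities, the shipping method name and the coupon code
    are read from `request`; any client-supplied price, discount or shipping
    cost is ignored. `redeemed` is the set of single-use coupon codes that
    have already been consumed (an assumed store for this example).
    """
    subtotal = Decimal("0")
    for item in request["items"]:
        qty = int(item["qty"])
        if qty <= 0 or item["sku"] not in CATALOG:
            raise ValueError("invalid line item")
        subtotal += CATALOG[item["sku"]] * qty

    method = request.get("shipping", "standard")
    if method not in SHIPPING:
        raise ValueError("unknown shipping method")
    shipping = SHIPPING[method]  # server rate, not the client's number

    discount = Decimal("0")
    code = request.get("coupon")
    if code is not None:
        rule = COUPONS.get(code)
        if rule is None or subtotal < rule["min_subtotal"]:
            raise ValueError("coupon not applicable")
        if rule["single_use"] and code in redeemed:
            raise ValueError("coupon already used")
        discount = (subtotal * rule["percent"] / 100).quantize(Decimal("0.01"))

    return {"subtotal": subtotal, "shipping": shipping,
            "discount": discount, "total": subtotal - discount + shipping}
```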

The problem is growing. The Common Vulnerabilities and Exposures (CVE) Project, which tracks all types of publicly disclosed software vulnerabilities, recently reported that Web flaws constituted 45 percent of all vulnerabilities the organization tracked for the nine months of last year. Analysts say Web applications are the focus of 75 percent of attacks.

It’s not just small e-commerce sites that have trouble when it comes to Web application security. Sites such as Google, MySpace, Facebook, Twitter, and Yahoo! have all reported Web application security problems. And the recent IT systems breach at The TJX Companies, the merchant that owns such retail outlets as T.J. Maxx and Marshalls, shows just how costly mistakes can be: The company recently reported that its earnings will include a 1 cent per share charge, or roughly $4.5 million, related to costs surrounding the attack.

If those risks aren’t enough for Web merchants to increase their focus on Web application security, there is a compliance clock ticking. Companies with e-commerce websites that conduct credit card transactions have had to meet tougher security rules that are part of the Payment Card Industry Data Security Standard (PCI DSS). The rules were updated in September 2006, but compliance was not mandatory until July 2008. More guidance and stricter compliance rules are sure to come.

The original standard put forth twelve security requirements, including network firewall installation, encrypting cardholder data as it travels, strict authentication and authorization tracking, developing and maintaining secure systems and applications, and a series of active security policies. The updated version 1.2 of the standard, released on October 1 last year, includes significant changes in how Web application security is addressed. For instance, the updated version requires that all custom-built application software be reviewed on a regular basis by an application security specialist for vulnerabilities, using automated or manual application vulnerability assessment tools or methods; otherwise, organizations that accept or store credit card transaction information must deploy a Web application firewall.

It’s advisable to vet all Web applications, whether custom-built or purchased, for Web vulnerabilities, and to deploy a Web application firewall.

It’s also advisable to use a Web application vulnerability scanner, supplemented by a human component. First, the scanners work much the same way as network security scanners: they aim to spot security-related configuration and programming errors. Web applications are complex, and application scanners are good at finding technical vulnerabilities. They’ll check the application’s input parameters, and they’ll relentlessly throw many variables at the application in an attempt to break and compromise it.

The second method is to have a human try to hack your system. If you don’t have that type of expertise in-house, consider hiring an experienced Web application security expert. Unlike a vulnerability scanner, the expert can use human ingenuity and creativity to find development mistakes, such as logic vulnerabilities, that make it possible to bend your application in ways it was never intended to be used. A skilled consultant will be aware of the ways Web application logic in complex systems can be misused by a thief.

Most importantly, companies must make secure coding a priority throughout their development process. Coupling that with the advice and best practices offered by OWASP will go a long way toward making the corporate website highly secure.

Then, when attackers start poking through the site for security holes, they’ll find nothing, get frustrated, and quickly realize that they should move on to websites operated by those who don’t pay so much attention to Web application security flaws.

Mike Shema is a Security Research Engineer at Qualys Inc.