Website security is today’s most overlooked aspect of securing the enterprise and should be a priority in any organization.
Increasingly, hackers are concentrating their efforts on web-based applications – shopping carts, forms, login pages, dynamic content, etc. Accessible 24/7 from anywhere in the world, insecure web applications provide easy access to backend corporate databases and also allow hackers to perform illegal activities using the attacked sites.
A victim’s website can be used to launch criminal activities such as hosting phishing sites or to transfer illicit content, while abusing the website’s bandwidth and making its owner liable for these unlawful acts.
Hackers already have a wide repertoire of attacks that they regularly launch against organizations including SQL Injection, Cross Site Scripting, Directory Traversal Attacks, Parameter Manipulation (e.g., URL, Cookie, HTTP headers, web forms), Authentication Attacks, Directory Enumeration and other exploits.
Web applications – shopping carts, forms, login pages, dynamic content, and other bespoke applications – are designed to allow your website visitors to retrieve and submit dynamic content including varying levels of personal and sensitive data.
If these web applications are not secure, then your entire database of sensitive information is at serious risk. A Gartner Group study reveals that 75% of cyber-attacks are done at the web application level.
Why are web applications vulnerable?
- Websites and web applications are easily available via the internet 24 hours a day, 7 days a week to customers, employees, suppliers and therefore also hackers.
- Firewalls and SSL provide no protection against web application hacking, simply because access to the website has to be made public.
- Web applications often have direct access to backend data such as customer databases.
- Most web applications are custom-made and, therefore, involve a lesser degree of testing than off-the-shelf software. Consequently, custom applications are more susceptible to attack.
- Various high-profile hacking attacks have proven that web application security remains the most critical. If your web applications are compromised, hackers will have complete access to your backend data even though your firewall is configured correctly and your operating system and applications are patched repeatedly.
Network security defense provides no protection against web application attacks since these are launched on port 80 which has to remain open to allow regular operation of the business. It is therefore imperative that you regularly and consistently audit your web applications for exploitable vulnerabilities.
Why Web Application Security Should be Part of Your Web Risk Management Program?
There are many reasons your organization should identify and address web application security vulnerabilities as part of your web risk management program:
- Reduce Cost of Recovery and Fixes — Computer security attacks cost as much as $10 billion a year.
- Ensure Customer Trust — Trust is a key component to customer adoption and retention.
- Encourage Website Adoption — Consumers are still not adopting websites as a preferred channel for doing business. The Tower Group cited that 26 percent of customers don’t use online banking for security fears and another 6 percent do not due to privacy issues.
- Maintain Competitive Advantage — Many organizations are using trust as a key competitive advantage and are leveraging customer fears to proactively implement security and privacy programs to ease the uncertainty.
- Reduce Cost of Manual and Outsourced Security Testing — Many organizations today, especially ones in regulated industries, test security using costly manual processes that cannot address all potential website risks. Other organizations spend millions on outsourced security assessment and ethical hacking resources.
Browser-based attacks use flaws in the web-based application code. Software most vulnerable to these types of attacks includes:
- User interface code — provides the look and feel of the site
- Web server — supports the physical communication between the user’s browser and the web applications
- Front-end applications — interfaces directly with the user interface code, and back-end systems
Example scenarios in which a web site is compromised:
Examples of vulnerabilities
What hackers use it for
1. Cookie Poisoning
Identity theft/ Session Hijack
2. Hidden Field Manipulation
3. Parameter Tampering
4. Buffer Overflow
Denial of Service/ Closure of Business
5. Cross-Site Scripting
Hijacking/ Identity Theft
6. Backdoor and Debug Options
7. Forceful Browsing
Breaking and Entering
8. HTTP Response Splitting
Phishing, Identity Theft and eGraffiti
9. Stealth Commanding
10. 3rd Party Misconfiguration
Debilitating a Site
11. Known Vulnerabilities
Taking control of the site
12. XML & Web Services Vulnerabilities
New layers of attack vectors & malicious use
13. SQL Injection
Manipulation of DB information
How do these Vulnerabilities Affect Your Customers?
Your customers can be affected in a variety of ways: from identity theft to session hijacking to the compromise of confidential and private customer data. Cross-Site Scripting (XSS) is one of the leading methods used in identity theft (and an obvious concern to financial and healthcare institutions); it attacks the user via a flaw in the website that enables the attacker to gain access to login and account data from the user. Many of the phishing email-based schemes use cross-site scripting and other application layer attacks to trick users into giving up their credentials.
SQL injection is one of the main attacks used when backend databases are compromised. General consensus has pegged SQL injection as the method used behind the massive compromise of credit card numbers in February of last year. We still see many cases where cookies aren’t properly secured, allowing an attacker to ‘poison’ the cookie, hijack active sessions or manipulate hidden fields to defraud ecommerce sites. As web applications become more pervasive and more complex, so do the techniques and attacks hackers are using against them. Recent new vulnerabilities and attack methods discovered or reported show an alarming trend toward attacks with multi-faceted damages and even anti-forensics capabilities. This means hackers are using more powerful attacks to cause significantly more damage, while at the same time covering their tracks is becoming easier.
Service allows you to identify more vulnerabilities than other Web Application Scanners, whilst generating less false positives. It indicates exactly where in your code the vulnerability is and reports additional debug information which is handy.
Advantages of using our service technology
- Ability to provide more information about the vulnerability, such as source code line number, stack trace, affected SQL query.
- Allows you to locate and fix the vulnerability faster because of the ability to provide more information about the vulnerability, such as source code line number, stack trace, affected SQL query, etc.
- Significantly reduces false positives when scanning a website because it understands the behavior of the web application better.
- Alerts you of web application configuration problems which can result in a vulnerable application or expose sensitive information. E.g. If ‘custom errors’ are enabled in .NET, this could expose sensitive application details to a malicious user.
- Advises you how to better secure your web server settings, e.g. if write access is enabled on the web server.
- Detects more SQL injection vulnerabilities. Previously SQL injection vulnerabilities could only be found if database errors were reported, whereas now the source code can be analyzed for improve detection
- Ability to detect SQL Injection vulnerabilities in all SQL statements, including in SQL INSERT statements. Using a black box scanner such SQL injection vulnerabilities cannot be found.
- Discovers all the files present and accessible through the web server. If an attacker gains access to the website and creates a backdoor file in the application directory, the file is found and you will be alerted.
- No need to write URL rewrite rules when scanning web applications which use search engine friendly URL’s! Our service can rewrite SEO URL’s on the fly.
- Ability to test for arbitrary file creation and deletion vulnerabilities. E.g. Through a vulnerable script a malicious user can create a file in the web application directory and execute it to have privileged access, or delete sensitive web application files.
- Ability to test for email injection. E.g. A malicious user may append additional information such as a list or recipients or additional information to the message body to a vulnerable web form, to spam a large number of recipients anonymously.