WEB APPLICATION SECURITY: A LOOMING THREAT
INTRODUCTION
Web applications are ubiquitous and a way of life for any user
of the Internet. Information exchange is the new lifeblood of the 21st century.
We check our bank balances, order books, make hotel reservations and purchase
airline tickets all on-line. We trust our vendors with our credit card numbers,
social security numbers, bank account information, birth dates and other personal
information with the implicit trust that access to our data is tightly controlled
-- only those persons with the right to view data may view it and that the right
safeguards are in place. Or so we think.
The truth of the matter is that Web applications are highly
insecure. The Gartner Group estimates that 75% of all information security attacks
are targeted at Web applications, while the International Computer Security
Association (ICSA) estimates this at over 66%. A different industry estimate
puts 97% of all Web sites as vulnerable to some kind of attack. The FBI reports
that businesses lose $6.6 million on average each time proprietary information
is stolen (including costs of research, development and branding). The September
11th tragedy only magnifies the possible dangers. All kinds of American corporate
and governmental icons are subject to a new kind of Terrorism: Info-terrorism.
A May 2002 report by the US Congress Joint Economic Committee entitled "Security
in the Information Age" paints a bleak assessment of the potential readiness
of our nation's information security systems and calls for urgent remediation.
For individual corporations and organizations doing any kind
of business on the Web, the damage can be monumental. Loss of revenue, loss
of customer and partner confidence, litigation, and brand damage are but a few
possible consequences of exposure. Moreover, a targeted, well-designed simultaneous
attack on leading American corporations could literally bring the economy to
its knees. We simply cannot be complacent about the threat. It is very real
and it is here.
WHY ARE WEB APPLICATIONS INSECURE?
A Web application is a complex interaction of operating systems,
databases, Web servers, application servers, hardware, network protocols and
programming logic. In general, Web applications conform to a three-tier architecture:
Presentation, Application, and Data.
The Presentation tier is responsible for presenting data to
the end user in a readable format.
The user may also interact with the application by changing or sending parameters
back to the Presentation software. Software in the Presentation tier includes
Web servers such as the open source Apache and Microsoft's Internet Information
Server (IIS), and browsers such as Netscape Navigator and Internet Explorer.
The Application tier is the "engine" of a Web application.
It performs the business logic such as processing input, making decisions, obtaining
more data, and sending all this to the Presentation tier. Popular software at
the Application tier includes "App servers" such as IBM's WebSphere,
BEA Systems' WebLogic and the open source products JBOSS and Tomcat.
Finally, the Data tier acts as a repository for data required
by the Web application and stores both temporary and permanent data. Typical
data stores are relational database management systems.
Building a Web application then is typically a collaborative
effort that involves Web graphic designers, HTML coders, Macromedia flash programmers,
Java developers, legacy code keepers, network gurus and database experts. This
very complexity usually consigns security issues to the back seat. For example,
a graphic designer's imperative is to blend form with function and, for most
designers, security is less a function than a feature. Network administrators
focus on keeping the "network" clean by installing mechanisms such
as firewalls and intrusion detection systems. The task of securing the application
itself is most often the job of the lead developer -- typically someone versed
in business logic programming and not security. The finished Web site is an
agglomeration of ideas and code from several parties most of whom do not consider
application security a design priority.
A second major reason for the fallibility of Web applications
is the application design itself. A typical specification will be reviewed in
three major classes: Software Quality Assurance, Business Logic Usability, and
Security. Unfortunately the Security design is usually tested for normal use
and not with the intent to prevent hacking (highly abnormal use). For example,
the specification will typically specify that incorrectly entered fields will
generate an error message. This, however, is far from rigorous stress testing
against malicious entry or even accidental errors spawned outside the realm
of every-day use.
Finally, Web applications are insecure simply because they
are a recent phenomenon. In the early days of the Web, sites were mostly informative
and conducting transactions was a novelty. As the Application server became
widely deployed, the rush to provide transactional services and the associated
requirements of critical customer information was in full swing. Most of these
new transaction based Web applications were deployed in the 1998 - 2001 time
frame. No other major mission critical computing infrastructure has been deployed
as quickly -- not the mainframe, minicomputer, the LAN, or even the personal
computer. Thus the very immaturity of Web applications, an insufficient rigor
in most initial application design specifications, and the complex, collaborative
nature of Web application development and deployment collectively create vast
potential vulnerabilities.
By comparison, the traditional types of information security
categories require relatively simple, well-tested precautions. At the desktop
for example, anti-virus products from companies such as Symantec and Network
Associates are simple to buy and easy to deploy. At the transport level, encryption
products provided by Cisco, Checkpoint and others, and authentication mechanisms
from firms such as Entrust and Verisign can adequately protect data in transit.
At the Network layer three types of products -- Firewalls, Intrusion Detection
Software, and Vulnerability scanners -- also have a record of good performance.
Indeed, most American companies now use all three classes of security products
quite diligently and have incorporated these into their security defense arsenals.
Web applications, however, remain at considerable risk. There
is no "standard" off the shelf product to remedy the intricate bundling
of Java, JavaScript, applets and HTML coding, platform configuration, graphic
design and deployment, all of which work in concert to form a Web application.
In fact, by using Web based applications as a back door, malicious users can
easily circumvent the carefully prepared defenses at the Desktop, Transport
and Network layers.
TYPES OF WEB APPLICATION ATTACKS
The sheer number of Web application attack types is staggering.
Examples by class include:
- Attacks on the Web server. Since Web servers manage requests
including items such as printing resources, hackers often send "piggyback"
commands to gain Web server configuration parameters.
- Attacks of authentication mechanisms. These include automated
password guessing attacks and spoofing tokens within a cookie by injecting
a script, and SQL code injection to bypass password authentication.
- Attacks of authorization schemes. Many of these typically
include obtaining an escalation of privileges or obtaining access to arbitrary
files. Methods involved include requesting hidden objects using guessable
names or tunneling privileged commands to the database server.
- Attacking session state management. Sessions need to be
tracked, especially for transactions, shopping preferences, roles and so on.
Attacks can include replaying state information to capture new privileges,
or modifying the state information.
- Client attacks. Many different vectors can be used to stage
attacks from clients. For example, comments hidden in HTML source code contain
useful information about the server and can be easily exposed. JavaScript
objects and ActiveX controls, both of which can embed powerful tools for
manipulating client-side interfaces, are obvious sore spots. A major class
of client attack is dubbed "Input Validation". Data inputs can attack
an application in various ways. A forced error in page execution may generate
informational errors that reveal SQL entries such as tables and directory
paths. Irregular inputs may also run command execution characters that run
arbitrary commands on, say, a UNIX web server. Cross-site scripting attacks
place malicious code in locations where others can see the results. The malicious
code might prompt users to place passwords in the designated area. Finally,
buffer overflows involve throwing as much as possible against a single variable
or field. The result may be an application crash, or an execution of arbitrary
commands.
- Systems Management interface attacks. These can span Web
server administration, Web content management, and Web based network and system
management. The use of Telnet, a cleartext protocol used by some for remote
Web-server management, is especially vulnerable to sniffing. Web content management
hackers use mechanisms that connect the Web Server over the Internet such
as FTP, Secure Shell (SSH) or even proprietary Microsoft protocols. Finally,
there are Web based management interfaces in hardware products that can serve
as portals for attack.
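The session state management bullet above describes two attacks: modifying the state information a client holds, and replaying old state to regain privileges. The following is an added example, not code from the original paper or from Primeon, showing the usual defence on the Application tier: the server binds every field of the session token to an HMAC under a server-side key, so a client that edits the role field produces a token that no longer verifies, and an expiry field inside the signed payload bounds how long a captured token can be replayed. The key value and the token layout are assumptions for the example.

```python
import hmac
import hashlib
import time

# Hypothetical server-side secret (constructed for this example). In a real
# deployment it comes from a key store, never from source code.
SECRET_KEY = b"example-secret-key-do-not-reuse"


def issue_token(user, role, lifetime_seconds, now=None):
    """Build a session token of the form 'user|role|expires|mac'.

    The MAC covers every field, so editing the role or extending the expiry
    on the client side yields a token whose MAC no longer verifies.
    """
    if "|" in user or "|" in role:
        # The delimiter must not appear inside a field, or parsing is ambiguous.
        raise ValueError("field contains delimiter")
    now = int(time.time()) if now is None else now
    payload = f"{user}|{role}|{now + lifetime_seconds}"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token, now=None):
    """Return (user, role) for a valid token, or None if the token is
    malformed, has been altered, or has expired (the bound on replay)."""
    now = int(time.time()) if now is None else now
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user, role, expires, mac = parts
    payload = f"{user}|{role}|{expires}"
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC check does not leak via timing.
    if not hmac.compare_digest(expected, mac):
        return None
    if not expires.isdigit() or int(expires) <= now:
        return None
    return user, role


def demo():
    """Exercise the three cases: valid token, tampered role, expired replay."""
    t0 = 1_000_000  # fixed clock so the demo is deterministic
    token = issue_token("alice", "customer", 3600, now=t0)
    valid = verify_token(token, now=t0) == ("alice", "customer")
    # A client rewrites its role field; the MAC was computed over 'customer'.
    tampered = verify_token(token.replace("|customer|", "|admin|"), now=t0) is None
    # The same token presented after its expiry is refused.
    expired = verify_token(token, now=t0 + 3600) is None
    return valid and tampered and expired


if __name__ == "__main__":
    print("all checks passed" if demo() else "a check failed")
```

The expiry only limits the replay window; a token captured and reused before it expires still verifies, which is why the paper's point about cleartext management protocols applies to session cookies as well: they must travel over an encrypted transport.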
NEW TOOLS: ARE THEY ENOUGH?
Recognizing the huge gap in application level security, several
companies have developed application scanning tools to spot and fill in security
vulnerabilities. Sanctum, Inc provides one such tool called AppScan that scans
a Web application to expose its holes. The tool is highly proficient at exposing
items such as:
- Parameter tampering;
- Hidden field manipulation;
- Forceful browsing;
- Poorly configured web servers;
- Stealth commanding;
- Cross-site scripting; and
- SQL injection.
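SQL injection closes the list above, and the attack-types section describes it as a way to bypass password authentication. The following is an added example, not code from the paper or from any tool it names, that shows what a scanner or a code reviewer is looking for in a login routine: a query assembled by concatenating user input, beside the same check written with bound parameters. The in-memory SQLite table and its single row are constructed for the example; passwords are stored in clear only to keep it short, a real store holds salted hashes.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the Data tier: one user, clear-text password
    (for brevity only; real systems store salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation.

    The quoting of the SQL text depends on the user's input, so input that
    contains a quote character changes the structure of the query itself.
    This is the defect a code review must flag.
    """
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same check with bound parameters.

    The SQL text is fixed; the driver passes the values separately, so a
    quote in the input is compared as data and can never become SQL.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def compare(username, password):
    """Run both routines on the same input and report whether they agree."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    print(compare("alice", "correct horse"))   # both True: genuine login
    print(compare("alice", "wrong"))           # both False
    # The classic probe string a scanner sends in the password field.
    print(compare("alice", "' OR '1'='1"))     # vulnerable True, parameterized False
```

The last call is the case the paper has in mind: the concatenated query accepts a password that is never checked, while the parameterized query compares the probe string literally against the stored password and rejects it. A remediation pass replaces every concatenated query with the bound form; the scanner's job is to find the ones that were missed.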
However, in our experience, even the smartest tools require
additional measures to ferret out security vulnerabilities. Much of the problem
lies in the initial application design and subsequent code writing practices
especially at the server level. Thus what is required is a comprehensive approach
(including tools) for identifying Web application security exposures. What is
required is a set of experts steeped in:
- Application architecture of complex, mission-critical systems;
- Application integration using a wide range of programming tools, Web servers,
Appservers, databases and networks; and
- Code remediation. That is, technical developers and architects who perform
exhaustive manual and automated checks through source code to spot deviances
in secure programming practices.
The Primeon process for conducting analysis and remediation
of Web applications typically includes:
- A review of the application architecture
- Code quality assurance review
- Application testing under normal conditions using scanning
tools like AppScan
- Application testing under unexpected or abnormal conditions
- Host OS and Applications server vulnerability testing
- Collaborative review with the client to determine the scope
of the problem
- Application remediation or vulnerability resolution
- Application re-architecting (if necessary)
- New application coding (if necessary)
- New code quality review (if necessary)
- Informing clients of new security vulnerabilities (ongoing)
CONCLUSION
Web application security is a current and looming threat
for almost any company with a Web presence. While nothing is ever fully secure,
only a thorough assessment and subsequent remediation can give mission-critical
web applications the necessary and high level of security. If Web application
security is not made a proactive priority within IT, then CEOs, CTOs and CIOs
will be staving off indictments from customers, investors, partners, and yes,
even the Government.
Primeon provides
comprehensive Web application security solutions. Its DeepSource Solutions
offering combines leading 3rd party Web security tools and Primeon's application
analysis and remediation best practices, financial services domain knowledge,
and world-class application engineers to ensure consistently optimal outcomes.
Primeon has conducted comprehensive analysis and remediation of hundreds of
enterprise applications and over 400 million lines of code since 1995. System
environments have included every imaginable operating system, database, programming
language, Web server and application server.
Contact info: info@primeon.com or 888.394.5225.