Web Application Self Defence
Welcome back, we hope you had a very good break!
It’s the start of a new year, and as usual there are the customary predictions of the next “big thing”. For us, we expect to see a continued steep increase in web-application-based attacks and testing.
We are not the only ones to see this trend. According to SANS, attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and widespread publicity about these vulnerabilities, most web site owners fail to effectively address these common flaws and unwittingly become pawns in the overall Internet threat landscape.
This often leads to cyber criminals being able to infect visitors that trust these sites.
Application attacks are also by far the easiest method for somebody outside of your organisation to gain unauthorised access to confidential data - and to your internal systems. This creates a difficult problem for security administrators. Traditional network-based encryption, intrusion detection and intrusion prevention systems struggle to detect or prevent application layer attacks. For example, it is increasingly difficult to detect application and business logic attacks on the network, as these attacks use valid and perfectly acceptable communications to and from the web server. It has become vital for developers to code substantial levels of self defence into their applications.
Below are a few high level solutions which allow web applications to protect themselves from attack.
Firstly, an application must be designed to protect all data that is passed between the browser and web server. Unfortunately, this is not as simple as implementing SSL. As discussed in previous articles, it is quite possible to subvert the protection provided by SSL inside the end-user’s network. Once SSL has been removed, it is often trivial to view confidential data being passed to and from the browser, such as "username=****" and "password=****". It is essential that the application at least encodes, or preferably encrypts, all data within the browser prior to transmission to the web server. This way, even when SSL has been subverted, there is an extra layer of protection on confidential data being transmitted across the Internet.
Secondly, the application must distinguish between the various errors users may generate. If an error is deemed dangerous, the user’s session must be terminated in order to prevent any further attacks. For example, if the application only ever uses GET requests to transfer data, a POST request can only be produced by directly tampering with the request, and hence is highly likely to come from a malicious user. Another example is concurrent sessions from different IP addresses: this indicates that a Session Hijacking attack is being attempted. Or, if a malicious user attempts to access a resource directly by editing the URL variable, the application should be able to identify the modification and refuse access.
Thirdly - and although not strictly covered by the theme of this article - it would be very remiss of us not to include server side validation. The best defence against attacks such as Cross-Site Scripting, SQL Injection, Cross-Site Request Forgery and Clickjacking is to correctly perform input and output validation at the backend servers. Applications that allow malicious scripts or HTML code to be stored in the back end databases are guaranteed to be exploited. Characters such as < > ' " = / should never be accepted, and if the user attempts to enter them, the application should return an error message to the user. If repeated attempts are made at entering invalid characters, then it is more likely that the user is attempting to perform an attack, and the infringing session should be terminated.
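The second and third points above describe a small decision procedure: classify each request's anomaly (a method that the served pages never issue, a session id arriving from a second IP address, a URL parameter edited to point at someone else's record) and decide whether to report an error, refuse access or destroy the session, while counting attempts to submit forbidden characters. The following Python is an added example written for this article, not code from e-Sentinel or from any product; the route table, the `Session`/`Request` structures, the three-strike threshold and the sample requests are all assumptions made for illustration.

```python
"""Self-defence checks for a web application (added example, not the article's code).

Modelled from the article's second and third points:
  * per-request anomaly classification: method mismatch, session reused from
    another IP address, tampered URL parameter pointing at another user's data;
  * rejection of forbidden input characters, with the session terminated after
    repeated attempts, and HTML-escaping of anything rendered back to a page.
Route table, session structure and the strike threshold are assumptions.
"""
import html
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

FORBIDDEN_CHARS: Set[str] = set("<>'\"=/")   # the characters the article says to reject
MAX_STRIKES = 3                               # assumed: third invalid submission ends the session

# Assumed route table: the pages the application serves only ever issue this method
# for each path, so any other method can only be produced by tampering with the request.
ALLOWED_METHODS: Dict[str, str] = {"/search": "GET", "/report": "GET", "/transfer": "POST"}


@dataclass
class Session:
    session_id: str
    user: str
    ip: str                                   # address the session was established from
    owned_resources: Set[str] = field(default_factory=set)
    strikes: int = 0                          # invalid-input attempts so far
    active: bool = True


@dataclass
class Request:
    method: str
    path: str
    ip: str
    session_id: Optional[str] = None
    params: Dict[str, str] = field(default_factory=dict)


def invalid_chars(value: str) -> Set[str]:
    """Characters present in the input that the application refuses to accept."""
    return FORBIDDEN_CHARS & set(value)


def render(value: str) -> str:
    """Output encoding: stored text is HTML-escaped before it reaches a page."""
    return html.escape(value, quote=True)


class SelfDefendingApp:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def login(self, session_id: str, user: str, ip: str, resources: Set[str]) -> Session:
        self.sessions[session_id] = Session(session_id, user, ip, set(resources))
        return self.sessions[session_id]

    def _terminate(self, session: Session, reason: str) -> str:
        session.active = False
        del self.sessions[session.session_id]   # session can no longer be used at all
        return f"terminated: {reason}"

    def handle(self, req: Request) -> str:
        """Return 'ok', 'error' (harmless mistake), 'refused' (access denied, session
        kept) or 'terminated: <reason>' (session destroyed)."""
        session = self.sessions.get(req.session_id or "")
        if session is None:
            return "error"            # no live session: nothing to protect or terminate
        if req.ip != session.ip:      # same session id from a second address: hijack attempt
            return self._terminate(session, "session reused from another address")
        expected = ALLOWED_METHODS.get(req.path)
        if expected is None:
            return "error"            # unknown path: a typo, not evidence of tampering
        if req.method != expected:
            return self._terminate(session, "method mismatch")
        for value in req.params.values():
            if invalid_chars(value):
                session.strikes += 1
                if session.strikes >= MAX_STRIKES:
                    return self._terminate(session, "repeated invalid input")
                return "error"        # early attempts are reported back as an error
        resource = req.params.get("id")
        if resource is not None and resource not in session.owned_resources:
            return "refused"          # URL parameter edited to reach someone else's record
        return "ok"


if __name__ == "__main__":
    # Constructed sample traffic for one session
    app = SelfDefendingApp()
    app.login("s1", "alice", "10.0.0.5", {"r-1"})
    print(app.handle(Request("GET", "/report", "10.0.0.5", "s1", {"id": "r-1"})))
    print(app.handle(Request("GET", "/report", "10.0.0.5", "s1", {"id": "r-2"})))
    print(app.handle(Request("POST", "/search", "10.0.0.5", "s1")))
```

The ordering of the checks matters: the address check runs first because it does not depend on the path, and the forbidden-character check runs before the ownership check so that a parameter containing `<` or `/` is counted as an invalid-input strike rather than silently refused. The `render` helper is the output side of the article's "input and output validation": even if a stored value somehow contained markup, it is escaped before it is written into a page.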
With so many critical business processes being hosted by web sites and applications, it is becoming ever more vital for developers to code in a secure manner, and to ensure that the application they are creating isn’t going to be the one that allows the bad guys in.
Bill Robson is e-Sentinel’s lead Penetration Tester and over the past decade has assessed the security of some of the largest corporations in the UK and Australia. His passion for information security keeps him on the leading edge of security research and trends in the connected world.
If you have any queries or concerns about the security of your current web site, web applications or about secure application development, please contact us at e-Sentinel.
e-Sentinel is one of Australia’s most trusted, independent providers of information assurance and computer system validation solutions working with clients in passenger air transport, medical, pharmaceutical, manufacturing, critical infrastructure, finance, banking and gaming.