How can I show or illustrate to our management the potential seriousness of Web application attacks? Obviously I can’t attack my own applications, but are there resources that depict the step-by-step events that take place once an attacker exploits an application and what types of data can be stolen?
Currently the number of vulnerabilities being discovered in applications is far greater than the number of vulnerabilities being discovered in operating systems. These vulnerabilities lead to attacks, such as server-side and client-side HTTP attacks, cross-site scripting and SQL injection attacks. A good resource to help you illustrate to management the potential danger of such attacks would be the SANS Institute’s Top Cyber Security Risks, which includes plenty of graphs clearly showing the scale of the problem.
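The SQL injection attacks mentioned above are easiest to explain to a non-technical audience with a side-by-side comparison of a vulnerable login query and its parameterized fix. The following is an added example and is not code from the original column or from any of the resources it names; the in-memory SQLite "users" table and the login functions are constructed for illustration and assume a Web application that authenticates by looking up a username/password pair in SQL.

```python
import sqlite3


def make_db():
    # Constructed sample data: a minimal in-memory "users" table standing in
    # for a real Web application's backend database.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Vulnerable pattern: user input is concatenated into the SQL text, so it
    # becomes part of the query's grammar rather than plain data.
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    # Hardened pattern: placeholders let the driver send the values separately
    # from the statement, so input can never alter the query's structure.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    # Returns a dictionary that contrasts both implementations on a normal
    # login and on a classic injection string (constructed test input).
    conn = make_db()
    injected = "' OR 1=1 --"   # closes the quote, adds a true clause, comments out the rest
    return {
        "normal_vulnerable": login_vulnerable(conn, "bob", "hunter2"),
        "normal_parameterized": login_parameterized(conn, "bob", "hunter2"),
        "injected_vulnerable": login_vulnerable(conn, injected, ""),
        "injected_parameterized": login_parameterized(conn, injected, ""),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running the script shows the point in one screen: the vulnerable version returns every account (including the admin row) when fed the injection string without any valid password, while the parameterized version returns nothing for the same input and still works for a legitimate login. The same comparison maps directly onto the "what data can be stolen" question, since the injected query here is a trivial step away from dumping the whole table.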
If you feel management would appreciate a technical explanation of how common Web application attacks work, you can refer to SANS HTTP Client-Side Exploitation example, which offers a real step-by-step attack conducted against an organization that resulted in the loss of critical data for the organization. Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) User Guide also contains some illustrated examples of various attacks, and how EMET can prevent them. The Open Web Application Security Project (OWASP) website is another good resource for detailed descriptions of how various attacks work, such as buffer overflows.
Further statistics or reports of real Web applications attacks can be found on the FBI’s cybercrime website, which provides plenty of up-to-date reports on the activities of cybercriminals that you can use to highlight the need to secure your own Internet-facing applications. An important point to get across is that many attacks are coming from sophisticated and well-organized criminal gangs working on a global scale. Take the case of one criminal enterprise that used hackers to break through an encrypted system and steal account numbers and PIN codes. They then produced more than 400 fake ATM cards, recruited hundreds of mules spread out in 280 cities around the world and in less than 24 hours made over 14,000 ATM transactions totaling nearly $10 million.
For a more dramatic demonstration of the need for strong perimeter defenses and secure application development, create a Web application security test attack on your own application. The safest method would be to run the application in a virtual test lab and use a tool, such as Metasploit, to attack it. If you discover a vulnerability, then a proof-of-concept payload could be used to show how an attacker could set up a reverse shell or other backdoor into the application and the system on which it runs. Using Metasploit to attack a live application requires careful planning, but under controlled conditions it would allow you to demonstrate how a vulnerability in your own application could be exploited. Please remember that any sort of penetration test or Web application test attack should always be authorized by key executives, managers or other stakeholders in order to reduce any effect on standard business operations.
This was first published in October 2010