How can I show or illustrate to our management the potential seriousness of Web application attacks? Obviously...
I can’t attack my own applications, but are there resources that depict the step-by-step events that take place once an attacker exploits an application and what types of data can be stolen?
Currently the number of vulnerabilities being discovered in applications is far greater than the number of vulnerabilities being discovered in operating systems. These vulnerabilities lead to attacks, such as server-side and client-side HTTP attacks, cross-site scripting and SQL injection attacks. A good resource to help you illustrate to management the potential danger of such attacks would be the SANS Institute’s Top Cyber Security Risks, which includes plenty of graphs clearly showing the scale of the problem.
If you feel management would appreciate a technical explanation of how common Web application attacks work, you can refer to the SANS HTTP Client-Side Exploitation example, which offers a real step-by-step attack conducted against an organization that resulted in the loss of critical data for the organization. Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) User Guide also contains some illustrated examples of various attacks, and how EMET can prevent them. The Open Web Application Security Project (OWASP) website is another good resource for detailed descriptions of how various attacks work, such as buffer overflows.
Further statistics or reports of real Web application attacks can be found on the FBI’s cybercrime website, which provides plenty of up-to-date reports on the activities of cybercriminals that you can use to highlight the need to secure your own Internet-facing applications. An important point to get across is that many attacks are coming from sophisticated and well-organized criminal gangs working on a global scale. Take the case of one criminal enterprise that used hackers to break through an encrypted system and steal account numbers and PIN codes. They then produced more than 400 fake ATM cards, recruited hundreds of mules spread out in 280 cities around the world and in less than 24 hours made over 14,000 ATM transactions totaling nearly $10 million.
For a more dramatic demonstration of the need for strong perimeter defenses and secure application development, create a Web application security test attack on your own application. The safest method would be to run the application in a virtual test lab and use a tool, such as Metasploit, to attack it. If you discover a vulnerability, then a proof-of-concept payload could be used to show how an attacker could set up a reverse shell or other backdoor into the application and the system on which it runs. Using Metasploit to attack a live application requires careful planning, but under controlled conditions it would allow you to demonstrate how a vulnerability in your own application could be exploited. Please remember that any sort of penetration test or Web application test attack should always be authorized by key executives, managers or other stakeholders in order to reduce any effect on standard business operations.