Web apps remain a trouble spot

By George Hulme 05 Feb 2007 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

"Cross-site scripting is all over the place; it's like the plague right now." Jeremiah Grossman,  WhiteHat's chief technology officer

Statistics back this up. Symantec said in its most recent Internet Security Threat Report that Web vulnerabilities constituted 69 percent of 2,249 new vulnerabilities the company documented for the first half of 2006, with 78 percent of "easily exploitable" vulnerabilities residing within Web applications. Mitre Corp.'s September tally of publicly disclosed vulnerabilities mirror those findings, with cross-site scripting vulnerabilities surpassing buffer overflows as the most reported vulnerability. Four of the top five vulnerabilities were within Web applications, development platforms, or databases often directly exposed to the Internet. Some other common and devastating problems include SQL injection vulnerabilities, directory transversal attacks, and PHP includes.

Experts warn that Web application attacks are going to escalate before security catches up. Johannes Ullrich, SANS Institute chief research officer, predicts 2007 will be peppered with major Web application-related security incidents where criminals overtake trusted Web sites to steal financial or other sensitive information.

The threats are changing. Chatty spyware and rapidly spreading worms have given way to more clandestine exploits designed to silently pilfer information from Web applications, or change prices on e-commerce sites. Then there's malware that silently infects Web servers and site visitors.

"The attackers have learned that highly aggressive scanning and propagation techniques don't yield more exploited hosts in the end," said Ullrich. "They'd rather infect a popular Web server with browser exploits and then quietly infect visitors to the site."

What are organizations doing about it? Not enough, said Caleb Sima, founder and chief technology officer at Web application vulnerability scanner provider SPI Dynamics. "It's a bigger problem than many enterprises assume," he said. "Despite years of Web applications being targeted, enterprises and other organizations still aren't doing enough to secure their Web sites and apps."

RSA Conference 2007 Can't make it to the show? SearchSecurity.com staff members are on the RSA floor, on hand to deliver the latest RSA Conference 2007 news and updates.

That assertion is backed by WhiteHat Security's Web Application Security Risk Report, which said eight out of 10 Web sites have vulnerabilities that place them at significant risk of attack. The report, which monitors hundreds of sites each month, found that cross-site scripting, information leakage, and predictable resource location are the top three vulnerabilities. "We've found cross-site scripting in seven out of the 10 Web sites we monitor, and predictable resource location in one out of four," said Jeremiah Grossman, WhiteHat's chief technology officer. "Cross-site scripting is all over the place; it's like the plague right now."

There's no easy way to turn around the problem, Ullrich said. For Web applications and servers already deployed, the best defense is thorough scanning with a Web application security scanner. Also, watch logs and deploy intrusion detection sensors. "When it comes to custom applications, many attacks and exploits are not straightforward, and they often need multiple attempts to succeed. This is something IDS will pick up," Ullrich said.

In fact, most experts advise periodic scanning with multiple tools designed to identify vulnerabilities at the network layer, application, and misconfigurations. "Even then, you don't always get everything. Some errors involving [business logic] require human analysis," said WhiteHat's Grossman.

Amol Sarwate, vulnerability lab manager at Qualys, said continuous awareness training may be one of the best defenses. "The development and attacker techniques are always evolving, changing. That's why new and even experienced developers need to stay informed, and get educated about secure development," he said. Sarwate points to the Open Web Application Security Project (OWASP) as a good starting point for learning about Web application security.

John Pescatore, security analyst at Gartner, is surprised about some facets of the spate of Web application vulnerabilities. "We had many of these problems in the early days of the Internet," he said. "It's amazing how we are repeating the same old mistakes, and the bad guys will inevitably play around with, and take advantage, of them."

<< Return to our special coverage of RSA Conference 2007

Tags: Web Application Security,  Application Attacks (Buffer Overflows, Cross-Site Scripting),  Emerging Information Security Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Application Security Using unique device identification for bank website security Information security book excerpts and reviews Black box and white box testing: Which is best? InZero Systems launches hardware-based security gateway Web application vulnerability assessment shows patching progress Preventing SQL injection attacks: A network admin's perspective Cisco acquires SaaS security vendor ScanSafe Web application firewall use goes beyond compliance, company finds Gumblar Trojan drive-by exploits spike following Adobe update Some Facebook applications lead to Russian attack sites Application Attacks (Buffer Overflows, Cross-Site Scripting) Information security book excerpts and reviews Quiz: How to build secure applications Black box and white box testing: Which is best? Adobe warns of critical update for Reader, Acrobat 9.1.3 9 Ways to Improve Application Security After an Incident Developers Need Help with Security Errors Buffer overflow tutorial: How to find vulnerabilities, prevent attacks SQL injection protection: A guide on how to prevent and stop attacks Experts rebuke programmers who use SQL injection as feature SANS: Application threats, website flaws pose biggest security threats Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Emerging Information Security Threats Cybercriminals invest in social networking attacks Best practices for (small) botnets Cybersecurity grant to fund research into critical infrastructure threats RSA security conference 2010: news, interviews and updates Hackers to sharpen malware, malicious software in 2010 Modern malware, stealthy botnets, adapt quickly, expert says New ransomware Trojan pushes victims to buy software Bruce Schneier on outsourcing, awareness training Marcus Ranum on cyberwarfare, infosec careers US-CERT warns of BlackBerry snooping software

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary anonymous Web surfing  (SearchSecurity.com) buffer overflow  (SearchSecurity.com) cache cramming  (SearchSecurity.com) cookie poisoning  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) National Computer Security Center  (SearchSecurity.com) threat modeling  (SearchSecurity.com) trigraph  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary