Web apps remain a trouble spot

By George Hulme
05 Feb 2007 | SearchSecurity.com


After more than a decade of organizations focusing on locking down network perimeters, endpoint devices and email, Web applications have surfaced as the new attack flashpoint. Last year was a bad year for Web application security--whether it was overseas hackers reportedly accessing credit card information from thousands of transactions on the state of Rhode Island's Web site, or universities inadvertently spilling sensitive student information, including Social Security numbers, onto the Internet.

Statistics back this up. Symantec said in its most recent Internet Security Threat Report that Web vulnerabilities constituted 69 percent of the 2,249 new vulnerabilities the company documented for the first half of 2006, with 78 percent of "easily exploitable" vulnerabilities residing within Web applications. Mitre Corp.'s September tally of publicly disclosed vulnerabilities mirrors those findings, with cross-site scripting vulnerabilities surpassing buffer overflows as the most reported vulnerability. Four of the top five vulnerabilities were within Web applications, development platforms, or databases often directly exposed to the Internet. Other common and devastating problems include SQL injection vulnerabilities, directory traversal attacks, and PHP includes.

Experts warn that Web application attacks are going to escalate before security catches up. Johannes Ullrich, SANS Institute chief research officer, predicts 2007 will be peppered with major Web application-related security incidents where criminals overtake trusted Web sites to steal financial or other sensitive information.

The threats are changing. Chatty spyware and rapidly spreading worms have given way to more clandestine exploits designed to silently pilfer information from Web applications, or change prices on e-commerce sites. Then there's malware that silently infects Web servers and site visitors.

"The attackers have learned that highly aggressive scanning and propagation techniques don't yield more exploited hosts in the end," said Ullrich. "They'd rather infect a popular Web server with browser exploits and then quietly infect visitors to the site."

What are organizations doing about it? Not enough, said Caleb Sima, founder and chief technology officer at Web application vulnerability scanner provider SPI Dynamics. "It's a bigger problem than many enterprises assume," he said. "Despite years of Web applications being targeted, enterprises and other organizations still aren't doing enough to secure their Web sites and apps."

That assertion is backed by WhiteHat Security's Web Application Security Risk Report, which said eight out of 10 Web sites have vulnerabilities that place them at significant risk of attack. The report, which monitors hundreds of sites each month, found that cross-site scripting, information leakage, and predictable resource location are the top three vulnerabilities. "We've found cross-site scripting in seven out of the 10 Web sites we monitor, and predictable resource location in one out of four," said Jeremiah Grossman, WhiteHat's chief technology officer. "Cross-site scripting is all over the place; it's like the plague right now."

There's no easy way to turn around the problem, Ullrich said. For Web applications and servers already deployed, the best defense is thorough scanning with a Web application security scanner. Also, watch logs and deploy intrusion detection sensors. "When it comes to custom applications, many attacks and exploits are not straightforward, and they often need multiple attempts to succeed. This is something IDS will pick up," Ullrich said.
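As an added illustration of the log-watching advice above (example code written for this page, not from the article or from any vendor it names), here is a small Python analyzer that reads Web server access-log lines, URL-decodes each request, tags requests that match the vulnerability classes the article lists (cross-site scripting, SQL injection, directory traversal), and flags clients that make several such attempts within a short window, which is the repeated-attempt pattern Ullrich says an IDS will pick up. The log lines, client addresses, signatures, threshold and window are all constructed assumptions, not data from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample access-log lines (Apache common-log style), not from the article.
# 203.0.113.7 makes several probing requests in 30 seconds; 198.51.100.4 is a normal
# visitor; 192.0.2.9 makes a single odd request that should not be flagged on its own.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Feb/2007:10:01:03 +0000] "GET /search?q=shoes HTTP/1.1" 200 5123
203.0.113.7 - - [05/Feb/2007:10:01:09 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5201
203.0.113.7 - - [05/Feb/2007:10:01:15 +0000] "GET /search?q=%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 5188
203.0.113.7 - - [05/Feb/2007:10:01:22 +0000] "GET /item?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 500 312
203.0.113.7 - - [05/Feb/2007:10:01:30 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 210
198.51.100.4 - - [05/Feb/2007:10:02:01 +0000] "GET /item?id=42 HTTP/1.1" 200 4410
198.51.100.4 - - [05/Feb/2007:10:02:08 +0000] "GET /item?id=43 HTTP/1.1" 200 4402
192.0.2.9 - - [05/Feb/2007:10:03:40 +0000] "GET /item?id=7%27%20OR%20%271%27=%271 HTTP/1.1" 500 311
"""

# Common-log format: client, ident, user, [timestamp], "METHOD path protocol", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Crude signatures for the vulnerability classes the article names. They are applied to the
# decoded request path; a real IDS ruleset is far larger, but the shape is the same.
SIGNATURES = {
    "xss": re.compile(r"<\s*(script|img|svg|iframe)\b|\bon\w+\s*=", re.I),
    "sqli": re.compile(r"['\"]\s*(or|and)\s+['\"\d]|union\s+select|;\s*drop\b", re.I),
    "traversal": re.compile(r"(?:\.\./|\.\.\\){2,}|/etc/passwd|\\windows\\", re.I),
}


def decode_path(path):
    """Decode twice so a double-encoded payload (%253C -> %3C -> <) is still visible."""
    return unquote(unquote(path))


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["decoded"] = decode_path(rec["path"])
    rec["tags"] = [name for name, rx in SIGNATURES.items() if rx.search(rec["decoded"])]
    return rec


def find_repeat_offenders(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: [(iso_timestamp, tags, raw_path), ...]} for every client that made at
    least `threshold` signature-matching requests inside any `window`-long span.
    A single odd request is ignored: the signal is the repeated attempts."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["tags"]:
            by_ip[rec["ip"]].append(rec)

    offenders = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0  # sliding window over this client's suspicious requests
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = [(r["ts"].isoformat(), r["tags"], r["path"]) for r in recs]
                break
    return offenders


if __name__ == "__main__":
    for ip, hits in find_repeat_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {len(hits)} suspicious requests")
        for ts, tags, path in hits:
            print(f"  {ts}  {','.join(tags):10s}  {path}")
```

Run as a script it prints only the probing client, with each tagged request; the single malformed request from the third address falls under the threshold and is reported nowhere, which is the trade-off behind the threshold: fewer false alarms from one-off typos or broken links, at the cost of missing a patient attacker who spaces attempts out beyond the window. In practice the decoded path, not the raw one, must be what signatures see, since most Web attack traffic arrives percent-encoded.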

In fact, most experts advise periodic scanning with multiple tools designed to identify vulnerabilities at the network layer, application, and misconfigurations. "Even then, you don't always get everything. Some errors involving [business logic] require human analysis," said WhiteHat's Grossman.

Amol Sarwate, vulnerability lab manager at Qualys, said continuous awareness training may be one of the best defenses. "The development and attacker techniques are always evolving, changing. That's why new and even experienced developers need to stay informed, and get educated about secure development," he said. Sarwate points to the Open Web Application Security Project (OWASP) as a good starting point for learning about Web application security.

John Pescatore, security analyst at Gartner, is surprised about some facets of the spate of Web application vulnerabilities. "We had many of these problems in the early days of the Internet," he said. "It's amazing how we are repeating the same old mistakes, and the bad guys will inevitably play around with, and take advantage of, them."
