Finding and blocking Web application server attack vectors

Listen to this Threat Monitor tip Download Peter Giannoulis' Web application server advice to your PC or favorite MP3 player.

Why are Web application servers targets for attack? They are publicly accessible and tie into back-end database servers, which store a gold mine of information for criminals. How are attackers' cracking into back-end database servers using front-end Web applications? Here are a few of the most popular methods.

SQL injection
SQL injection attacks are becoming a popular vector for stealing confidential information on the Internet. An SQL injection involves an attacker inputting a SQL query in a search field of a Web form. If the query is accepted by the Web application, it's passed to the back-end database where it's executed, if read/write access is granted from the Web application to the database server. This could result in two scenarios; the attacker viewing the contents of the database, or deleting the contents of the database. Neither instance is good.

Contrary to popular belief, SQL injection attacks do not require advanced knowledge. In essence, these attacks can be performed by anybody with a basic understanding of SQL and a list of queries that are available on the Internet.

For more information Ensure that your personal information is being protected while using a Secure SSL connection. For more information about Web server security, visit SearchSecurity.com's Web server security resource center. In SearchSecurity.com's Intrusion Defense School, learn about your organization's vulnerability to viruses, attacks and other threats.

Blind SQL injection
Blind SQL injection is another method of launching attacks, but with a slightly different approach. When performing a standard SQL injection, an attacker inserts a SQL query into a Web application, hoping it will cause the server to return an error message. These error messages can grant the attacker the necessary knowledge needed to perform a more precise attack. Database administrators have been led to believe that sanitizing error messages would correct the underlying issue that caused SQL injection. What administrators have failed to realize is that although this conceals the error message, the vulnerability still exists. It's a tad tougher for the attacker, but instead of using error messages to gather information, the attacker flies blind and sends crafted SQL queries to the server, hoping to gain access to the database.

Cross-site scripting
Cross-site scripting, otherwise known as XSS or CSS, is a technique used by malicious hackers to compromise vulnerabilities in a Web application that serves dynamic Web pages. Many of today's Web sites are serving up dynamic pages that consist of information from multiple sources built "on-the-fly" for the user. If the webmaster is not careful, malicious content can be injected into the Web page to gather confidential material or simply execute on users' systems.

Countermeasures
There are many countermeasures for thwarting Web application server attacks. Awareness is definitely among the most important. Many organizations are focusing on the preventative measures that need to be applied without trying to learn how these attacks are performed. Not understanding how Web application server attacks work makes countermeasures ineffective, and simply tossing firewalls and intrusion prevention systems at the problem won't help. For instance, if your Web application server is not filtering user input, you can easily be subjected to the types of attacks mentioned above.

Another key to staying ahead of attackers is to conduct a thorough audit of your Web applications on a regular basis. Johannes Ullrich wrote a great article on how to audit your Web application over lunch using some simple techniques and Firefox plug-ins.

About the author
Peter Giannoulis, GSEC, GCIH, GCIA, GCFA, CISSP, is an information security consultant for Access 2 Networks, a Toronto, Ontario based security consulting firm. He also serves as a technical director for GIAC.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Threat Monitor,   Application and Platform Security,   Application Attacks (Buffer Overflows, Cross-Site Scripting),   Web Security Tools and Best Practices,   Web Server Threats and Countermeasures,   Web Application and Web 2.0 Threats,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Cut down on calls to help desk with cybersecurity awareness training How to detect software tampering How to prevent phishing attacks with social engineering tests An enterprise strategy for Web application security threats How SSL-encrypted Web connections are intercepted How a corporate Twitter policy can combat social network threats Cyberwarfare and the enterprise: Is the threat real? Software security threats and employee awareness training Newest malware threats How to defend against rogue DHCP server malware Application Attacks (Buffer Overflows, Cross-Site Scripting) Quiz: How to build secure applications Black box and white box testing: Which is best? Adobe warns of critical update for Reader, Acrobat 9.1.3 9 Ways to Improve Application Security After an Incident Developers Need Help with Security Errors Buffer overflow tutorial: How to find vulnerabilities, prevent attacks SQL injection protection: A guide on how to prevent and stop attacks Experts rebuke programmers who use SQL injection as feature SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Web Server Threats and Countermeasures Increase in Gumblar backdoors poses FTP credential problems VeriSign extends DDoS attack protection service Microsoft issues IIS FTP advisory, exploit code circulates Panda reports fast-spreading rogueware antivirus fraud rakes in millions Oracle issues quarterly patches, fixes database flaws Latest DDoS attacks extremely unsophisticated, experts say Stolen FTP credentials likely in massive website attacks Microsoft warns of IIS zero-day vulnerability How to find and stop automated SQL injection attacks How to spot attacks through Apache Web server log analysis RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary buffer overflow  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) cyberterrorism  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) directory harvest attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) ping of death  (SearchSecurity.com) stack smashing  (SearchSecurity.com) SYN flooding  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.