Finding and blocking Web application server attack vectors

Listen to this Threat Monitor tip Download Peter Giannoulis' Web application server advice to your PC or favorite MP3 player.

Why are Web application servers targets for attack? They are publicly accessible and tie into back-end database servers, which store a gold mine of information for criminals. How are attackers' cracking into back-end database servers using front-end Web applications? Here are a few of the most popular methods.

SQL injection
SQL injection attacks are becoming a popular vector for stealing confidential information on the Internet. An SQL injection involves an attacker inputting a SQL query in a search field of a Web form. If the query is accepted by the Web application, it's passed to the back-end database where it's executed, if read/write access is granted from the Web application to the database server. This could result in two scenarios; the attacker viewing the contents of the database, or deleting the contents of the database. Neither instance is good.

Contrary to popular belief, SQL injection attacks do not require advanced knowledge. In essence, these attacks can be performed by anybody with a basic understanding of SQL and a list of queries that are available on the Internet.

For more information Ensure that your personal information is being protected while using a Secure SSL connection. For more information about Web server security, visit SearchSecurity.com's Web server security resource center. In SearchSecurity.com's Intrusion Defense School, learn about your organization's vulnerability to viruses, attacks and other threats.

Blind SQL injection
Blind SQL injection is another method of launching attacks, but with a slightly different approach. When performing a standard SQL injection, an attacker inserts a SQL query into a Web application, hoping it will cause the server to return an error message. These error messages can grant the attacker the necessary knowledge needed to perform a more precise attack. Database administrators have been led to believe that sanitizing error messages would correct the underlying issue that caused SQL injection. What administrators have failed to realize is that although this conceals the error message, the vulnerability still exists. It's a tad tougher for the attacker, but instead of using error messages to gather information, the attacker flies blind and sends crafted SQL queries to the server, hoping to gain access to the database.

Cross-site scripting
Cross-site scripting, otherwise known as XSS or CSS, is a technique used by malicious hackers to compromise vulnerabilities in a Web application that serves dynamic Web pages. Many of today's Web sites are serving up dynamic pages that consist of information from multiple sources built "on-the-fly" for the user. If the webmaster is not careful, malicious content can be injected into the Web page to gather confidential material or simply execute on users' systems.

Countermeasures
There are many countermeasures for thwarting Web application server attacks. Awareness is definitely among the most important. Many organizations are focusing on the preventative measures that need to be applied without trying to learn how these attacks are performed. Not understanding how Web application server attacks work makes countermeasures ineffective, and simply tossing firewalls and intrusion prevention systems at the problem won't help. For instance, if your Web application server is not filtering user input, you can easily be subjected to the types of attacks mentioned above.

Another key to staying ahead of attackers is to conduct a thorough audit of your Web applications on a regular basis. Johannes Ullrich wrote a great article on how to audit your Web application over lunch using some simple techniques and Firefox plug-ins.

About the author
Peter Giannoulis, GSEC, GCIH, GCIA, GCFA, CISSP, is an information security consultant for Access 2 Networks, a Toronto, Ontario based security consulting firm. He also serves as a technical director for GIAC.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Hidden endpoints: Mitigating the threat of non-traditional network devices Protecting exposed servers from Google hacks (and Google 'dorks') Countermeasures against targeted attacks in the enterprise Windows registry forensics guide: Investigating hacker activities More built-in Windows commands for system analysis Tracing malware's steps with RE:Trace Worst practices: Learning from bad security tips Worst practices: Encryption conniptions Stopping malware in its tracks Built-in Windows commands to determine if a system has been hacked Application Attacks (Buffer Overflows, Cross-Site Scripting) Microsoft warns of attacks against Microsoft Access zero-day flaw Tips for SQL injection protection Microsoft addresses XSS in Internet Explorer Internet Explorer open to spoofing, scripting attacks Software still plagued with security holes, researcher says Microsoft tools won't be quick fix for SQL injection attacks Microsoft identifies tools to address SQL injection attacks New defenses for automated SQL injection attacks Alarming SQL injection attacks Adobe Flash Player flaw previously patched, Symantec says Application Attacks (Buffer Overflows, Cross-Site Scripting) Research IIS Security Trend Micro site compromised What server considerations should be made when setting up an internal network's private applications? IT discussion: Is malware the cause of a DNS server error? Insider's guide to IIS Web server security Microsoft July updates for critical Excel, Windows and .NET flaws What's the best way to verify client authentication across unrelated Web servers? Microsoft to release DNS patch Tuesday DNS worm strikes at Microsoft flaw How to implement IIS authentication settings How to ensure that an SSL connection protects sensitive Web data IIS Security Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary cache poisoning  (SearchSecurity.com) cyberterrorism  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) directory harvest attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) ping of death  (SearchSecurity.com) script kiddy  (SearchSecurity.com) stack smashing  (SearchSecurity.com) SYN flooding  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.