Looking at Web code itself, there are several ways hackers can manipulate the URL of a website to perform SQL injection, directory traversals, buffer overflows, etc. There are two common methods to defend against these types of vulnerabilities. One is to have your Web code reviewed by a person or a tool in an effort to identify and correct vulnerabilities. Or you can install an application firewall that examines user input to verify
If you use a website to sell products or provide financial services, it is of utmost importance to check the data being submitted to the server that processes the online order. If your security simply relies on the price or account information shown to the user on the webpage, this can be manipulated easily using free proxy tools running on an attacker's PC. Such tools allow the attacker to change the information being submitted to your server, removing all restrictions enforced by the webpage itself. A $50 book could be changed to $1, and a bank account number could be changed to someone else's in an effort to transfer funds or show balances of other accounts.
Depending on how you handle information submitted by end users, you'll likely have some way of validating end-user information. For instance, most programs can be written to check the submitted data for inappropriate characters and length before the data is processed. This validation should be performed on the back-end instead of putting constraints on a webpage's input fields, which can be bypassed using the proxy tools mentioned above.
Web servers are the number one way into a company's network from the outside. By securing Web servers enforcing adequate Web server protection, you'll be addressing one of the riskiest areas of your network and preventing a potentially extremely harmful attack.
About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.
HACKER ATTACK TECHNIQUES AND TACTICS
Introduction: Hacker attack tactics
How to stop hacker theft
Hacker system fingerprinting, probing
Using network intrusion detection tools
Authentication system security weaknesses
Improve your access request process
Social engineering hacker attack tactics
Secure remote access points
Securing your Web sever
Wireless security basics
How to tell if you've been hacked
This was first published in March 2005