Manage Learn to apply best practices and optimize your operations.

Finding and blocking Web application server attack vectors

Web application server attacks are nothing new, but attackers are coming up with creative new ways to penetrate them. Information security expert Peter Giannoulis examines how data-hungry attackers are using Web application servers to crack into back-end databases, and offers advice on what can be done to protect Web infrastructures.

Malicious malware has been a problem as far back as any of us can remember. As seen with the latest Storm Trojan, this trend does not seem to be slowing down. Yet the malware problem could soon be dwarfed by the growing wave of attackers stealing mountains of confidential information by exploiting vulnerable Web application servers.

Listen to this Threat Monitor tip

Download Peter Giannoulis' Web application server advice to your PC or favorite MP3 player.
Why are Web application servers targets for attack? They are publicly accessible and tie into back-end database servers, which store a gold mine of information for criminals. How are attackers' cracking into back-end database servers using front-end Web applications? Here are a few of the most popular methods.

SQL injection
SQL injection attacks are becoming a popular vector for stealing confidential information on the Internet. An SQL injection involves an attacker inputting a SQL query in a search field of a Web form. If the query is accepted by the Web application, it's passed to the back-end database where it's executed, if read/write access is granted from the Web application to the database server. This could result in two scenarios; the attacker viewing the contents of the database, or deleting the contents of the database. Neither instance is good.

Contrary to popular belief, SQL injection attacks do not require advanced knowledge. In essence, these attacks can be performed by anybody with a basic understanding of SQL and a list of queries that are available on the Internet.

For more information

Ensure that your personal information is being protected while using a Secure SSL connection.

For more information about Web server security, visit's Web server security resource center.

In's Intrusion Defense School, learn about your organization's vulnerability to viruses, attacks and other threats.
Blind SQL injection
Blind SQL injection is another method of launching attacks, but with a slightly different approach. When performing a standard SQL injection, an attacker inserts a SQL query into a Web application, hoping it will cause the server to return an error message. These error messages can grant the attacker the necessary knowledge needed to perform a more precise attack. Database administrators have been led to believe that sanitizing error messages would correct the underlying issue that caused SQL injection. What administrators have failed to realize is that although this conceals the error message, the vulnerability still exists. It's a tad tougher for the attacker, but instead of using error messages to gather information, the attacker flies blind and sends crafted SQL queries to the server, hoping to gain access to the database.

Cross-site scripting
Cross-site scripting, otherwise known as XSS or CSS, is a technique used by malicious hackers to compromise vulnerabilities in a Web application that serves dynamic Web pages. Many of today's Web sites are serving up dynamic pages that consist of information from multiple sources built "on-the-fly" for the user. If the webmaster is not careful, malicious content can be injected into the Web page to gather confidential material or simply execute on users' systems.

There are many countermeasures for thwarting Web application server attacks. Awareness is definitely among the most important. Many organizations are focusing on the preventative measures that need to be applied without trying to learn how these attacks are performed. Not understanding how Web application server attacks work makes countermeasures ineffective, and simply tossing firewalls and intrusion prevention systems at the problem won't help. For instance, if your Web application server is not filtering user input, you can easily be subjected to the types of attacks mentioned above.

Another key to staying ahead of attackers is to conduct a thorough audit of your Web applications on a regular basis. Johannes Ullrich wrote a great article on how to audit your Web application over lunch using some simple techniques and Firefox plug-ins.

About the author
Peter Giannoulis, GSEC, GCIH, GCIA, GCFA, CISSP, is an information security consultant for Access 2 Networks, a Toronto, Ontario based security consulting firm. He also serves as a technical director for GIAC.

This was last published in June 2007

Dig Deeper on Application attacks (buffer overflows, cross-site scripting)

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.