Web Applications are back in vogue – to hackers’ delight!
Dublin, Ireland, Wednesday 15 February, 2006. The expansion of the Web has provided Irish organisations with an ideal platform for introducing and promoting their products and services on a worldwide scale. Interactive web applications are to be found far and wide. The prudence with which many once approached their implementation seems a distant memory. Caution has been thrown to the wind, and it seems the world and its mother is booking holidays on the web, downloading music, joining online ‘communities’, blogging, and all the rest. And who can blame them?
Organisations are basing future business strategies on their web presence. Look at the financial services sector, consider the travel industry, and online gambling is now a multi-billion euro success story. It seems everyone is in on the act.
“However,” says Colm Murphy, technical director of Espion and co-founder of the Irish Honeynet, “and I use that word with a slight grimace not wanting to dampen the recent show of optimism, with the growing functional demands for commercial websites that are rich in content and constantly seeking to add variety and new services, there are bound to be problems. The pace of new development in this medium has driven organisations to recruit information specialists who often, but by no means always, have little knowledge, and even less experience of my pet subject – security.
“Interactive web applications are a hacker’s playground. The Irish Honeynet has recorded that nearly a quarter of all attacks are targeted at web servers. The range of possibilities now open to hackers is expanding to the point that certain business fundamentals, in particular confidentiality and integrity, are being challenged. This article is an attempt to highlight some of the common ways in which hackers attempt to exploit web applications, and outlines some simple technical steps to keep your e-business strategy alive and well,” he advises.
Never Trust the User
If you are the type, no more than myself, to skim an article for the key points and move on, well listen here. Never, never ever, trust user input. Trusting the user is equivalent to buying a ‘leather’ jacket down a dark alleyway in the middle of the night. You are going to get stung! Most security vulnerabilities revolve around the attacker providing malformed data to the server machine. Trusting that input is well formed can lead to buffer overruns, cross-site scripting attacks, SQL injection attacks, and much, much more. If the application has a field that allows a four-digit PIN to be entered, only accept exactly four characters, each a digit 0 to 9. Nothing else.
Buffer Overruns Run Riot
A buffer overrun occurs when the data provided by the attacker is bigger than what the application expects, and overflows into internal memory space. Buffer overruns are primarily a C/C++ issue, and they make up an enormous number of the vulnerabilities announced each week. An overflow will generally cause corruption of other data structures in memory, and this corruption can often lead to the attacker running malicious code.
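To tie the two points above together, here is an added illustration (not code from the article or from Espion) of the four-digit PIN field handled both ways in C: the unchecked copy that lets oversized input run past the buffer into neighbouring memory, beside the version that admits nothing but exactly four digits. The `session` struct, its `is_admin` field and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PIN_LEN 4

/* Constructed example: a PIN of exactly four ASCII digits stored in a
   5-byte buffer (four digits plus the terminating NUL). */
struct session {
    char pin[PIN_LEN + 1];
    int  is_admin;   /* lives right after pin[] in memory */
};

/* The vulnerable pattern the article describes: copies whatever the client
   sent. Input longer than four characters runs past pin[] into is_admin and
   beyond, corrupting neighbouring data. Shown only as the "before" picture;
   it must never be called on untrusted input. */
void store_pin_unchecked(struct session *s, const char *input)
{
    strcpy(s->pin, input);
}

/* Hardened version: check the input against exactly what the field may
   contain (four characters, each 0-9) before any byte is copied.
   Returns 1 on success, 0 on rejection; the session is left untouched
   when the input is rejected. */
int store_pin_checked(struct session *s, const char *input)
{
    /* Bounded scan: stop after five bytes so an overlong string can
       neither make us read far nor ever reach the copy below. */
    size_t n = 0;
    while (n <= PIN_LEN && input[n] != '\0')
        n++;
    if (n != PIN_LEN)
        return 0;                              /* too short or too long */
    for (size_t i = 0; i < PIN_LEN; i++)
        if (!isdigit((unsigned char)input[i]))
            return 0;                          /* letters, spaces, signs */
    memcpy(s->pin, input, PIN_LEN);
    s->pin[PIN_LEN] = '\0';
    return 1;
}

int main(void)
{
    struct session s = { "", 0 };
    const char *samples[] = { "1234", "12345", "12a4", "123", " 123", "-123" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6s -> %s\n", samples[i],
               store_pin_checked(&s, samples[i]) ? "accepted" : "rejected");
    return 0;
}
```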
Handling Errors Economically
Hackers thrive on information. They love to know what web server you are running, what version, and at what patch level. They want to know the operating system version. The more they know about your system, its infrastructure and its environment, the easier it is to exploit. Verbose error messages are one way of revealing far more information than is necessary.
Such flaws constitute the least of the problems that one might encounter, but their consequences can become serious. An error message often returns more information to the hacker than is appropriate. The hacker can then use that information as a basis to discover other, potentially more severe, problems.
Flaws of this type include directory displays (within an error returned on a page, for example), and errors returned by a script (which help the hacker to understand how the targeted script functions). This category also includes certain Web server configuration errors, such as access to certain site directory listings (which reveal a great deal of information and which also allow sensitive files to be downloaded directly).
One way to deal with this kind of problem is to produce a generic error page that is displayed for every single error produced, while the detailed message goes to the server log rather than to the browser. This helps keep secret information secret.
The Irish Honeynet has been in operation since April 2002. It was set up by Espion and is currently used as a research ground by Dublin City University. It is designed to mimic the Internet infrastructures commonly used by organisations, but it is ‘wired’ with detection sensors that capture all activity to and from the system. The Honeynet is not advertised in any way, so any traffic to it from the Internet is suspicious by nature, as it arises from hackers and crackers who are deliberately attempting to identify and attack systems that are vulnerable.