The Importance of Web Application Scanning

Organizations need a Web application scanning solution that can scan for security loopholes in Web-based applications to prevent would-be hackers from gaining unauthorized access to corporate information and data. Web applications are proving to be the weakest link in overall corporate security, even though companies have left no stone unturned in installing the better-known network security and anti-virus solutions. Quick to take advantage of this vulnerability, hackers have now begun to use Web applications as a platform for gaining access to corporate data; consequently, the regular use of a Web application scanner is essential.

Web Applications Are Easy to Hack

The hacker’s life has become tougher recently. Thanks to the various intrusion detection and defense mechanisms developed by network security companies, it is no longer easy to breach security perimeters and gain unauthorized access to an organization’s network.

Today, firewalls, security scanners and antivirus software protect almost all corporate networks. Hemmed in by such constraints, hackers have been researching alternate ways to breach the security infrastructure.

Unfortunately, hackers have been successful in finding a gaping hole in the corporate security infrastructure, one of which organizations were previously unaware – Web applications. By design, Web applications are publicly available on the Internet, 24/7. This gives hackers easy access and allows almost unlimited attempts to hack applications whose vulnerabilities webmasters have not yet identified through the use of a Web application scanning solution.

While the adoption of Web-based technologies for conducting business has enabled organizations to connect seamlessly with suppliers, customers and other stakeholders, it has also exposed a multitude of previously unknown security risks. According to Pete Lindstrom, Director of Security Strategies with the Hurwitz Group, Web applications, when not audited regularly with the use of a web application scanner, are the most vulnerable elements of an organization’s IT infrastructure today.

What is a Web Application?

A Web application is an application that resides on a company’s Web server and that any authorized user can access over a network, such as the World Wide Web or an intranet.

A Web application is a three-layered application. Normally, the first layer would be a Web browser, the second would be a content generation technology tool such as Java servlets or ASP (Active Server Pages), and the third layer would be the company database.

The Web browser makes the initial request to the middle layer, which, in turn, accesses the database to perform the requested task, either by retrieving information from the database, or by updating it.

Since Web applications reside on a server, they can be updated and modified at any time without any distribution or installation of software on the client’s machines – the main reason for the widespread adoption of Web applications in today’s organizations.

Examples of Web applications include shopping carts, forms, login pages, dynamic content, discussion boards and blogs.

A shopping cart is a typical Web application example.

High-Profile Web Application Hacks

The gaping security loophole in Web applications is being exploited by hackers worldwide. According to a survey by the Gartner Group, almost three-fourths of all Internet assaults are targeted at Web applications.

The first reported instance of a Web application attack was perpetrated in 2000 by a 17-year-old Norwegian boy. While making online transactions with a large bank, he noticed that the URLs of the pages he was opening displayed his account number as one of the parameters. He then replaced his account number with the account numbers of random bank customers to gain access to those customers’ accounts and personal details.

On October 31, 2001, the website of Acme Art Inc. was hacked and all the credit card numbers from its online store’s database were extracted and displayed on a Usenet newsgroup. This breach was reported to the public by the media and the company lost hundreds of thousands of dollars due to orders withdrawn by wary customers. The company also lost its second phase of funding by a venture capital firm.

Similarly, the 2002 turnover report of a Swedish company was accessed prior to its scheduled publication. The perpetrator simply changed the year parameter in the URL of the previous year’s report to that of the present year to gain complete access.

In another 2002 incident, applicants to Harvard Business School accessed their admission status before the results were officially announced by manipulating the online Web application. This third-party Web application was also used by other universities. Upon receiving replies to their applications from these other schools, the applicants examined the URL of the reply and found two parameters that carried the unique IDs of that school’s students. Then, they simply substituted the values in those two parameters in the reply URL with their Harvard IDs, which returned the desired information. This procedure, posted on a businessweek.com online forum, was subsequently employed by over a hundred students eager to know their admission status. When the authorities detected this leakage, these students were denied admission.

In June 2003, hackers detected that the Web applications of the fashion label Guess and pet supply retailer PetCo contained SQL injection vulnerabilities. As a result, the credit card information of almost half a million customers was stolen.

Website defacement is another major problem resulting from Web application attacks. Hackers have learned to modify the source code of many websites. During the 2004 Christmas holidays, the “Santy” worm entered Web application servers, defacing 40,000 websites in a single day. On November 29, 2004, SCO’s website logo was replaced by the text, “We own all your code, pay us all your money.” Similarly, on December 6, 2004, the homepage of Picasa, the picture sharing facility from Google, was hacked and replaced with a totally blank page.
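The two defects behind most of the incidents above are a URL parameter that the middle layer trusts as-is (the account-number and ID substitutions) and a database query assembled from that parameter by string concatenation (the SQL injection at Guess and PetCo). The following toy three-layer application is an added illustration, not code from the original article or from any of the companies named; the `accounts` table, the handler names and the sample rows are constructed for the example.

```python
"""Added example: request -> handler (middle layer) -> SQLite database.
The vulnerable handler behaves like the hacked sites did; the hardened
handler shows the two fixes a scanner would push a developer towards."""
import sqlite3


def build_db():
    """Constructed sample data standing in for the company database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, card TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        (1001, "alice", "4111-xxxx-1111"),
        (1002, "bob", "5500-xxxx-2222"),
    ])
    return db


def vulnerable_handler(db, session_user, query_params):
    """Whatever 'account' value the URL carries is used directly and is
    spliced into the SQL text: no ownership check, no parameter binding."""
    acct = query_params.get("account", "")
    sql = f"SELECT owner, card FROM accounts WHERE id = {acct}"
    return db.execute(sql).fetchall()


def hardened_handler(db, session_user, query_params):
    """Same request, two fixes: the ID must be a plain integer and is bound
    as a query parameter, and a row is returned only if the logged-in
    user (taken from the server-side session, not the URL) owns it."""
    try:
        acct = int(query_params.get("account", ""))
    except ValueError:
        return []  # reject anything that is not an integer ID
    return db.execute(
        "SELECT owner, card FROM accounts WHERE id = ? AND owner = ?",
        (acct, session_user),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # alice edits the URL parameter to ask for bob's account
    print(vulnerable_handler(db, "alice", {"account": "1002"}))  # leaks bob's row
    print(hardened_handler(db, "alice", {"account": "1002"}))    # []
    # a textbook tautology in the same parameter dumps every row
    print(vulnerable_handler(db, "alice", {"account": "0 OR 1=1"}))  # both rows
    print(hardened_handler(db, "alice", {"account": "0 OR 1=1"}))    # []
```

A scanner flags the first handler because a changed ID and a malformed ID both alter the response; the second handler answers both with an empty result.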

Liability

Companies face a number of legal implications from Web application attacks and lax security measures. Victoria’s Secret, one of the world’s leading lingerie manufacturers, was sued in 2005 when details about individual customers’ purchases became accessible from its database. The company was directed to pay a $50,000 fine to New York State and settle all monetary claims by customers.

The same method was used in 2005 to access social security numbers and other details of a Tennessee payroll organization. The modus operandi was the same – change the value of the customer ID parameter in the URL.

In 2004, the Federal Trade Commission (FTC) filed judgments against a number of global organizations for privacy and security policy violations when it was discovered that there was a leakage of customer information from company databases caused by Web application intrusions.

For financial as well as legal reasons, it is imperative for companies to make their Web applications totally foolproof.

Hacking Web Applications: The Modus Operandi

Hackers have a wide arsenal of attack mechanisms, from which they choose the one most suited to a particular vulnerability. They use a very systematic plan of action. These steps can be classified as:

Hackers’ Favorite Web Attack Modes

Forums are often vulnerable to cross-site scripting attacks.