This week Gunter Ollmann, principal security assessment consultant with Internet Security Systems, asks: "You think it's only Microsoft that develops insecure software? Think your in-house applications are safer? Think again. Your security vulnerabilities may start out closer to home than you thought." Web-based applications are as often as not subject to design compromises. To make the best use of client-side internet bandwidth and to deal with high volumes of simultaneous connections and data requests, for example, web-based applications tend to be split over multiple servers using a tiered architecture model.
Moreover, they frequently rely on client-side code to deliver and present data.
These design considerations, coupled with the use of scripting-type development languages and constant changes in authentication and certification procedures, frequently lead to security flaws in an application's implementation.
Increasingly, internet-based attacks exploit these security flaws to compromise sites and gain access to critical systems.
Direct attacks against custom web applications through manipulation of their inherent vulnerabilities have become more popular due to their relative ease and the scope they offer for maintaining anonymity.
Although companies can install various mechanisms to strengthen security - firewalls, intrusion detection systems, operating system hardening procedures, etc - they seldom expend much effort in securing and verifying the integrity of applications and coded pages against external attacks.
Consider how faulty application processes and input manipulation have led directly to the loss of confidential data such as banking details and credit card numbers.
Hackers who are customers of online banking services have the option in some cases of simply altering a digit in the cookie containing their own account information to gain access to others' accounts and acquire their privileges.
In other cases, the same effect can be achieved by changing details in the long string of characters in the URLs that give users access to their accounts.
Another favourite application-hacking method is to manipulate the hidden fields in online forms. Lowering prices or increasing discount levels held in hidden fields in some online shopping carts is an increasingly popular way to acquire high-ticket goods much more cheaply.
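The cookie, URL and hidden-field manipulations described above all share one root cause: the server treats a value the client can edit as authoritative. The following Python is an added example, not code from the column or from Internet Security Systems, showing a request handler that trusts those values beside one that re-derives them on the server. The catalogue, session table, account records and the Request shape are constructed for illustration; no real web framework is involved.

```python
"""Added example: why hidden-field prices and cookie-borne account identifiers
must never be trusted by the server. All data below is constructed."""
from dataclasses import dataclass

# Constructed sample data: in a real application these live in a database.
CATALOGUE = {"laptop": 1499.00, "mouse": 25.00}
SESSIONS = {"sess-alice": "ACC-1001", "sess-bob": "ACC-1002"}   # opaque session id -> account
ACCOUNTS = {"ACC-1001": {"owner": "alice", "balance": 5000.0},
            "ACC-1002": {"owner": "bob", "balance": 120.0}}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: cookies and submitted form fields."""
    cookies: dict
    form: dict


class TamperingDetected(Exception):
    """Raised when a client-supplied value disagrees with the server's own record."""


def checkout_trusting_client(req):
    """Vulnerable: charges whatever price the browser sent in the hidden field."""
    return float(req.form["price"]) * int(req.form["qty"])


def checkout_server_authoritative(req):
    """Hardened: the price comes from the catalogue; the hidden field is only
    compared against it, so a mismatch becomes a tamper signal worth logging."""
    sku = req.form["sku"]
    if sku not in CATALOGUE:
        raise ValueError("unknown SKU")
    qty = int(req.form["qty"])
    if not 1 <= qty <= 100:                      # sane bounds, checked server-side
        raise ValueError("quantity out of range")
    real_price = CATALOGUE[sku]
    if "price" in req.form and float(req.form["price"]) != real_price:
        raise TamperingDetected(
            f"price mismatch for {sku}: client sent {req.form['price']}, catalogue says {real_price}")
    return real_price * qty


def account_view_trusting_cookie(req):
    """Vulnerable: the account id is read straight from the cookie, so editing
    one digit selects someone else's account."""
    return ACCOUNTS[req.cookies["account_id"]]


def account_view_session_bound(req):
    """Hardened: only an opaque session id is accepted from the client; the
    account is resolved server-side, and any client-supplied account id that
    disagrees with it is rejected rather than honoured."""
    owned = SESSIONS.get(req.cookies.get("session_id"))
    if owned is None:
        raise PermissionError("not authenticated")
    requested = req.cookies.get("account_id", owned)
    if requested != owned:
        raise PermissionError("account does not belong to this session")
    return ACCOUNTS[owned]


if __name__ == "__main__":
    tampered = Request(cookies={}, form={"sku": "laptop", "qty": "1", "price": "1.00"})
    print("trusting client:", checkout_trusting_client(tampered))      # 1.0
    try:
        checkout_server_authoritative(tampered)
    except TamperingDetected as e:
        print("server-authoritative:", e)
```

The same rule covers client-side validation in general: JavaScript checks in the browser are a usability feature, and every value they guard must be checked again on the server as if the client-side code had never run.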
Of the numerous methods used to attack web-based applications, four types stand out:
1. Buffer overflow attacks: These are aimed at application components that take data as an input and pass it to memory buffers for later use and manipulation.
Failure to check the size of the data before copying it into a buffer that is too small is commonplace. Attackers may be able to embed their own commands within the oversized data, overwriting adjacent memory so that their commands run on the system in place of the application's intended code.
2. Race conditions: Under certain circumstances, when an application requires access to specific files, variables or data, its programmers may not have correctly implemented multiple simultaneous accesses and installed the appropriate checks.
This can often lead to an attacker enjoying unintended access to files or data through trusted and non-trusted server application components.
3. Exploitation of application component privileges: Server-based application components run with specific group or user permissions, not necessarily those of the user invoking them (such as an anonymous web user).
These application components, if they suffer additionally from buffer overflows or race conditions, can be used to increase access and escalate the potential damage to the system.
4. Client-side manipulation: To speed up internet connectivity and reduce the processing load at the server end, validation of input and manipulation of data are often performed on the client side.
Sometimes it is a relatively trivial exercise for an attacker to bypass this checking and supply incorrect data or data formats to the server in an attempt to initiate any of the other three common attack formats, or to reveal both confidential information and server application functionality.
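Item 2 above describes a race condition only in the abstract. The following Python is an added example, not code from the column or from Internet Security Systems, that makes the failure concrete: a withdrawal that checks a balance and then debits it in two separate steps, beside the same operation made atomic with a lock. The Account class and the simulated latency are constructed; in a real application the latency would be a database or network round trip, and the lock would typically be a database transaction or row lock.

```python
"""Added example: a check-then-act race on a shared balance (constructed model)."""
import threading
import time


class Account:
    """Constructed stand-in for a bank account record."""
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct, amount, latency=0.1):
    """Vulnerable: the balance check and the debit are separate steps, so two
    requests that arrive together both see the old balance and both pass."""
    seen = acct.balance              # check
    time.sleep(latency)              # stands in for DB/network latency
    if seen < amount:
        return False
    acct.balance = seen - amount     # act, using a value that may be stale
    return True


def withdraw_atomic(acct, amount, latency=0.1):
    """Hardened: check and debit happen under one lock, so the second request
    waits and then sees the balance left by the first."""
    with acct.lock:
        seen = acct.balance
        time.sleep(latency)
        if seen < amount:
            return False
        acct.balance = seen - amount
        return True


def run_concurrently(fn, acct, amount, n=2):
    """Fire n identical withdrawals at once.

    Returns (successful withdrawals, final recorded balance, cash actually
    handed out). In the racy case the recorded balance looks fine while the
    cash handed out exceeds what the account ever held."""
    results = []

    def worker():
        results.append(fn(acct, amount))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    successes = sum(results)
    return successes, acct.balance, successes * amount


if __name__ == "__main__":
    # Two simultaneous withdrawals of 80 from an account holding 100.
    print("racy:  ", run_concurrently(withdraw_racy, Account(100), 80))    # (2, 20, 160)
    print("atomic:", run_concurrently(withdraw_atomic, Account(100), 80))  # (1, 20, 80)
```

Note what the racy run reports: the stored balance ends at 20, exactly as if one withdrawal had happened, while 160 was paid out. An auditor looking only at the balance would see nothing wrong, which is why detecting this class of flaw needs a reconciliation of disbursements against balances rather than a check of the balance alone.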
In almost all cases, an understanding of these manipulation techniques, combined with a rigorous client-side security testing regime, can identify potential failure points and result in a more robust application.
Ultimately, there are no substitutes for secure programming techniques to avert embarrassing and often dangerous compromises of your system or data integrity.