Are your Web Applications Vulnerable to Enterprise Security Attacks?

Maria Todd

Jul 1, 2013, 11:32:17 AM
Vulnerabilities in web applications are now the largest vector of enterprise security attacks. Last year, almost 55% of vulnerability disclosures affected web applications [1]. At year end, 74% of web application vulnerabilities had no available patch for remediation, according to that report. Stories about exploits that compromise sensitive data frequently mention culprits such as "cross-site scripting," "SQL injection," and "buffer overflow." Vulnerabilities like these often fall outside the traditional expertise of network security managers. The relative obscurity of web application vulnerabilities thus makes them useful for attacks on medical tourism businesses.

As many organizations have discovered, these attacks will evade traditional enterprise network defenses unless you take new precautions. In the past, we've experienced these hacks on our Mercury Health Travel site. While they didn't compromise patient data security, it was unnerving just the same. Attacks on vulnerabilities in web applications began appearing almost from the beginning of the World Wide Web, in the mid-1990s. Attacks are usually based on fault injection, which exploits vulnerabilities in a web application's syntax and semantics. Using a standard browser and basic knowledge of HTTP and HTML, an attacker attempts a particular exploit by automatically varying a Uniform Resource Indicator (URI) link, which in turn could trigger an exploit such as SQL injection or cross-site scripting.

  http://example/foo.cgi?a=1'            < SQL injection
  http://example/foo.cgi?a=<script> …    < cross-site scripting (XSS)

Some attacks attempt to alter logical workflow. Attackers also execute these by automatically varying a URI.

  http://example/foo.cgi?admin=true      < increase privileges

A significant number of attacks exploit vulnerabilities in syntax and semantics. You can discover many of these vulnerabilities with an automated scanning tool. Logical vulnerabilities are very difficult to test with a scanning tool; these require manual web application source code analysis and security testing.

Web application security vulnerabilities usually stem from programming errors with a web application programming language (e.g., Java, .NET, PHP, Python, Perl, and Ruby), a code library, design pattern, or architecture.

Web applications may have any of two dozen types of vulnerabilities. Security consultants who do penetration testing may focus on finding top vulnerabilities, such as those in a list published by the Open Web Application Security Project (www.owasp.org). Other efforts to systematically organize web application vulnerabilities include six categories published by the Web Application Security Consortium (www.webappsec.org). The OWASP Top 10 is a good starting list of major vulnerabilities, but an enterprise-class solution shouldn't limit itself to just one list or category of vulnerabilities. An enterprise solution should also be capable of scanning multiple applications, tracking results over time, providing robust reporting (especially compliance reports), and providing reports customized for local requirements. The following descriptions of web vulnerabilities are modeled on the WASC schema.

Authentication – stealing user account identities
  • Brute Force attack automates a process of trial and error to guess a person’s username, password, credit-card number or cryptographic key.
  • Insufficient Authentication permits an attacker to access sensitive content or functionality without proper authentication.
  • Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user’s password.
Authorization – illegal access to applications
  • Credential / Session Prediction is a method of hijacking or impersonating a user.
  • Insufficient Authorization permits access to sensitive content or functionality that should require more access control restrictions.
  • Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for authorization.
  • Session Fixation attacks force a user’s session ID to an explicit value.
We found great assistance with the QualysGuard Web Application Scanning solution – a new on-demand service from Qualys that automates detection of the most prevalent vulnerabilities in custom web applications. Have any of you started using other tools? If so, what was your experience as to their effectiveness?
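The three URI-varying attacks in the post (a=1' for SQL injection, a=<script> for XSS, admin=true for privilege escalation) can be reproduced against a small handler. The following is an added example, not code from the post or from Qualys: a hypothetical foo.cgi written twice, once with the flaws and once hardened, over a constructed in-memory SQLite users table. Function names, the table, and the session user are all assumptions made for the illustration.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit


def _db():
    """In-memory stand-in for the application's user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "user"), (2, "bob", "admin")])
    return conn


def _params(uri):
    """First value of each query parameter of the URI, e.g. ?a=1 -> {'a': '1'}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}


def vulnerable_foo(uri, session_user="alice"):
    """Hypothetical foo.cgi: SQL built by string formatting, the raw parameter
    reflected into the page, and an admin flag read straight from the query
    string. Each flaw is reachable by editing the URI alone."""
    p = _params(uri)
    a = p.get("a", "")
    conn = _db()
    try:
        rows = conn.execute(
            f"SELECT name FROM users WHERE id = '{a}'").fetchall()
    except sqlite3.Error as exc:                 # a=1' breaks the quoting
        return {"status": 500, "body": f"SQL error: {exc}", "admin": False}
    body = "users: " + ", ".join(r[0] for r in rows) + " q=" + a
    is_admin = p.get("admin") == "true"          # admin=true is simply believed
    return {"status": 200, "body": body, "admin": is_admin}


def hardened_foo(uri, session_user="alice"):
    """Same feature set with the fault-injection surface closed: a bound SQL
    parameter, output encoding on reflection, and the role taken from the
    server-side session rather than from anything in the URI."""
    p = _params(uri)
    a = p.get("a", "")
    conn = _db()
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (a,)).fetchall()
    body = "users: " + ", ".join(html.escape(r[0]) for r in rows)
    body += " q=" + html.escape(a)
    role = conn.execute("SELECT role FROM users WHERE name = ?",
                        (session_user,)).fetchone()
    is_admin = role is not None and role[0] == "admin"
    return {"status": 200, "body": body, "admin": is_admin}


if __name__ == "__main__":
    for uri in ("http://example/foo.cgi?a=1'",
                "http://example/foo.cgi?a=1' OR '1'='1",
                "http://example/foo.cgi?a=<script>",
                "http://example/foo.cgi?a=1&admin=true"):
        print(uri, "\n  vulnerable:", vulnerable_foo(uri),
              "\n  hardened:  ", hardened_foo(uri))
```

The first two URIs show why a scanner can find syntax-level flaws: a=1' turns into an SQL error the scanner can see in the response, and the OR '1'='1 variant dumps every row. The admin=true case is the logical flaw the post says scanners miss; nothing in the response tells a tool that the flag should not have been honoured, which is why the hardened version derives the role from the session and ignores the parameter entirely.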


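The Authorization items in the post (credential/session prediction, insufficient session expiration, session fixation) are all properties of how the server hands out and retires session IDs. As an added example, not from the post or from any vendor, here is a constructed session store written twice: a weak version with sequential IDs, no expiry and login that keeps whatever ID the client arrived with, and a hardened version that uses CSPRNG IDs, idle expiry and ID rotation at login. The class and method names, the timeout value, and the injectable clock are assumptions for the illustration.

```python
import itertools
import secrets
import time


class WeakSessions:
    """Sequential IDs, no expiry, and login authenticates whatever ID the
    client presents: predictable, reusable, and fixable."""

    def __init__(self):
        self._counter = itertools.count(1000)
        self.store = {}

    def new(self):
        sid = str(next(self._counter))          # neighbouring IDs are guessable
        self.store[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        self.store.setdefault(sid, {})["user"] = user   # fixation: attacker-chosen sid now authenticated
        return sid

    def user(self, sid):
        return self.store.get(sid, {}).get("user")       # never expires


class Sessions:
    """Hardened store: 256-bit random IDs, idle timeout, rotation on login."""

    def __init__(self, idle_timeout=900, clock=time.time):
        self.store = {}
        self.idle_timeout = idle_timeout
        self.clock = clock                      # injectable so expiry is testable

    def new(self):
        sid = secrets.token_urlsafe(32)         # unpredictable: 32 bytes of CSPRNG output
        self.store[sid] = {"user": None, "last": self.clock()}
        return sid

    def login(self, sid, user):
        # Rotate: discard the pre-authentication ID so a fixated or leaked ID
        # never becomes an authenticated one. The caller must set the new cookie.
        self.store.pop(sid, None)
        new_sid = self.new()
        self.store[new_sid]["user"] = user
        return new_sid

    def user(self, sid):
        s = self.store.get(sid)
        if s is None:
            return None
        if self.clock() - s["last"] > self.idle_timeout:
            del self.store[sid]                 # expired: force re-authentication
            return None
        s["last"] = self.clock()
        return s["user"]

    def logout(self, sid):
        self.store.pop(sid, None)


def fixation_succeeds(sessions):
    """Session fixation scenario: the attacker obtains an ID, plants it on the
    victim (constructed here by simply reusing the value), the victim logs in,
    and the attacker checks whether that same ID is now authenticated."""
    attacker_sid = sessions.new()
    sessions.login(attacker_sid, "victim")
    return sessions.user(attacker_sid) == "victim"


if __name__ == "__main__":
    print("fixation against WeakSessions:", fixation_succeeds(WeakSessions()))
    print("fixation against Sessions:   ", fixation_succeeds(Sessions()))
```

The rotation in Sessions.login is what defeats fixation: whatever ID the victim carried into the login step is thrown away, so the attacker's copy is never valid for the authenticated user. The idle timeout addresses the insufficient-expiration item, and token_urlsafe(32) closes the prediction item; a scanner can flag sequential or short IDs, but the fixation behaviour is a logic check that has to be tested by hand.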