Web apps pose security threat

Even if your network is not totally secure, you probably thought you had defenses in all the right places. Think again.

The next wave of hacking schemes focuses on a vulnerable and extremely difficult area to defend: Web applications.

Such application-level hacks differ from typical brute-force attacks such as distributed denial of service or other break-ins in that they can come from any online user, even authenticated customers at online banks or stores. And the area has been largely neglected as companies scramble to protect their networks with firewall, intrusion detection and anti-virus software.

"A lot of people are still struggling with network security, so they haven't gotten to this yet," said Mike Serbinis, chief security officer at Critical Path Inc., a San Francisco-based provider of hosted messaging services. "Application-level hacks are difficult because you're dealing with a lot of intricate detail, but most [sites] aren't at a point where their security can handle them."

Application hacks take advantage of vulnerabilities that normally occur in many HTML pages. A person hacking into a Web page could, for example, edit Web site parameters within a URL field and adjust a price. In addition, the URL field is often open to other such "forced browsing" attempts and can provide access to Common Gateway Interface, Visual Basic or Java scripts and, by extension, the Web server. The problem is that once a user is assumed to be authenticated and has reached this area of a Web site, there is little that can be done to prevent him or her from doing damage.

"Most of the successful attacks are application attacks because most of the important data is stored in those systems," said Alan Paller, director of research at the SANS Institute, in Bethesda, Md. "Applications never had a very big face to the outside world, and the OS had all of those ports you could try. So, it was just convenience that most of the attacks in the past were on the OS. If you want the customer log or the credit card data, you're going through the application."

The Computer Security Institute, of San Francisco, surveys different types of hacks and their targets. Its latest figures report that 59 percent of corporate respondents cited their Internet connection as the frequent point of attack, while 38 percent cited their internal systems.

Some executives fear application hacks originate from employees themselves. "It's very easy to shield a single point of access," said Kevin Dunn, CIO and chief technology officer of EdExpress Inc., a Dallas company that helps parents save for college. "But once you have someone inside the network, it's tough to give them enough access to do their jobs but not be able to cause trouble." Add to that the hundreds or thousands of partners and trusted outsiders who are routinely given access to a company's Web-based applications, e-businesses have a potential disaster that traditional intrusion detection systems and firewalls aren't designed to handle.

"Application security has been ignored by firewall manufacturers because it's difficult," said Nir Zuk, CTO of OneSecure Inc., a Denver-based managed security provider. "A lot of these sites think that because their sites were written in Java, which is a pretty secure language, they're safe. But firewalls and intrusion detection systems aren't the right solution for application security."

There is hope for Web application developers and managers who want to plug the holes before they are exposed.

Sanctum Inc., a Santa Clara, Calif., startup formed by one-time security experts in the Israeli Defense Forces, has engineered a software solution that's designed to defend against application hacks, as opposed to network hacks.

The company's AppScan product audits a site, checking all pages, links and scripts against a knowledge base of known vulnerabilities. The software then simulates the attack and rates the likelihood of the application's being vulnerable to hackers. AppScan 2.0, due early next month, adds a feature that automates the process.

Sanctum sells AppScan to enterprises starting at about $20,000 per year per user, as well as to security service providers and auditors, who can use the tool to augment other scanning techniques. AppScan customer Yahoo Inc. uses the product in its development process, checking for holes as an application is created and making sure it's solid before it goes live.

"In general, application security is something that is going to become more of an issue as time goes by because in the rush to market, sites only concentrate on whether a site works or not," said Arturo Bejar, a technical specialist for the Santa Clara portal. "It's not about if a security hole is used, but can it be used? [AppScan] helps identify those things in a more automated way, and before, it was by hand."

Types of Web application hacks

Hidden manipulation

Parameter tampering

Cookie poisoning

Stealth commanding

Forceful browsing

Backdoors and debug options

Third-party misconfiguration

Cross-site scripting

Buffer overflow

Published vulnerabilities

Source: Sanctum