Sometimes all malicious users do is place a script inside the username, address, or search query field on a Web page. And sometimes they get help from the sites they target. Error messages from unprotected servers can provide attackers with vital clues about the security on the back end, as well as the type of server being used, and the software running on it.
Common types of attacks include cross-site scripting (where script injected through a field such as a search box is served back to other customers and runs in their browsers, which can then be redirected to another site or have their session data stolen); buffer overflows (where over-long input lets rogue code execute on a remote server); cookie poisoning (where a customer alters the session or account data a site stores in a cookie, which is frequently neither encrypted nor signed); and parameter tampering (where malicious users change hidden form fields or URL parameters to reach data the application never meant to expose, up to whole directory structures and confidential files on a remote system).
These attacks are a nightmare for e-commerce and financial sites, because they are often specific to the custom software running on a site--and thus require custom-made fixes that can take months to complete.
The typical security for a Web site includes a firewall between you and the server that locks down unused Internet ports. Port 80, which is used for HTTP (or Web) traffic, is not blocked, and has recently become a popular means of attacking Web sites. Internet Security Systems (ISS) reported in its Internet Risk Impact Summary that 70 percent of all Web attacks from Dec. 22, 2001, through March 21, 2002, exploited port 80. A port-level firewall cannot close port 80 without shutting down all Web traffic to the site, and it does not look inside the HTTP requests it lets through, so an attack carried in a form field or URL passes it untouched.
What we need to stop this sort of attack is a better way to screen user input on Web sites. One security company, Sanctum, thinks it has a solution.
Sanctum makes a product called AppShield, which sits behind the firewall but in front of the site's application server. Peggy Weigle, president and CEO of Sanctum, gave this analogy: "If the Internet is like an interstate highway and your application is the ultimate destination, then firewalls protect people from getting off at the wrong exit, and AppShield protects the destination itself."
For example, AppShield parses each page of HTML the server sends out and notes what every form on it expects, say 10 to 20 alphanumeric characters in each of four fields. If a customer then submits symbols, rogue code, or anything other than what the page asked for in any of those fields, AppShield rejects the submission. This is a positive model: instead of hunting for known attack strings, it allows only what the site's own pages declared acceptable, which also means its protection is only as precise as the constraints those pages carry.
Another cool product from Sanctum is AppScan, which exposes a system's potential vulnerabilities by attacking it with thousands of scripting variations. It's like a hacker in a box. Given that some companies now perform "ethical hacks" on app servers before using them on their live Web site, AppScan could save companies money. Using AppScan's one-click security policy setting, locating new vulnerabilities is a snap. I found the interface of both products to be clean and easy to use.
AppShield has an impressive customer base, too. In the nearly three years it's been in the field, AppShield's been used by 60 Fortune 100 companies to protect their Web servers.
Are programs like AppShield the best way to protect your Web servers? Why or why not? Know of any other options? Tell us through talkback.