Tech Republic
Identifying the 10 most common application-level hacker attacks
August 21, 2001
By Izhar Bar-Gad, Guest Contributor
Breaches in application security don't usually get as much publicity as e-mail
viruses such as SirCam or worms such as Code Red, but they can cause just as
many problems, ranging from theft of merchandise and information to the
complete shutdown of a Web site. Securing Web site applications is no easy task,
but unfortunately, application hacking is very simple.
A hacker typically spends a few hours getting to know the Web application
by thinking like a programmer and identifying the shortcuts he would have created,
had he built the application. Then, using nothing more than the Web browser,
the hacker attempts to interact with the application and its surrounding infrastructure
in malicious ways, causing anywhere from minor to catastrophic damage.
To prevent these problems, a company must first find its Web site's vulnerabilities
and then close the windows of opportunity that hackers exploit. This list
explains the most common Web site weaknesses that hackers typically exploit
to conduct their attacks.
Finding the problems
As the CTO of Sanctum, I have helped companies to identify and fix application
security problems. Sanctum addresses the enormous issue of application-level
security for e-business companies by providing both security consulting services
and long-term defense technology to complement network security and authentication
tools. Our Web application security software secures and monitors Web application
behavior to ensure the program is only doing what it is intended to do.
Audits performed by Sanctum on over 100 leading Web sites simulated hacker
attacks and revealed that over 97 percent of the sites had major application-level
problems that could be exploited in only a few hours. Sanctum performed the
audits (often called "ethical hacks" because customers request and authorize
Sanctum to hack their site) by accessing a customer's Web site just as any other
user (or hacker) would: through the browser, outside the company's firewall
and network.
Aided by Sanctum's automated Web application vulnerability assessment tool,
AppScan, the auditor crawls through the site, recognizing the site's application
security policies, identifying known and unknown vulnerabilities specific to
the target site, and imitating a hacker to exploit the vulnerabilities and
attack the site. The success of the attacks and the severity of each vulnerability
are assessed and presented to the company with a detailed report of the findings
along with recommended fixes.
Common weak spots
Almost all of the Sanctum audits found that while Web sites were heavily secured
at the network level (i.e., firewalls and encryption), these sites still allowed
hackers to access valuable customer and corporate information, shoplift sales items,
and receive free products or services. Using the following top 10 hacking techniques,
Sanctum auditors were able to exploit common vulnerabilities and commit numerous
cybercrimes during the ethical hacks.
- Cookie poisoning: Identity theft
By manipulating the information stored in a browser cookie, hackers
assume the user's identity and have access to that user's information.
Many Web applications use cookies to save information (user id, timestamp, etc.)
on the client's machine. Since cookies are not always cryptographically
protected, a hacker can modify them and fool the application into accepting
the altered values, "poisoning the cookie." Malicious users can gain access
to accounts that are not their own and perform activities on behalf of that user.
- Hidden-field manipulation: E-shoplifting
Hackers can easily change hidden fields in a page's source code to
manipulate the price of an item. These fields are often used to save
information about the client's session, eliminating the need to maintain
a complex database on the server side. Because e-commerce applications use
hidden fields to store the prices of their merchandise, Sanctum auditors
were able to view the sites' source code, find the hidden field, and alter
the prices. In a real-world scenario, no one would have discovered the
change and the company would have shipped the merchandise at the altered
prices and may even have sent a rebate.
- Parameter tampering: Fraud
This technique involves changing information in a site's URL parameter.
Because many applications fail to confirm the correctness of common
gateway interface (CGI) parameters embedded inside a hyperlink, parameters
can be easily altered to, for example, allow a credit card with a $500,000
limit, skip a site login screen, and give access to alternate orders and
customer information.
- Buffer overflow: Closure of business
By exploiting a flaw in a form to overload a server with excess information,
hackers can often cause the server to crash and shut down the Web site.
- Cross-site scripting: Hijacking/Breach of trust
When hackers inject malicious code into a site, the false scripts
are executed in a context that appears to have originated from the targeted
site, giving attackers full access to the document retrieved and maybe
even sending data contained in the page back to the attacker.
- Backdoor and debug options: Trespassing
Often, programmers will leave in debug options to test the site before
it goes live. Sometimes, in haste, they forget to close the holes, giving
hackers free access to sensitive information.
- Forceful browsing: Breaking and entering
By subverting the application flow, hackers access information and parts
of the application that should normally be inaccessible, such as log files,
administration facilities, and application source code.
- Stealth commanding: Concealing a weapon
Hackers often conceal dangerous commands via a "Trojan horse," with the intent
to run malicious or unauthorized code that is damaging to the site.
- Third-party misconfiguration: Debilitating a site
Since vulnerabilities are posted and patches made available on public Web
sites (such as SecurityFocus), hackers are alerted to new vulnerabilities
as they arise. For example, through a configuration error, a hacker could
create a new database that renders the existing one unusable by the site.
- Known vulnerabilities: Taking control of the site
Some technologies used in sites have inherent weaknesses that a persistent
hacker can exploit. For example, Microsoft Active Server Page (ASP) technology
can be exploited to gain the administrators' passwords and take control
of the entire site.
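The first few weak spots in the list share one root cause: the application trusts state that the browser sent back (a cookie, a hidden price field, a URL parameter, a page of user text, a requested path). The handler below is an added example, not code from the article or from any Sanctum product, showing the server-side checks that close cookie poisoning, hidden-field manipulation, parameter tampering, cross-site scripting, and forceful browsing in one small request path. The secret key, catalog, orders, routes, and user names are all constructed for the demonstration; the only dependency is the Python standard library.

```python
import hashlib
import hmac
import html
import posixpath
from urllib.parse import parse_qs

# Constructed server-side secret for signing cookies; it lives in server
# configuration and is never sent to the browser.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"

# Constructed catalog (prices in cents): the only prices the server honours.
CATALOG = {"widget": 1999, "gadget": 4995}

# Constructed orders: order id -> (owner user id, description).
ORDERS = {"1001": ("alice", "2 x widget"), "1002": ("bob", "1 x gadget")}

# Deny-by-default route table: log files, admin pages and source files are
# unreachable because they are simply not listed.
PUBLIC_ROUTES = {"/order/checkout", "/order/view"}


def make_session_cookie(user_id: str) -> str:
    """Return 'user_id.signature'; the HMAC detects any edit to user_id."""
    sig = hmac.new(SECRET_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{sig}"


def verify_session_cookie(cookie: str):
    """Return the user id carried by a correctly signed cookie, else None."""
    user_id, sep, sig = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    return user_id if hmac.compare_digest(sig, expected) else None


def normalize_path(path: str) -> str:
    """Collapse '.', '..' and repeated slashes so the route allowlist is authoritative."""
    return posixpath.normpath("/" + path.lstrip("/"))


def handle_request(path: str, cookie: str, query: str):
    """Return (status, body) for one request, trusting nothing the client sent."""
    route = normalize_path(path)
    if route not in PUBLIC_ROUTES:
        return 404, "Not found"                     # forceful browsing ends here

    user = verify_session_cookie(cookie)
    if user is None:
        return 403, "Invalid session"               # poisoned or forged cookie

    params = {k: v[0] for k, v in parse_qs(query).items()}

    if route == "/order/checkout":
        item = params.get("item", "")
        if item not in CATALOG:                     # allowlist, not free text
            return 400, "Unknown item"
        try:
            qty = int(params.get("qty", "1"))
        except ValueError:
            return 400, "Bad quantity"
        if not 1 <= qty <= 100:
            return 400, "Bad quantity"
        # Any client-supplied 'price' (hidden field or URL parameter) is ignored;
        # the total comes only from the server's catalog.
        total = CATALOG[item] * qty
        return 200, (f"<p>{html.escape(user)} ordered {qty} x "
                     f"{html.escape(item)} for {total} cents</p>")

    # route == "/order/view"
    order_id = params.get("id", "")
    order = ORDERS.get(order_id)
    # Ownership check: a well-formed id for someone else's order is refused.
    if order is None or order[0] != user:
        return 403, "Not your order"
    note = params.get("note", "")
    # Escaping turns injected markup back into inert text before it is rendered.
    return 200, (f"<p>Order {html.escape(order_id)}: {html.escape(order[1])}</p>"
                 f"<p>{html.escape(note)}</p>")


if __name__ == "__main__":
    cookie = make_session_cookie("alice")
    print(handle_request("/order/checkout", cookie, "item=widget&qty=2&price=1"))
    print(handle_request("/order/view", cookie, "id=1002"))
    print(handle_request("/order/view", cookie.replace("alice", "mallory", 1), "id=1001"))
    print(handle_request("/order/../logs/access.log", cookie, ""))
```

Two design points matter more than the individual checks. The cookie carries only an identifier plus a signature, so the server never has to decide whether a value the browser returned is "reasonable"; it only has to decide whether the value is the one it issued. And the handler works from server-side tables (catalog, orders, routes) rather than from anything in the request, so a price in a hidden field, an order number in a URL, or a path that climbs out of the public area has nothing to influence.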
Preventing these attacks
The continuous cycle of auditing applications and trying to keep up with the
latest patches is a constant battle against hackers who are armed with automated
tools to scout out the newest vulnerabilities. While virtually all sites today
attempt to achieve application-level security manually and ultimately fail, new
automated tools have recently become available that allow auditors, developers,
and QA professionals to perform vulnerability assessments and ethical hacks that
catch the vulnerabilities before the hackers do. Sanctum offers several of these
products, including AppShield, which detects application manipulation through
the browser, and AppScan, which automates the complex task of auditing Web
applications. Sanctum also provides AppAudits for companies who want to identify
the vulnerabilities of their Web sites.
Izhar Bar-Gad is the CTO of Sanctum. Before joining the Sanctum team,
he was a project leader for Amdocs in Israel for both the infrastructure
and advanced research groups. During his military service in the Israeli
Defense Forces, Bar-Gad was part of a special Internet security
defense unit and led the development of a large software project
involving communications and information security.