5 Threats that make your Website Vulnerable
- Date: 2006-08-21 - Word Count: 910
The webmaster's dilemma: do you really have to choose between "quick and easy development" and security?
« 75% of malicious attacks on the web take place on the application layer (Gartner) »
«... The evolution of web applications has been characterized by a relatively immature level of security awareness ... (Deloitte and Touche) »
Websites create value. Whether you are an e-merchant, a public administration or a car manufacturer, your core assets (accounting, supply chain, customer data, business information, …) are processed, stored and communicated through your internet applications and, more generally, through your IT system. Web applications include not only public websites but also internal business applications, intranets, extranets and portals. It is a fact: more and more companies and administrations are 'webizing' their IT infrastructure.
But there is a counterpart: being open brings dangers and threats that are often underestimated.
Web protocols are not secure
« More than 80% of all malware that emerged in the past year focuses on application-level vulnerabilities (various sources, 2006). »
« In June 2006, 92 SQL injection and 34 cross-site scripting (XSS) new vulnerabilities were recorded on our database (Secunia) »
These threats translate into: theft of private data, illegal use of your website (for instance to host forbidden content or to relay spam), website defacement, abuse of e-commerce sites, unavailability, …
Major threats include:
· Cross-site scripting (XSS) - injecting attacker-controlled script into pages that other users' browsers then execute
· SQL injection - reading or modifying the database through SQL statements built from untrusted input
· Command injection - unauthorized execution of operating-system commands
· Parameter/form tampering - sending altered or unexpected arguments (hidden fields, prices, identifiers) to the application
· Cookie/header tampering - using HTTP header fields, cookies included, to send forged values to the web server
· Buffer overflow - writing past the end of a fixed-size memory buffer, typically to crash the server or run attacker code
· Directory traversal/forceful browsing - reaching files or pages outside the area the application is meant to expose
· 'Attack obfuscation' - disguising an attack, for instance via URL encoding, so that simple filters do not recognize it
The well known security properties are confidentiality, integrity, availability and auditability. HTTP and HTTPS score poorly on all of them. Plain HTTP authenticates nobody and guarantees neither confidentiality nor integrity; HTTPS adds transport encryption, integrity and server authentication, but says nothing about whether the request itself is legitimate. An attack sent over SSL is still an attack once your website decrypts and processes it, and your network devices never get to see it.
Keep in mind that a URL sent by a browser is a command line to your web server: a URL may, for instance, be turned into an SQL command or may start a CGI script.
Finally, web protocols impose no input validation at all. This is the main cause of their 'insecurity'!
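To make the "URL is a command line" point concrete, here is an added example (not code from the original article) that feeds the same two URLs to a lookup that pastes the query parameter into its SQL and to one that binds it as a parameter. The user table, the URLs and the `lookup_*` function names are constructed for the demo; the injection payload is the plain `' OR '1'='1` in the URL encoding a browser would send.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    """Constructed sample data: stands in for the real backend database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.test"),
        (2, "bob", "bob@example.test"),
        (3, "carol", "carol@example.test"),
    ])
    return db


def name_from_url(url):
    """URL-decode the 'name' query parameter exactly as a web framework would."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def lookup_vulnerable(db, url):
    """Builds the SQL by pasting the decoded parameter into the statement.
    Whatever the browser put in the URL becomes part of the command."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name_from_url(url)
    return db.execute(sql).fetchall()


def lookup_parameterized(db, url):
    """Same lookup, but the value travels as a bound parameter: the driver never
    interprets it as SQL, so quotes and OR clauses are just characters."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return db.execute(sql, (name_from_url(url),)).fetchall()


# Constructed requests: a legitimate one and an injection attempt. The payload
# decodes to  ' OR '1'='1  and turns the WHERE clause into a tautology.
NORMAL_URL = "/user?name=alice"
ATTACK_URL = "/user?name=%27%20OR%20%271%27%3D%271"


def demo():
    """Run both lookups against both URLs; returns the four result sets."""
    db = make_db()
    return {
        "normal_vulnerable": lookup_vulnerable(db, NORMAL_URL),
        "attack_vulnerable": lookup_vulnerable(db, ATTACK_URL),        # every row
        "normal_parameterized": lookup_parameterized(db, NORMAL_URL),
        "attack_parameterized": lookup_parameterized(db, ATTACK_URL),  # no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable lookup returns the whole table for the attack URL because the query that actually reaches the database is `... WHERE name = '' OR '1'='1'`; the parameterized lookup looks for a user literally named `' OR '1'='1` and finds none. Nothing in the protocol distinguishes the two requests: the difference is entirely in how the application treats the parameter.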
Coding secure web applications is hard work
« For far too many development professionals, Web application security only consists of producing applications that are functional and stable, not building hacker protection into the code or checking for SQL injection vulnerabilities (Spi Dynamics) »
Web protocols are not secure by default, but web application developers could raise the security level considerably with good coding principles. As M. Andrews and J. Whittaker put it in their Guide to Web Application Security: "If developers only validated their inputs to what they are expecting to be given, rather than attempting to filter for malicious inputs (if at all), then 80-90% of web application vulnerabilities would go away. SQL Injection -- gone, XSS -- gone, parameter tampering -- gone."
Unfortunately, from a software vendor's perspective, shipping a new product on time matters more than shipping a secure one!
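The difference between "filtering for malicious input" and "validating to what you expect" is easy to see side by side. The following is an added example, not code from the article or from Andrews and Whittaker: a small blacklist filter of the kind that is often bolted on in front of an application, next to an allowlist validator that declares the exact shape of each field. The field names, the patterns and the probe values are constructed for the demo; the probes cover the 'attack obfuscation' item from the threat list above (URL encoding, alternative syntax).

```python
import re
from urllib.parse import unquote

# Negative model: fragments considered "bad". The attacker chooses the spelling.
BAD_FRAGMENTS = ("<script", "union select", "../")


def blacklist_filter(raw_value):
    """Accept unless a known-bad fragment appears in the value as it arrived in
    the URL (many bolted-on filters look at the raw, still-encoded value)."""
    return not any(bad in raw_value.lower() for bad in BAD_FRAGMENTS)


# Positive model: each field declares what a legitimate value looks like.
EXPECTED = {
    "id":       re.compile(r"[1-9][0-9]{0,9}"),         # positive integer
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),    # handle, 3 to 32 chars
    "file":     re.compile(r"[a-z0-9_-]+\.(pdf|png)"),  # bare filename, two types
}


def allowlist_validate(field, raw_value):
    """Decode once, then accept only values that are exactly the expected shape
    for this field. Unknown fields are refused outright."""
    pattern = EXPECTED.get(field)
    if pattern is None:
        return False
    return pattern.fullmatch(unquote(raw_value)) is not None


# Constructed probes: (field, value as seen in the URL, what the sender wants).
PROBES = [
    ("id", "42", "legitimate"),
    ("id", "42%20OR%201%3D1", "SQL injection with no blacklisted fragment at all"),
    ("username", "alice_01", "legitimate"),
    ("username", "%3Cscript%3Ealert(1)%3C/script%3E", "XSS hidden by URL encoding"),
    ("username", "%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E", "XSS without the word script"),
    ("file", "report.pdf", "legitimate"),
    ("file", "..%2F..%2Fetc%2Fpasswd", "traversal: '../' only exists after decoding"),
]


def compare():
    """Decide every probe both ways. Returns (field, intent, blacklist_ok, allowlist_ok)."""
    return [
        (field, intent, blacklist_filter(raw), allowlist_validate(field, raw))
        for field, raw, intent in PROBES
    ]


if __name__ == "__main__":
    for field, intent, black, allow in compare():
        print(f"{field:9} {intent:50} blacklist={black!s:5} allowlist={allow}")
```

Every attack probe passes the blacklist, each for a different reason (encoding, a different tag, an injection that needs no listed keyword), while the allowlist rejects all of them without knowing anything about attacks: it only knows that an id is digits and a filename has no slash. The blacklist can only be extended after each new trick is discovered; the allowlist does not need to be.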
The limits of traditional tools
« According to the CSI/FBI 2006 study:
97% of the interviewed companies and administrations were using an antivirus, 98% had a network firewall and 69% had intrusion detection systems. However ... 65% of these organisations had undergone a viral or spyware attack, 32% had experienced unauthorized access to their internal data and 15% had even suffered network intrusions ... »
Network security is not web application security!
The perimeter network firewall cannot block every flow and every attack. It usually lets HTTP traffic (ports 80 and 443) into the company's network, because that is what communicating with the outside world requires. Since these ports are open, more and more applications use them as an open door: VoIP and peer-to-peer traffic, for instance, are tunnelled over HTTP. The HTTP port becomes a toll-free motorway into the internal network, with more and more applications (suspicious ones included) encapsulated in HTTP traffic. This is the "everything over HTTP" phenomenon!
Comprehensive IT security requires a layered approach
«Two very old adages in security are "least privileges" and "defense in depth." The idea is to only give software enough privileges to get the job done, and not to rely on only one security mechanism. M. Andrews and J. Whittaker, Guide to Web Application Security »
Although security tools have their limits, they are usually necessary to make the IT security infrastructure stronger.
Security experts describe an IT security infrastructure as "rings of protection". Two very well known and common rings are the antivirus and the network firewall. As far as web security is concerned, we have seen that web traffic gets into the IT system with no real opposition. That is why web application firewalls are becoming indispensable: a web application or a website needs its 'bodyguard', as web technologies become ever more critical and exposed in modern IT infrastructures. In late 2004 a Red Herring journalist wrote: "Web-app security will be just like anti-virus was 10 years ago. In five years, it will be a must-have."
Conclusion: web application firewalls act where conventional tools reach their limits
Web application firewalls are an important building block of every HTTP-facing network. First of all, they protect the most exposed part of your IT assets: the website. Web applications need an intelligent, self-learning bodyguard. By bodyguard we mean a solution that 'understands' the application and its behavior, that sits close to it (i.e. directly on the web server) and that can ACT immediately and accordingly (counter-measure). At the same time it has to be discreet and follow the business logic. It is the "last rampart": the outer ring behind the validation the code itself should do, not a substitute for it.
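What such a bodyguard does on the server can be shown in a few dozen lines. The following is an added example and not the code of any product: a WSGI middleware that sits in front of the application on the same host, holds a positive model of each path (which parameters it takes and what shape they have), refuses nested URL encoding, rejects requests to paths it has no model for, and checks the integrity of a signed session cookie. The route table, the cookie name, the secret and the stand-in application are all constructed for the demo; a real self-learning appliance would build the route table from observed traffic rather than have it declared by hand.

```python
import hashlib
import hmac
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, unquote

# Assumption: a per-deployment secret; a constructed constant for the demo.
COOKIE_SECRET = b"demo-secret-rotate-me"

# Positive security model, declared by hand here: for each path, the parameters
# the application really uses and the shape each one must have.
ROUTES = {
    "/user":   {"id": re.compile(r"[1-9][0-9]{0,9}")},
    "/search": {"q": re.compile(r"[A-Za-z0-9 ]{1,64}"),
                "page": re.compile(r"[1-9][0-9]?")},
}


def sign(value):
    """Attach an HMAC so that a cookie edited by the client becomes detectable."""
    mac = hmac.new(COOKIE_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + mac


def verify(signed):
    """Return the original value, or None when the MAC does not match."""
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(COOKIE_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


class WebAppFirewall:
    """WSGI middleware: inspects each request against the model and refuses it
    before the application runs if anything falls outside that model."""

    def __init__(self, app):
        self.app = app
        self.blocked = []   # audit trail of counter-measures: (path, reason)

    def inspect(self, environ):
        path = environ.get("PATH_INFO", "/")
        rules = ROUTES.get(path)
        if rules is None:
            return "path not in model (forceful browsing)"
        raw_query = environ.get("QUERY_STRING", "")
        once = unquote(raw_query)
        # If a second decoding pass still changes the string, a nested encoding
        # layer was present (%2527 -> %27 -> '), the classic obfuscation trick.
        # Trade-off: a literal '%' followed by two hex digits is refused too.
        if unquote(once) != once:
            return "double URL encoding (attack obfuscation)"
        for name, value in parse_qsl(raw_query, keep_blank_values=True):
            pattern = rules.get(name)
            if pattern is None:
                return f"unexpected parameter {name!r} (parameter tampering)"
            if any(ord(c) < 32 for c in value) or not pattern.fullmatch(value):
                return f"parameter {name!r} outside expected shape"
        cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        if "session" in cookie and verify(cookie["session"].value) is None:
            return "session cookie failed integrity check (cookie tampering)"
        return None

    def __call__(self, environ, start_response):
        reason = self.inspect(environ)
        if reason:
            self.blocked.append((environ.get("PATH_INFO"), reason))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"request refused\n"]
        return self.app(environ, start_response)


def protected_app(environ, start_response):
    """Stand-in for the real web application (constructed for the demo)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the application\n"]


def send(waf, path, query="", cookie=None):
    """Drive the middleware with a hand-built WSGI environ; returns the status line."""
    environ = {"PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    if cookie is not None:
        environ["HTTP_COOKIE"] = "session=" + cookie
    status = {}

    def start_response(line, headers):
        status["line"] = line

    list(waf(environ, start_response))   # consume the body iterable
    return status["line"]


if __name__ == "__main__":
    waf = WebAppFirewall(protected_app)
    print(send(waf, "/user", "id=42"))                           # 200 OK
    print(send(waf, "/user", "id=42%20OR%201%3D1"))              # 403 Forbidden
    print(send(waf, "/user", "id=42&admin=1"))                   # 403 Forbidden
    print(send(waf, "/search", "q=%2527"))                       # 403 Forbidden
    print(send(waf, "/admin/"))                                  # 403 Forbidden
    print(send(waf, "/user", "id=7", cookie=sign("alice")))      # 200 OK
    print(send(waf, "/user", "id=7",
               cookie=sign("alice").replace("alice", "admin")))  # 403 Forbidden
    for entry in waf.blocked:
        print("blocked:", entry)
```

Because the middleware only knows what each path expects, it needs no attack signatures: the injection in `id`, the extra `admin` parameter, the doubly encoded quote, the unmodelled `/admin/` path and the edited cookie are all refused for being outside the model, and each refusal is recorded so the counter-measure is auditable. The same validation should still exist inside the application; the middleware is the ring around it, and a mis-declared route in the model would either block legitimate traffic or let attacks through, which is why a positive model must be maintained with the application.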