Web applications are notoriously prone to a range of vulnerabilities that attackers can easily exploit to access customer names, creditcard numbers and other sensitive data. Common attacks include SQL injection, cross-site scripting, and buffer overflows.
Even high-profile sites are not immune. Pet food firm Petco recently settled charges by the Federal Trade Commission that flaws in its website violated privacy promises it made to customers by allowing a hacker to access consumer records. Tower Records settled similar FTC charges after a redesign of its site introduced a vulnerability that allowed web browsers to see customer data.
In their rush to get applications online, developers are putting features and functions ahead of security, say experts.
"They're always under huge deadlines," says Jeff Bennett, chief executive officer at security-services firm SiegeWorks. "That's why there are so many security holes. They're rushed to get things online and they're bypassing the things they could do in order to reduce vulnerabilities."
One of the most common website flaws – and easy to exploit – is structured query language (SQL) injection. SQL injection exploits applications that use client-supplied data in SQL queries, but do not reject potentially harmful characters in the queries.
For example, an attacker can add characters to a user name field on a web form to possibly get different data from the back-end database.
"Basically, the developer isn't validating his input correctly... It's extremely dangerous and most of the hacking methods [for it] are completely automated," says Caleb Sima, CTO at security vendor SPI Dynamics. "Whether a site is coded in .Net, ColdFusion, Java and so on, all of those languages are vulnerable to SQL injection."
Another problem that routinely plagues web applications is cross-site scripting, which occurs when dynamic web pages do not validate user input. That allows an attacker to embed malicious script on the page, which is then executed on a user's machine.
Buffer overflows are also a major vulnerability and happen when too much data is input into a field.
"It has to do with the way memory is allocated in the registry of the server," explains Stern. "It's expecting a certain length. What attackers are hoping for with a buffer overflow is that it will melt down [the application] and give a command-level interface."
Jeffrey Scheidel, technical director at security vendor Kavado, describes how his seven-year-old daughter inadvertently executed a buffer overflow by accidentally hitting the six key while visiting a children's site. When she called him over to the PC, he saw that the site returned a page with a bunch of IP addresses. "I could have gone exploring if I'd wanted," he says.
Assuming another person's identity online by compromising credentials, session hijacking or cookie tampering are other common methods of attack. Server misconfiguration can also provide intruders with a means of attack.
Potential intruders constantly scour the internet to unearth web vulnerabilities, say security experts. "They have scanners... They're just sitting there looking for sites they can bust into," warns Scheidel.
Why so flawed?
While most companies have become fairly skilled at network security, attackers are bypassing traditional security measures and zeroing in on web applications as "the path of least resistance," points out Stern.
"If you talk to an application developer about their list of priorities, the first three are functionality, usability, and getting it out on time. Security is some-where down the line," he explains.
Usually, web application developers are under intense deadlines, which do not leave time for security checks. "If you've got revenue numbers you have to meet based on having an online transactional system, are you necessarily going to line-up the security people to make sure you've done all the remediation testing?" asks Scheidel.
Plus, developers often do not have the requisite security know-how. Many firms working within budget constraints hire junior programmers when a senior architect is needed, comments Paul Rohmeyer, chief executive at security-services company Icons. Outsourcing application development increases the risk of vulnerabilities, he adds.
On top of everything, web applications need to be open and accessible, which all creates "a pretty big recipe for disaster as far as security is concerned," remarks Bennett.
What to do
There are a number of steps companies can take to improve web application security, starting with the obvious: secure code development.
Validating input – ensuring a user is entering data that is consistent with what the application is expecting – will solve a lot of problems, advises Sima: "Up to 80 percent of web vulnerabilities, such as SQL injection, are due to developers not validating their input."
Many of the issues afflicting web applications are well known and fixable, says Rohmeyer. He advises clients to focus on training and refers them to resources such as the Open Web Application Security Project (OWASP) for details on the vulnerabilities and how to avoid and correct them (www.owasp.org). His firm, and other companies including SiegeWorks, offer secure coding classes.
Tools such as scanners that find flaws in web applications can also make a difference. Pentair, a Minnesota-based company with diversified operations that include water-treatment products, uses WebInspect from SPI Dynamics to identify potential issues in both the intranet and extranet websites that the company develops.
"It's been helpful to see vulnerabilities and take care of them before sites go live," he says. Pentair also uses the scanner to check the security of applications from partners and vendors – with permission from those parties.
Rohmeyer believes that web application vulnerability scanners, in general, are limited in scope. But Dan Cornell, partner at the Denim Group, which provides application development, argues that Kavado's ScanDo tool is "relentless" in searching out every possible way an application could be touched by a hostile outsider. In one case, when Denim was doing a security assessment for a bank portal application, Kavado found three obscure administrative pages that were vulnerable to SQL injection.
SPI Dynamics plans soon to release a tool specifically to help developers validate their input. Generally, though, the market for secure code tools and training is growing slowly, maintains Earl Perkins, analyst at Meta Group. "Companies don't see the pay off in that. They have issues related to speed to market," he says, adding that some are depending on web application firewalls to take care of security.
Web application firewalls sit between the web server and user and enforce policies on incoming requests to block attacks. "If I'm a corporation, I want to shut the bar door and make sure the new code I'm writing is better," says Stern. "But I also have hundreds of applications written over the past ten years, so I need something that will stop the bleeding and enforce some control."
Companies may decide to look to a firewall after weighing the time and cost involved in secure coding, he continues. "There's a sort of diminishing return on how much you can safe-guard your code."
Web application firewalls can be effective, but require a lot of maintenance, points out Bennett. And Perkins says the devices require a company to know how to set them up properly, process logs and allocate the right resources to their management.
"Choosing the right web application firewall isn't so much a technology choice, it's a matter of whether the organization is mature enough to know where and how it should be deployed and under what conditions," he asserts.
Overall, security remains a problem with web applications but "it's getting better," he says.
The trouble is – so are the hackers.