Web Application Security

Web Application Security

Posted in Technopedia, Application Security

Web application security is a branch of Information Security that deals specifically with security of websites and web applications.

At a high level, Web application security draws on the principles of Application Security but applies them specifically to Internet and Web systems. Typically web applications are developed using programming languages such as PHP, J2EE, Java, ASP.NET, C#, VB.NET or Classic ASP.

Security Threats

With the emergence of Web 2.0, increased information sharing through Social Networking and increasing business adoption of the Web as a means of doing business and delivering service, websites are often attacked directly. Hackers either seek to compromise the corporate network or the end-users accessing the website by subjecting them to Drive-by downloading.

As a result, industry is paying increased attention to the security of the web applications themselves in addition to the security of the underlying computer network and operating systems.

The majority of web application attacks occur through Cross Site Scripting and SQL Injection attacks which typically result from flawed coding, and failure to sanitize input to and output from the web application. These are ranked in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors.

Web Application Security Standards

OWASP is the emerging standards body for Web application security. In particular they have published the OWASP Top 10 which describes in detail the major threats against web applications. The Web Application Security Consortium (WASC) has created the Web Hacking Incident Database and also produced open source best practice documents on Web application security.

Web Application Security Technology

While security is fundamentally based on people and processes, there are a number of technical solutions to consider when designing, building and testing secure web applications. At a high level, these solutions include:

• Black Box testing tools such as web application scanners, vulnerability scanners and penetration testing software
• White Box testing tools such as static source code analyzers
• Fuzzing Tools used for input testing
• Web Application Firewalls(WAF) used to provide firewall-type protection at the web application layer
• Password cracking tools for testing password strength and implementation

---

The web-based application security assessment process

The process of assessing the security of a web-based application, although not technically complex, often relies upon a multi-facetted approach utilising a variety of technologies and techniques. Unfortunately, there is currently no quick shrink-wrapped solution available to automatically and comprehensively assess an application's security. Various vendors can supply testing products that will search for the most basic faults in non-complex applications/environments and provide advice on better coding practices. Based upon experience in assessing critical Web-enabled applications, automated tools should only be used for first-round security testing and preliminary identification of potential flaws.

Depending on your specific requirements and the type of web-based application, an application security assessment should typically consist of the following phases:

• Examination of external/client-side visible code for information that could be used for social engineering purposes or for information on how an application functions that might be used for a more focused attack.
• Discovery of information on the type of environment that exists at the server side (eg, embedded SQL queries specific to a single database version).
• Inspection of application validation and bounds checking both for accidental and mischievous input. The purpose of this exercise is to ascertain the limits of correct server responses when handling unexpected data formats or sizes. This phase involves buffer overflow attempts to establish system resilience and performance continuity.
• Manipulation of client-side code and locally stored information such as cookies and session information. Client-side code is altered to subvert authentication checking and used to establish the bounds of server reliance on client data fields. URL request information and GET/PUT requests are altered to achieve unexpected system responses and access confidential information.
• Examination of application-to-application interaction between system components such as the Web service and back-end data sources. Attempts are made to reference system components by impersonating other system functions or sources. Redirection methods and messaging functions are closely examined.
• Discovery of techniques that could be employed by attackers to escalate their permissions by referencing application components with higher server-side permissions, or exploitation of race conditions to identify lax permission or authentication checking.
• Attempts to subvert in-transit data between the client and server system. Examination of data delivery methods and the likelihood of their subversion or use in a replay-type attack, or other session orientated attacks, including an analysis of system responses to such data.
• Authentication methods in use are examined for their robustness and resilience to various subversion techniques. Attempts are made to bypass authentication processes and/or impersonate valid logged-in users. Detailed studies of user segregation methods are undertaken and an analysis of server-side responses to failed attempts is made.
• Overall examination of the application's deployment and security configuration from perceived threat models. Advice is given on secure deployment methodologies for the application type, based upon market considerations, new vulnerability developments and attack methodologies.