Q&A: Web application security

Robert Abela is a Technical Manager at Acunetix and in this interview he discusses Web application attack vectors, the impact of Cross-Site Scripting, future threats and offers advice on securing Web applications.

Based on your experience has the phenomenon known as Web 2.0 increased security awareness when it comes to web application security or have we seen just an influx of new attack vectors?
Although new attack vectors against web applications are frequently discovered, the same “old school” attack vectors are still the ones mostly used to hack new web 2.0 applications. Looking at the OWASP top 10 web vulnerabilities of 2004 and 2007, we noticed that some of the attack vectors listed in the 2004 list are listed again in the 2007 list and are more popular, such as cross-site scripting and injection flaws (e.g. SQL injection). In fact, this year SQL Injection was and still is one of the major attack vectors being used in defacing web applications.

As one could have also predicted, web 2.0 web applications brought along many more new functionalities and real-time interaction between the end users and the web application, and this increase in functionality automatically opened more opportunities from where malicious users can sneak in. That’s why lately we’ve seen an influx of web applications being hacked.

The end user, or web application visitor, also plays an important role in web application security. Although social network websites and other large enterprises are already trying their best to increase security awareness among their users, the internet user group is always increasing. Without generalizing, many of the new internet users are not security aware, especially if they do not work in the IT industry.

Many have probably heard the term Cross-Site Scripting (XSS). What is the real danger and the potential impact of XSS issues?
If a website is vulnerable to Cross-Site Scripting, a malicious user may inject specific code into the vulnerable application which is executed automatically once the victim accesses the page where the code is injected. When crafting the attack, the malicious user is able to modify the content of the page presented to the victim so the victim is unaware that dangerous and unwanted code is being executed, and the site looks legitimate.

Once the victim accesses the vulnerable page, he submits the details the web application asks him for, such as passwords, e-banking details or credit card number. Once these details are submitted by the victim, thanks to the cross-site scripting attack the malicious user is able to steal the victim’s cookie. Once the cookie is stolen, the malicious user can impersonate the victim easily, i.e. by being logged in to the vulnerable site. The malicious user can do anything the victim is usually allowed to do. So if the victim is the website administrator, the malicious user can gain administrative privileges on the web application, which means full control of the web application itself. Most of the time, once a malicious user has such access, he can work his way up to take control of the whole web server if other vulnerabilities are found in the web application.
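The two mechanics described in this answer, injected markup running in every visitor's browser and the session cookie being readable by that injected script, come down to two server-side decisions: whether untrusted input is encoded before it is placed into HTML, and whether the session cookie is flagged so script cannot read it. The following is an added example, not code from the interview or from Acunetix; the comment string, the template and the `sid` cookie name are constructed for illustration.

```javascript
// Added example (not from the interview): reflecting untrusted input into HTML
// with and without output encoding, plus a session cookie hardened with HttpOnly.

// Constructed sample: a comment a malicious user might submit to a vulnerable page.
const UNTRUSTED_COMMENT = 'Nice site! <script>alert(document.cookie)</script>';

// Vulnerable: concatenates untrusted text straight into the page. Every visitor
// who later loads this page runs the injected script, as the interview describes.
function renderCommentVulnerable(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Encode the five characters that change meaning in HTML text and attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same template, but the untrusted data is encoded before insertion,
// so the browser renders it as text rather than parsing it as markup.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Session cookie with HttpOnly, so injected script cannot read it through
// document.cookie even if an encoding mistake slips through elsewhere.
// Secure and SameSite narrow where the cookie is sent at all.
function sessionCookieHeader(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Demonstration-only check: does the rendered HTML still contain a raw <script>
// tag? A real review should use an HTML parser, not a regular expression.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable:', renderCommentVulnerable(UNTRUSTED_COMMENT));
console.log('safe:      ', renderCommentSafe(UNTRUSTED_COMMENT));
console.log('cookie:    ', sessionCookieHeader('constructed-session-id'));
```

Output encoding must match the context the data lands in (HTML text here; attribute values, URLs and JavaScript strings each need their own encoder), and `HttpOnly` limits the damage of the cookie-theft step without fixing the injection itself, so both controls belong together.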

What critical steps would you recommend for securing a Web application? What’s most often completely overlooked?
Rigorous testing, testing and testing of web applications before they are exposed to the public is a must, and in many cases it is the most overlooked task. Even if a web application will be accessed solely by the company’s employees and is not going to be exposed on the internet to the general public, it must be secure. We’ve seen numerous cases where companies suffered attacks which were launched from an internal source. It is also important to note that if a public server or web application from a corporate network is compromised, and the internal web applications are not secured properly, you’re simply making it easier for a hacker to penetrate deeper into the network. Therefore proper testing and securing of web applications is always a must.

From previous attacks we’ve also learnt that if proper input validation and error handling are implemented, you’re already saving yourself from sleepless nights. When developing our Acunetix File Upload Forms check, we’ve noticed that there are still a good number of well-known web applications out there that do not have proper input validation, or even worse, no input validation at all for file upload forms.

Unfortunately many companies look at web application testing as if it is an extra cost. One should note, though, that if testing of web applications is done properly, it might save the company from loss of money, bad reputation and even business closure. Companies also take for granted the fact that the web developers themselves will test the web application they are developing. If web developers are not trained to develop secure web applications, which unfortunately seems to be the case most of the time, their testing of the web application will only involve functionality testing, since they are not aware of what a malicious user can be up to. Surely, using web vulnerability scanners such as Acunetix WVS will help you in securing web applications, by automating most of the work for you, but the developers still need to keep up to date with what’s happening in web application security to be able to develop web applications with security in mind. Companies should always invest in training their web developers, and in tools that allow them and testers to test web applications rigorously.

As the Internet user-base is growing, so is the number of those interested in getting into the Web application security field. What advice would you give them? What resources should they use?
Many web security specialists have been endlessly arguing about which is the best solution for securing web applications. I personally think that there are different solutions for every different scenario, but there are also some fundamental qualities one should have when securing web applications.

1. Keep up to date with web security news. Read about what is happening on the internet and try to learn as much as possible from previous attacks.

2. In depth understanding of the web application being tested.

3. Proper understanding of the web technology being utilized for building the web application being tested.

4. Tools are there to be used and save you valuable time. Use them!

5. Although automated scans do most of the work for you, these should always be accompanied by manual penetration tests where needed; therefore one should always have an above-average understanding of web security.

Where do you see the current Web application security threats 5 years from now? What kind of evolution do you expect?
It is quite difficult to make such predictions, though from what we can see there might be an increase in large scale targeted attacks, like what happened in the Heartland and Hannaford data breach cases. Also, looking back at what happened between 2003 and 2007, most probably the same attack vectors will still be used, unless a particularly new and innovative attack vector is discovered. While web technology is always evolving, and security awareness amongst web developers and users is on the increase, so is the hacker’s repertoire of capabilities and tools. Unless the problem is tackled at source, which means investing in training all the people involved in such projects and in proper testing of web applications, web hacking can never be completely eliminated.