By Izhar Bar-Gad

Breaches in application security don’t usually get as much publicity as e-mail viruses such as SirCam or worms such as Code Red, but they can cause just as many problems, ranging from theft of merchandise and information to the complete shutdown of a Web site. Securing Web site applications is no easy task, but unfortunately, application hacking is very simple.

A hacker typically spends a few hours getting to know the Web application by thinking like a programmer and identifying the shortcuts he would have created, had he built the application. Then, using nothing more than the Web browser, the hacker attempts to interact with the application and its surrounding infrastructure in malicious ways, causing anywhere from minor to catastrophic damage.

To prevent these problems, a company must first find its Web site’s vulnerabilities and then close the windows of opportunities that hackers exploit. This list explains the most common Web site weaknesses that hackers typically exploit to conduct their attacks.

Finding the problems
As the CTO of Sanctum, I have helped companies to identify and fix application security problems. Sanctum addresses the enormous issue of application-level security for e-business companies by providing both security consulting services and long-term defense technology to complement network security and authentication tools. Our Web application security software secures and monitors Web application behavior to ensure the program is only doing what it is intended to do.

Audits performed by Sanctum on over 100 leading Web sites simulated hacker attacks and revealed that over 97 percent of the sites had major application-level problems that could be exploited in only a few hours. Sanctum performed the audits—often called “ethical hacks” because customers request and authorize Sanctum to hack their site—by accessing a customer’s Web site just as any other user (or hacker) would: through the browser, outside the company’s firewall and network.

Aided by Sanctum’s automated Web application vulnerability assessment tool, AppScan, the auditor crawls through the site, recognizing the site’s application security policies, identifying known and unknown vulnerabilities specific to the target site, and imitating a hacker to exploit the vulnerabilities and attack the site. The success of the attacks and the severity of each vulnerability are assessed and presented to the company with a detailed report of the findings along with recommended fixes.

Common weak spots
Almost all of the Sanctum audits found that while Web sites were heavily secured at the network level (i.e., firewalls and encryption), these sites still allowed hackers to access valuable customer and corporate information, shoplift sales items, and receive free products or services. Using the following top 10 hacking techniques, Sanctum auditors were able to exploit common vulnerabilities and commit numerous cybercrimes during the ethical hacks.

  1. Cookie poisoning—Identity theft
    By manipulating the information stored in a browser cookie, hackers assume the user’s identity and have access to that user’s information. Many Web applications use cookies to save information (user id, timestamp, etc.) on the client’s machine. Since cookies are not always cryptographically secure, a hacker can modify them, thus fooling the application into changing their values by “poisoning the cookie.” Malicious users can gain access to accounts that are not their own and perform activities on behalf of that user.
  2. Hidden-field manipulation—E-shoplifting
    Hackers can easily change hidden fields in a page’s source code to manipulate the price of an item. These fields are often used to save information about the client’s session, eliminating the need to maintain a complex database on the server side. Because e-commerce applications use hidden fields to store the prices of their merchandise, Sanctum auditors were able to view the sites’ source codes, find the hidden field, and alter the prices. In a real-world scenario, no one would have discovered the change and the company would have shipped the merchandise at the altered prices and may even have sent a rebate.
  3. Parameter tampering—Fraud
    This technique involves changing information in a site’s URL parameter. Because many applications fail to confirm the correctness of common gateway interface (CGI) parameters embedded inside a hyperlink, parameters can be easily altered to, for example, allow a credit card with a $500,000 limit, skip a site login screen, and give access to alternate orders and customer information.
  4. Buffer overflow—Closure of business
    By exploiting a flaw in a form to overload a server with excess information, hackers can often cause the server to crash and shut down the Web site.
  5. Cross-site scripting—Hijacking/Breach of Trust
    When hackers inject malicious code into a site, the false scripts are executed in a context that appears to have originated from the targeted site, giving attackers full access to the document retrieved and maybe even sending data contained in the page back to the attacker.
  6. Backdoor and debug options—Trespassing
    Often, programmers will leave in debug options to test the site before it goes live. Sometimes, in haste, they forget to close the holes, giving hackers free access to sensitive information.
  7. Forceful browsing—Breaking and entering
    By subverting the application flow, hackers access information and parts of the application that should normally be inaccessible, such as log files, administration facilities, and application source code.
  8. Stealth commanding—Concealing a weapon
    Hackers often conceal dangerous commands via a “Trojan horse,” with the intent to run malicious or unauthorized code that is damaging to the site.
  9. Third-party misconfiguration—Debilitating a site
    Since vulnerabilities are posted and patches made available on public Web sites (such as SecurityFocus), hackers are alerted to new vulnerabilities as they arise. For example, through a configuration error, a hacker could create a new database that renders the existing one unusable by the site.
  10. Known vulnerabilities—Taking control of the site
    Some technologies used in sites have inherent weaknesses that a persistent hacker can exploit. For example, Microsoft Active Server Page (ASP) technology can be exploited to gain the administrators’ passwords and take control of the entire site.
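
Items 1 and 2 both come down to the server trusting a value it handed to the browser. The following is an added example, not code from the article or from Sanctum's products: it seals a cookie or hidden-field value with an HMAC bound to the session and field name so the server can detect any change. The function names, the `value|tag` layout and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a single server-side secret that is never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, name: str, value: str) -> str:
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(
        len(p.encode()).to_bytes(4, "big") + p.encode()
        for p in (session_id, name, value)
    )
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def seal(session_id: str, name: str, value: str) -> str:
    """Return 'value|tag' for use as a cookie or hidden-field value."""
    return f"{value}|{_mac(session_id, name, value)}"


def unseal(session_id: str, name: str, sealed: str) -> Optional[str]:
    """Return the original value, or None if it was altered, stripped of
    its tag, or copied from another session or another field."""
    value, sep, tag = sealed.rpartition("|")
    if not sep:
        return None
    expected = _mac(session_id, name, value)
    # Constant-time comparison on bytes; tolerates non-ASCII input.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return value


if __name__ == "__main__":
    # Constructed sample values, not taken from any real site.
    field = seal("sess-A", "price", "499.00")
    tag = field.split("|")[1]
    print(unseal("sess-A", "price", field))            # 499.00
    print(unseal("sess-A", "price", "1.00|" + tag))    # None: price edited
    print(unseal("sess-B", "price", field))            # None: other session
```

Where the server can look the value up itself (a price from its own catalogue, an identity from its session store), doing so is simpler still; sealing is for state that really has to round-trip through the client.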

Have hackers hit your site with any of these attacks?

Part of the problem with Web site security is that no one wants to admit that their site has been compromised. Would you be willing to share your experiences, in exchange for confidentiality? Help other community members avoid these problems by sending us an e-mail.

Preventing these attacks
The continuous cycle of auditing applications and trying to keep up with the latest patches is a constant battle against hackers who are armed with automated tools to scout out the newest vulnerabilities. While virtually all sites today attempt to achieve application-level security manually and ultimately fail, new automated tools have recently become available that allow auditors, developers, and QA professionals to perform vulnerability assessments and ethical hacks that catch the vulnerabilities before the hackers do. Sanctum offers several of these products, including AppShield, which detects application manipulation through the browser, and AppScan, which automates the complex task of auditing Web applications. Sanctum also provides AppAudits for companies who want to identify the vulnerabilities of their Web sites.

Izhar Bar-Gad is the CTO of Sanctum. Before joining the Sanctum team, he was a project leader for Amdocs in Israel for both the infrastructure and advanced research groups. During his military service in the Israeli Defense Forces, Bar-Gad was part of a special Internet security defense unit and led the development of a large software project involving communications and information security.