It used to be that an organization’s network-layer infrastructure was the target of most exploits and attacks. Due to the growing popularity of web and web services applications, however, organizations are faced with a whole new realm that requires protection. These complex, and often highly exposed, web-based solutions have become an essential part of any e-Business infrastructure. The importance of security for these solutions is obvious, but how can it be done effectively?
Buffer Overflow – This is an input validation attack that overflows a buffer with excessive data. If a buffer overflow attack is successful, a cracker can gain privileges on a system that are identical to those required to run the applications on that system. Two well-known examples of this type of attack are Code Red and Nimda.
SQL Injection – This is also an input validation attack, which sends SQL commands to a web application. These commands are then relayed to the application’s database. Once a cracker has established access to sensitive information in your database, the potential damage can be excessive.
Cross-Site Scripting – This is an attack where an end-user accidentally, and unknowingly, executes malicious code created by a cracker to gain elevated privileges to a secure web application. Successful cross-site scripting attacks often result in the identity theft of the end-user, and often the end-user is unaware of the theft for a long period of time.
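The SQL injection case above, as an added example that is not part of the original article: a lookup that splices user input into the SQL text, beside the hardened form that binds the value as a parameter. The in-memory SQLite table and the tampered input are constructed for the demonstration.

```python
import sqlite3
from typing import List

def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    return conn

def lookup_unsafe(conn: sqlite3.Connection, name: str) -> List[str]:
    # Vulnerable: the caller's input becomes part of the SQL statement, so the
    # database executes whatever the input turns the statement into.
    sql = f"SELECT secret FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    # Hardened: the value travels as a bound parameter and is never parsed
    # as SQL syntax, so quotes in the input have no special meaning.
    rows = conn.execute("SELECT secret FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"           # hostile value constructed for the demo
    print(lookup_unsafe(db, tampered))  # every secret in the table leaks
    print(lookup_safe(db, tampered))    # [] - there is no user by that name
```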
Protect the Infrastructure and Users
Total security requires protection of all aspects of an application’s infrastructure, including operating systems and databases as well as the application itself. Unfortunately, security requirements are often not comprehensively defined. For instance, some organizations implement one firewall and a few intrusion detection devices on their network and think they are safe. That is about as far from the truth as one can get. Each individual machine, every email, and any other piece of the application infrastructure needs to have some kind of security measure assigned to it. Also, one of the most important, yet most often overlooked, items is the human factor. An organization’s users must be educated to be security-aware each and every day. Users need to understand how important their knowledge is to the organization.
Deploy Web Application Firewalls
As previously stated, many organizations feel secure after implementing a few intrusion detection systems throughout their network. A network IDS solution is very limited in the protection it can offer, which is basically inspecting IP packets for proper configuration and validating that the headers contain the appropriate information. These devices are incapable of analyzing the HTML data payload, and it is this capability that is necessary to effectively defend web applications from being compromised. To properly secure a web-based application, an organization should implement what are known as web application firewalls, or web firewalls. Unlike IDS, which works at the network layer, web firewalls operate at the application layer. These firewalls have the ability to take apart the HTML data payload and inspect the actual HTML communication involving client requests and application responses. This protects the actual web application from falling victim to things like malicious scripts being embedded within the HTML code, something that a network-layer IDS or firewall has no prayer of detecting.
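As an added example (not code from the original article), here is the kind of application-layer inspection a web firewall performs and a packet-level IDS cannot: the request line and form body are parsed, each parameter value is URL-decoded, and the decoded text is matched against signatures. The rule set and the sample requests are constructed for the demonstration and are deliberately coarse.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Illustrative signatures applied to decoded parameter values. A production
# web firewall carries far more rules and tunes them per application.
RULES = {
    "html-script-tag": re.compile(r"<\s*script\b|javascript\s*:", re.I),
    "sql-tautology":   re.compile(r"'\s*or\s*'?[^']*'?\s*=", re.I),
    "sql-comment":     re.compile(r"--|/\*"),
}

def inspect_request(request_line: str, body: str = "") -> List[Tuple[str, str]]:
    """Return (parameter, rule) pairs for every suspicious value in a request.

    request_line is e.g. 'GET /search?q=shoes HTTP/1.1'; body is a
    form-encoded POST body. Values are decoded before matching, because
    the hostile text usually arrives percent-encoded on the wire, which
    is exactly why a header-only inspection never sees it."""
    method, target, _ = request_line.split(" ", 2)
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in params:
        for rule, pattern in RULES.items():
            if pattern.search(value):
                findings.append((name, rule))
    return findings

# Constructed sample traffic: one benign request and two carrying payloads.
SAMPLE_REQUESTS = [
    ("GET /search?q=running+shoes HTTP/1.1", ""),
    ("GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1", ""),
    ("POST /login HTTP/1.1", "user=admin%27+OR+%271%27%3D%271&pass=x"),
]

if __name__ == "__main__":
    for line, body in SAMPLE_REQUESTS:
        print(line, "->", inspect_request(line, body) or "clean")
```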
Protect the SSL
It is ironic that, considering its secure and protective intentions, the Secure Sockets Layer (SSL) has become a tool for crackers to avoid detection. SSL is the ubiquitous security mechanism for e-Commerce web sites, and its widespread use and acceptance only complicates the security issue even more. These days the most novice cracker has the ability to establish an SSL session with a web application, and this secure session provides the cracker a tunnel through which to launch attacks against the application. These attacks will not only go completely unnoticed, but since the traffic is also encrypted, the malicious SSL traffic will be forwarded by firewalls and IDS with no questions asked. Analyzing SSL traffic for security purposes is only possible if the data is decrypted, which means the SSL session must be terminated at a point where inspection can take place, such as the web firewall, before the traffic reaches the application.
Hide the Application’s Information
Many malicious attacks are customized to exploit known security vulnerabilities in operating systems and applications. An attacker’s life is made much easier if it is possible to gather information about an organization’s application infrastructure prior to launching the attack. This allows the attacker to target specific assets of the organization, which keeps the footprint of the attack as small as possible, thereby reducing the chances of the attack being detected.
There are steps that can be taken to minimize or “hide” a web application’s information. The more pieces of the puzzle that remain a mystery to the cracker the better:
- Remove as many server response headers as possible. This will make it more difficult to determine the type of web server being used.
- Encrypt as much information as possible, for example cookies and URLs.
- Remove HTML comments. I know, I know, this goes completely against what developers have always been told – to document as much as possible. However, many comments in application code can be dead giveaways about the application, and even worse, may contain sensitive information such as database connection details. Keep comments to a minimum within the HTML, and keep the details in a separate document.
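Two of the items above, dropping identifying response headers and removing HTML comments, as an added example that is not part of the original article. The header list, the sample response and the comment containing connection details are constructed for the demonstration; conditional comments (`<!--[if IE]>`) are preserved because browsers of that era rendered them, so stripping them would change the page.

```python
import re
from typing import Dict, Tuple

# Headers that identify the server or framework (assumed list for this example).
IDENTIFYING_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

# Ordinary HTML comments; the lookahead skips conditional comments, which
# start with "[if" and which browsers interpret rather than ignore.
HTML_COMMENT = re.compile(r"<!--(?!\[if)(?:(?!-->).)*-->", re.S)

def harden_response(headers: Dict[str, str], body: str) -> Tuple[Dict[str, str], str]:
    """Return a copy of the response with identifying headers dropped and
    developer comments removed from the HTML body. Header names are matched
    case-insensitively, as HTTP requires."""
    kept = {k: v for k, v in headers.items()
            if k.lower() not in IDENTIFYING_HEADERS}
    return kept, HTML_COMMENT.sub("", body)

# Constructed sample response: a server banner, a framework banner and a
# comment that leaks database connection details.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Server": "Apache/1.3.27 (Unix)",
    "X-Powered-By": "PHP/4.3.2",
}
SAMPLE_BODY = """<html><body>
<!-- TODO: move db to db1.internal, user=app pw=changeme -->
<h1>Welcome</h1>
<!--[if IE]><p>Best viewed in a modern browser.</p><![endif]-->
</body></html>"""

if __name__ == "__main__":
    headers, body = harden_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(headers)   # only Content-Type survives
    print(body)      # TODO comment gone, conditional comment kept
```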
These are just some of a number of things administrators, developers, and end-users can do to protect their organization’s data. E-Commerce applications and web services are becoming increasingly complex, and organizations are becoming so dependent on these technologies that a single failure within the infrastructure could spell disaster. It is essential for companies to remain informed of the latest threats and security solutions, and they should be willing to make the necessary investments to implement a comprehensive, multi-layered security solution.