Web 2.0 may be a blessing to many of us, especially in online business today, and over the years we’ve been seeing more and increasingly complicated and sophisticated services built around this technology pop up.  Xing, LinkedIn, Facebook, YouTube, RSS feeds and other web services have all become an everyday part of our lives. 

However, there is a dark side to Web 2.0.  Its greater complexity of tools and applications can be seen as a nightmare as you can imagine, a diverse group of software applications working together behind the scenes to bring us a whole slew of wonderful applications/services across the globe.   Many of these websites and web services are constantly under attack but not many people actually know this. 

How many of us would actually realize that websites are prone to coding imperfections and are therefore prone to hacker-exploitable vulnerabilities?

Asian eMarketing recently caught up with Anthony Lim, Rational software security director of IBM Asia Pacific, to find out why Web applications are coming under attack.  According to Lim, this can happen because the IT security solutions that we are familiar with (firewalls, IPS, access control, authentication, etc) deal with IP (network) traffic and hence typically do not stop web attacks, which are http traffic.  It’s because of this that hackers are having a field day as not is it only a new area for them to exploit but there are also little or practical defenses at the moment.

Lim also reiterates that at the moment, very few people are aware, understand or care about web attacks or coding vulnerabilities at all.  “It’s a cultural thing,” he explains.  “Half don’t know about it and the other half don’t care.  Why? 

Some of the popular web application exploits like parameter tampering and SQL injections can easily be prevented, and the method of preventing them is not proprietary to IBM or a secret practice.  The answer is simple, and called “input validation”.  This is a basic programming security practice which for some strange reason few people actually bother to include.

A most basic application vulnerability – “buffer overflow” - has been around for 25 years, yet its still happening rampantlhy.  Secure-coding need-awareness was created 20 years ago, but to date not a lot of people seem to care.

Elaborating, Lim adds that basic programming security techniques like “access control” and “input validation” can eliminate 80% of standard application attacks such as SQL injection.  “But again, most people don’t pay attention” he says.

Again the question is why?  Lim says that it’s mainly because many people don’t know or understand these threats and therefore don’t deal with them, or due to resource constraint pressures, don’t want to deal with them.  It’s like an ostrich sticking its head under the sand,” he notes.

He points to 2008’s Monster.com data leakage case.  “The first thing the IT Security folks would check upon the breach discovery typically is the firewall logs and they of course would find nothing wrong.  Then they’ll check the IPS logs and again nothing.  Then they’ll panic …

It turned out to be a web application attack that stole a hundred thousand or more CV’s – think about all that privacy and confidential data that got compromised …

Types of Web Application attacks
Two of the most common attacks are SQL injection and Cross-site scripting.  There are dozens more types of web app attacks.

In SQL injection, an attacker sends a database SQL command which is executed through and by a web application, exposing the back-end database.  SQL injection can occur when a web application utilizes user-supplied data without proper validation or encoding as part of a command or query.  The specially-crafted user data tricks the application into executing unintended commands or changing data.  It allows an attacker to create, read, update, alter or delete data stored in the back-end database.  In its most common form, SQL injection enables attackers to access sensitive information like financial or transactional data and personal information like cell phone numbers and credit card numbers.

Cross-site scripting allows code injection by malicious web users into the web pages viewed by other users.   An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.  Vulnerabilities of this kind have been exploited to craft powerful phishing attacks as well as browser exploits.  In 2007 alone, cross-site scripting on websites were roughly 80% of all documented security vulnerabilities.  During a cross site scripting attack everything may look fine to the end user, but in actuality they are being subject to identity theft, unauthorized access and so on.
Lim also mentions a new kind of Web-based Man-in-the-middle attacks .   This case was first published at the recent OWASP APAC 2009 Conference in Australia.

At the same conference, another presentation showed how Microsoft’s new Internet Explorer 8, which is cleverly designed to include a built-in anti-cross-scripting filter, can already still be bypassed.  “We’ve heard of zero-day attacks but now we’re looking at MINUS-day attacks!” he jokes.

Lim applauds Microsoft’s being both proactively defensive, and addresses a clear and present danger by including an anti-cross-site-scripting filter in IE8.   What the hack demonstrates though, is the threat web application attacks pose today.”

Web application attacks, like network attacks and worms, are just even worse over time, at least until people learn to write programs defensively, predicts Lim.   “Just recently there were two stories of Google vulnerabilities circulating.  All of which hopefully have been fixed already.  Also, there was a news report about the US FAA going down a few weeks ago and it looked like it was a web attack,” says Lim. 

“The firewall today is ubiquitous, so hackers know that the network/gateway is no longer the first place to try to hack.  They need to find a new entry point into your infrastructure and steal your database, and this new entry point your world-facing web application.”

He stresses that hackers attack web applications not for the sake of attacking them and it is also not the application they want but rather, they are trying to find a way into the user’s database server to of course, steal data. 

Another reason why web applications are under attack, says Lim, is because of their large footprint.  “Ten years ago, if you wanted to hack for example, say MediaBUZZ, you needed to do a lot of discovery to find an IP address of the correct server you want to hack into, because an IP address is just a bunch of numbers – eg. – is this your mail server? Printer? Router? Laptop? PDA? File server? …
A good deal of homework was needed therefore, in order to hack then.  Today however, it’s definitely much easier.  Forget IP addresses.  Try Mediabuzz.com.  Wrong?  Mediabuzz.com.sg?  Mediabuzz.net?  Still wrong?  Google Mediabuzz and you will get it   Once you get the organization’s home page, you’ve found your starting point of attack.

Social networks have a huge target on their backs.  Facebook for example was attacked no less than 3-4 times in the past year.  Lim shares that there are 2 reasons why Facebook is a target.  Firstly, many people unwittingly put personal and professional data on it.  “Facebook is trying to become like LinkedIn – and vice versa - and unfortunately, many people think so too.  This creates a gold mine, pardon the pun, for hackers to attack Facebook to mine the data,” he points out. 

Secondly, Facebook does not have a professional obligation to keep users’ data safe.  “They never asked us to put our personal information on it.  (LinkedIn is another story). Similarly, when you go to Starbucks and use their wireless for free, you cannot expect them to have a firewall to protect your data for you.  They are after all, already providing the wireless service for free.  It’s the same principle for Facebook,” Lim elaborates. “Bearing all this in mind, you can just imagine all the web application attacks they are coming under and the kind of protection they need.”

So why can’t more be done?  Again, it boils down to the lack of awareness of web application attacks.  The issue says Lim is this: Firstly, traditional security solutions like firewalls, anti-virus and so on are all infrastructure/network solution-focused.  Therefore, typically, IT security professionals are from the infrastructure network side.  They usually have no knowledge, experience or interest in application development.  On the other side of the ring, software application developers usually don’t know or don’t care about network infrastructure and security.  “So you can imagine the big gap in the middle and why the hacker has a field day,” notes Lim.

In many organizations these two departments – security and development - and these two don’t normally talk to each other.   “Again, you see the problem,” says Lim.

So how can you protect yourself from web application attacks?  Lim shares, “The best and most effective way to protect against web application attacks is to ensure you have an adequately (at worst, or defensively, at best) quality-assured application.  Quality assurance minimizes hacker-exploitable vulnerabilities in the application.  The application must therefore defend itself.”

A professionally developed, automated security testing and remediation tool, backed by worldwide, world-class, ongoing research and development is therefore needed to help you QA your application development and correct any security-associated mistakes. “You’d better QA your web application before the hacker does it for you!” he notes.

So just why are there vulnerabilities in web applications?  Lim says, ““Simply because people don’t write their programs properly.  But actually, this is not a fair statement because programmers cannot be expected to have perfect knowledge or perfect diligence.  Many people can write programs but few actually bear security in mind when doing so."

He elaborates that firstly, programmers don’t k now a lot about coding security.   Secondly, it is very tedious process, so many do not bother and thirdly, due to pressures of budget, resources and time, coupled with today’s multi-thousand-line applications, it becomes very easy to make mistakes.  “The priority is given to features and products with the best intentions of addressing security issues often remaining just that, intentions that never happen in the end.”

But it’s not all gloom and doom.  Legislators have already started to become interested in web application security with the PCI (Payment Card Industry) organization being the first to do so.  “It’s moving in the right direction,” observes Lim.  “Online trading merchants for example who fail web application security audits are not allowed to use credit card payments until they prove that they have fixed the problem.  I predict the next legislated standard will be Internet banking. 

The current economic downturn (like the last two) suggests increased use of online web services to conduct business, information transfer and communications, so we can expect not only an increased need for IT security, but nowadays – an increase in web hacking activity – and so it follows, an increase in web application security.

As a parting shot, Lim adds, “ I seriously hope Facebook and Linkedin are my customers.”

By Shanti Anne Morais