Web Application Security–The Next Evolution

The Future of Web Applications: Web Services
Today’s global Internet environment is a muddled mix of different operating systems, technologies, and protocols, all of which are widely dispersed throughout the world. This mixture creates significant barriers for applications that need to communicate with each other. Web services technology was created to lower these barriers: it uses XML-based message formats that allow one application to invoke calls on another. Using SOAP (Simple Object Access Protocol), Web services applications have more flexibility to communicate with one another, which increases the speed and functionality of communication transactions.

Although Web services have the potential to be very powerful for both application developers and users, they also can be a nightmare for security officers and system administrators. Additional security measures need to be in place because the Web services format was designed to bypass existing security measures, to be platform-independent, and to support any application call structure. In the rush to deploy and use Web services technology, companies face the real danger of exposing their systems to costly attacks.

The flexibility found in SOAP and other technologies makes communication among applications easy, but it also allows hackers to intercept and manipulate messages more easily. SOAP messages typically are transparent to firewalls, which helps them move more quickly through the network, but this negates an important element of perimeter protection and could expose unforeseen threats.

Applications continue to become more functional and flexible, which increases their value to business operations, but it also exposes many potential security problems. Progressive companies that look to take advantage of these emerging technologies may gain a significant competitive advantage, but they must be sure to address the accompanying security issues to avoid costly breaches of their information systems.

The Application Layer Security Threat
According to a recent report by Gartner, over 70 percent of Web attacks occur at the application layer. In addition, the FBI estimates that Web application attacks caused more than $300 million in damages in 2000. Hackers no longer need in-depth technical knowledge to gain access to the network or operating system. They simply use browser-based applications as an entry point to corporate information systems.

Operating Systems
Operating systems, like all software products, contain bugs, no matter how mature or well tested they are. Even if patches are applied immediately, local configurations and administrator mistakes may mean they don’t solve the problem correctly and that vulnerabilities persist undetected.

Web Servers and Application Development Tools
As with operating systems, Web servers and surrounding development tools have known vulnerabilities and patches that are well publicized. While an operating system is a single entity whose complexity can lead to configuration mistakes, in the case of Web servers and development tools, a single page can be composed of many components. Each page is therefore exposed to multiple security threats because of flaws in the multiple products used.

Network Protocols
The standard Web protocol, IP, was not designed to be secure, and neither were its companion protocols, TCP, UDP, ARP, etc. Anyone who can send packets to the network can target a system for attack. Often such attacks place Trojan horse programs on a system or exploit operating system vulnerabilities to disrupt services.

Application Protocols
HTTP also was not designed to be secure or to handle today’s multiplicity of content control and presentation tools, such as HTML, Flash, JScript, and VBScript. Originally designed for hypertext transfer that required non-persistent sessions, this protocol is now being used by business-critical applications that require it to support persistent sessions as part of a true client/server architecture. The solution to keeping session information alive is the use of cookies, which also were not designed to be secure.

Applications
Contemporary development methodologies do not include security as a deliverable, measurable component of a project. Moreover, most encourage the utilization of existing “proven” modules from other developers, without care for the security implications or previous use of these modules. Often, protocols and industry standard recommendations are sacrificed on the altar of functionality.

How a System Is Attacked Through an Application
To fully utilize an application, a user must be granted operating system, network, and database privileges. The application will not function without them, but these privileges normally are hidden from the user by the application interface.

Once Web site applications begin interfacing with a browser, hackers can begin to feel the system out, trying known techniques to determine how the application responds. Once the hacker has successfully bypassed the firewall and IDS, which see his activity as “legitimate”, he can carry out a number of relatively easy application-layer attacks.

IT Infrastructure Vulnerabilities and Misconfigurations
Exploiting IT infrastructure vulnerabilities is probably the easiest way to attack an application. Thousands of known vulnerabilities exist in the basic components commonly used to set up integrated Internet environments. Attackers, keeping themselves up to date with such announced vulnerabilities, often find taking advantage of them extremely easy.

For example, in environments where Apache and PHP 3 serve the Web interface, a hacker can view confidential information in the application by sending the following HTTP request:

GET http://target/index.php3.%5c../ ..%5cconf/httpd.conf

In environments where the Web server uses IIS 4.0, a hacker browsing the application can retrieve the physical location of the Web servers by sending the following HTTP request:

GET http://target/me.idq
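Both requests above succeed because the server resolves the requested path before it has finished decoding it. As an added defensive illustration (not code from the article or from Apache, PHP or IIS), the following shows how a file-serving component can canonicalize a request path first, so that encoded backslashes, double encoding and `..` segments are fully resolved and then checked against the document root before anything is read. The document root `/var/www/htdocs`, the function names and the sample paths are assumptions made for the example.

```python
"""Canonicalize a requested URL path before deciding whether it may be served.

Added example, not code from the article. Assumptions: DOC_ROOT is the
server's document root (a constructed value) and request paths arrive
percent-encoded exactly as they appeared on the wire.
"""
import os
from typing import Optional
from urllib.parse import unquote

DOC_ROOT = "/var/www/htdocs"  # assumed document root for the example


def canonicalize(raw_path: str) -> str:
    """Percent-decode until the result is stable, then fold '\\' into '/'.

    Repeated decoding defeats double encoding (%255c -> %5c -> '\\'); the loop
    is bounded so a pathological input cannot keep it spinning.
    """
    decoded = raw_path
    for _ in range(4):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")


def resolve_under_root(raw_path: str, doc_root: str = DOC_ROOT) -> Optional[str]:
    """Return the filesystem path to serve, or None if the request escapes doc_root."""
    decoded = canonicalize(raw_path)
    if "\x00" in decoded:          # an embedded NUL truncates C-string file APIs
        return None
    root = os.path.realpath(doc_root)
    # Join only after decoding, let realpath collapse every '..' and symlink,
    # and then verify that the result is still inside the root.
    target = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if target != root and not target.startswith(root + os.sep):
        return None
    return target


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, two that try to climb out.
    for path in ("/index.html", "/docs/..%5c..%5cconf/httpd.conf", "/index.html%00.png"):
        print(path, "->", resolve_under_root(path))
```

The order of operations is the whole point: decode, join, resolve, then compare. Comparing before decoding is what lets `%5c` slip past a check that only looks for `../`.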

Third-party and Customized Software Vulnerabilities
Creating and maintaining a well-secured HTTP-based application is a tedious task that requires constant quality assurance and security analysis. Even if such procedures are implemented, human error or lack of specialized knowledge still might leave numerous programming errors that attackers can exploit.

Service providers often implement third-party software and customize it to their specific needs. As a result, they are exposed to both errors made by their software vendor and to “holes” created during the customization process.

For example, in any system where standard Internet development methods are used, any user can manually change hidden parameters in HTML documents and then submit the modified values to the remote server using a simple text editor or a Web browser source viewer. If the backend system does not validate input, the changes made will be accepted and updated on the server.

Executing the following URL would change the book price parameter from the original price:

http://target/book.cgi?price=$1.30

In any system where remote users can send HTTP requests, a remote attacker can use any Web browser to cause a shutdown by sending an HTTP message large enough to overflow the remote Web server input buffer.
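The price manipulation above, and the hidden-field and cookie manipulation items listed under "Other Common Threats" below, share one fix on the server side: nothing the client sends is treated as authoritative. The following added example (not the article's code) re-reads the price from a server-side catalog and ignores any client-supplied price, and it attaches an HMAC tag to state that must round-trip through a hidden field or cookie so that tampering is detected on return. The catalog, SKUs, secret key, form field names and function names are all constructed for the example.

```python
"""Server-side handling of client-supplied form data.

Added example, not code from the article. Assumptions: SECRET_KEY lives only
on the server; CATALOG stands in for the real price source; the form is a
dict of string values as a web framework would hand them over.
"""
import hashlib
import hmac
import json
from decimal import Decimal
from typing import Optional

SECRET_KEY = b"constructed-demo-key-rotate-in-production"   # assumed server secret

# Constructed catalog: the only place a price may come from.
CATALOG = {"book-101": Decimal("29.95"), "book-205": Decimal("12.00")}


def sign_hidden_fields(fields: dict) -> str:
    """Serialize state destined for a hidden field or cookie and append an HMAC tag."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def verify_hidden_fields(blob: str) -> Optional[dict]:
    """Return the state only if its tag still matches; any edit yields None."""
    body, sep, tag = blob.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return json.loads(body)


def checkout(form: dict) -> Optional[dict]:
    """Accept an order using the catalog for price and the signed blob for state."""
    state = verify_hidden_fields(form.get("state", ""))
    if state is None:
        return None
    sku = form.get("sku")
    try:
        qty = int(form.get("qty", "0"))
    except ValueError:
        return None
    if sku not in CATALOG or qty < 1 or qty > 100:
        return None
    # A client-supplied 'price' field is never read, so editing it has no effect.
    total = CATALOG[sku] * qty
    return {"cart_id": state["cart_id"], "sku": sku, "qty": qty, "total": str(total)}


if __name__ == "__main__":
    blob = sign_hidden_fields({"cart_id": "c1"})          # constructed cart
    print(checkout({"state": blob, "sku": "book-101", "qty": "2", "price": "1.30"}))
    print(checkout({"state": blob.replace("c1", "c2"), "sku": "book-101", "qty": "2"}))
```

Signing makes client-held state tamper-evident, not secret: anyone can read the JSON body, so nothing confidential belongs in it. Encrypting as well as signing is a separate decision.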

Database Manipulation and Vulnerabilities
The database is the heart of most systems and typically the most attractive target for attack. While the database itself is usually secured, it is also open to the application using it. Because in most cases applications need to perform both read and write operations, the application is usually authorized to interact freely with the database.

In a simple system, this problem can be addressed by carefully defining access rights, but it is almost impossible to resolve in complex systems. The multitude of interfaces and maintenance applications accessing the same database make designing a fail-safe system basically unfeasible.

For example, in environments where Web applications have access to a database, intruders can identify database fields by looking at the URL parameter names. Using any Web browser, intruders can modify these parameter values and use standard SQL commands to delete, modify, or retrieve unauthorized database records.
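The manipulation described above works when a URL parameter is spliced directly into the SQL text. As an added example (not code from the article), the following contrasts that pattern with a parameterized query, and shows an allow-list for the one case parameters cannot cover, a column name taken from the URL. The in-memory SQLite table, the rows and the function names are constructed for the example.

```python
"""String-built SQL beside its parameterized form.

Added example, not code from the article. Assumption: the application's
read path receives 'owner' and 'sort_by' straight from URL parameters.
"""
import sqlite3
from typing import List

SORTABLE_COLUMNS = {"id", "title", "owner"}   # allow-list for identifiers


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory table to run the queries against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO books (title, owner) VALUES (?, ?)",
        [("Alpha", "alice"), ("Beta", "bob"), ("Gamma", "alice")],
    )
    conn.commit()
    return conn


def titles_unsafe(conn: sqlite3.Connection, owner: str) -> List[str]:
    """VULNERABLE: the URL value becomes part of the SQL text itself."""
    sql = f"SELECT title FROM books WHERE owner = '{owner}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def titles_safe(conn: sqlite3.Connection, owner: str) -> List[str]:
    """Parameter binding: the value is data and can never change the statement."""
    sql = "SELECT title FROM books WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


def titles_sorted(conn: sqlite3.Connection, sort_by: str) -> List[str]:
    """Identifiers cannot be bound, so a column name from the URL is allow-listed."""
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return [row[0] for row in conn.execute(f"SELECT title FROM books ORDER BY {sort_by}")]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"                     # constructed tampered parameter value
    print("unsafe:", titles_unsafe(db, probe))  # returns every owner's rows
    print("safe:  ", titles_safe(db, probe))    # returns nothing: no such owner
```

Binding parameters addresses the query text; it does not shrink what the application account may do. The article's point that the application is usually authorized to interact freely with the database still applies, so the read path should also run under an account limited to SELECT where the database supports it.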

Other Common Threats

  • Data encoding: using different data encoding standards such as Unicode UTF-8 and UTF-16 to send requests
  • Protocol piggyback: modifying the application protocol structure
  • Hidden fields manipulation: modifying state information stored inside hidden fields
  • Parameter tampering: modifying parameters in the HTML document and submitting the modified values to the remote server
  • Cookie poisoning: changing the cookie’s content
  • Stealth commanding: planting Trojan horses in text fields that cause the Web application to perform commands for which it is not intended
  • Backdoor and debug options: exploiting vulnerabilities left open in internally developed code

Countermeasures to Application-level Threats
In addition to the standard security devices, such as firewalls and IDSs, any organization with a Web presence must consider the following steps to secure their Web applications and back-end infrastructure from potentially devastating attacks:

  • Increase Client and Server Security
    All servers and connected client workstations should be able to withstand at least the most common types of attacks. All systems need to be configured correctly and the configuration must be reviewed regularly, servers must be physically protected, and the software must be patched to contain as few publicly known vulnerabilities as possible.
  • Partition the Network
    Dividing the network into several smaller security domains increases network security. All traffic between domains should be strictly controlled and potential problems logged. This immediately puts a limit on the maximum amount of damage an attacker can cause and makes it easier both to detect and deal with intrusions.
  • Strongly Authenticate Users
    A company must be able to provide the right information to the right person at the right time in a scalable, manageable, and cost-effective manner. This can be achieved only by forcing users to identify themselves at the point of entry, then managing their visit through privileges.
  • Implement a Virus Protection Strategy
    Recently, blended threats that combine worm attacks with viruses and application exploits have caught many IT security systems off guard, and they likely will only increase in frequency. Therefore, implementing a strategy that not only protects against the delivery of viruses through email but also scans the IT environment and corrects any problems found is important.
  • Scan Your Web Applications Regularly
    The vast majority of existing vulnerability assessment products do not cover application-level security threats. Web application vulnerability scanners are specifically designed to provide organizations with the ability to extend their vulnerability assessment to the critical application layer. Prior to releasing a new or updated Web-based system, the application should be scanned to ensure that poor application design or development doesn't cause any security holes. This provides a standard by which to measure all applications when they are brought online, before they potentially expose the system to attacks.

    On a regular basis (typically once per month) the application should be re-scanned to check for the impact of new potential vulnerabilities and ensure that patches and updates have been properly installed to maintain an acceptable level of security at the application environment.

  • Web Application Protection
    With the volume of infrastructure patches issued, the regularity of updates to applications and the increasing complexity of application components, maintaining a secure Web application through programming and system administration alone is nearly impossible.

    The best way to secure the application environment is with Web application security products that are designed to monitor and secure traffic before it can reach the critical back-end infrastructure. By validating messages to ensure they are well formed and legitimate, these products prevent hackers from manipulating the application to cause damage or steal information. As Web application attacks have become by far the most common and typically most damaging threats, this level of protection is now a critical element of comprehensive enterprise security.