The early days of the World Wide Web
The world wide web, or the internet, was started several years ago with a very simple purpose: to share information between individuals or organizations. The information being shared was generally not of a confidential nature and as such was open to public viewing. This of course led to the development of HTTP, the only protocol used for data exchange over the web, and of 'static' sites that just displayed the required information in a browser. When we say static site, we simply mean that the site looked and behaved the same way for every user viewing it, and did not provide any kind of interactivity.
The Modern Scenario
The landscape of the web, however, has dramatically changed over the past few years. Static sites have now been completely replaced by 'Web Applications'. A typical web application is a site that provides some kind of user interactivity and generates dynamic content tailored to suit the requirements of every user. Examples range from social networking sites where users upload all their personal information, to banking sites where users can carry out their financial transactions from a browser, to e-commerce sites where users can buy products, and the list goes on. The furious pace at which this kind of functionality on the web is growing has resulted in a golden opportunity for tech-savvy attackers to steal and compromise critical information easily, from the comfort of their own home.
What exactly went wrong, you might ask? Well, to start off, HTTP is still the main protocol used for web transactions, and it was never designed to provide any kind of secure mechanism for the web. Remember that it was originally designed to share information that was 'public safe'. In addition, from a technical perspective, HTTP traffic is allowed to pass through firewalls and other network defense mechanisms, thus allowing easy access to web servers.
Another critical reason that web applications give rise to security threats is that many of them are created by developers who unfortunately have very little understanding of the kinds of security threats their code can produce. Developers are mostly concerned with the functionality of their code and thus fail to take into account the vulnerabilities it has. To sum it all up, an attacker who compromises a web application may be able to steal personal information, carry out financial fraud and perform malicious actions against other users.
The advantages of Web Applications
It is important at this point to see why web applications have grown in prominence, and why they are so popular. It is a combination of technical factors and commercial interests that has seen web applications grow in such a dramatic way:
1. HTTP: While the protocol itself is insecure, it also provides certain advantages. HTTP is basically a connection-less protocol, meaning that a web server does not keep track of who accessed a particular site, so session management for every user visiting a site is eliminated. This saves a lot of network overhead. Apart from this, HTTP can be combined or tunneled with other protocols to provide additional security.
2. Every user now has access to a browser, either through a computer or a mobile device. A typical web application needs only to deploy its interface to a browser and does not need to be installed as a stand-alone application on a user's system. Changes required to the application can be made once on the server and are reflected in all browsers instantly.
3. Today's browsers further enhance this scenario by allowing rich and highly functional interfaces to be built and deployed.
4. The core technologies and languages used to develop web applications are simple, have a comparatively short learning curve, and many of them are available as open source software.
Web Application Security
Web applications have brought with them their own set of security vulnerabilities. The kinds of threats have evolved over time and have gone from simple defacement of web sites to major financial and commercial frauds. The most serious attacks against web applications are those that expose sensitive or critical data and those that provide free access to the back-end database systems the application uses. Apart from this, there are what we call 'Denial of Service' attacks that simply render a web application useless and unusable for its users. This particular attack can be used at various levels, ranging from disrupting services for a particular individual to gaining a competitive edge against others in the realm of financial trading, gambling and so on.
One particular technology we might be aware of is SSL. Many sites that accept credit card details, for example, advertise the use of this technology and say that their site is encrypted with a 128-bit SSL feature, ensuring that the details a user enters are safe. While this is true to some extent, we need to be aware of what is going on behind the scenes. This technology encrypts the traffic between a browser (client) and the web server, so when credit card details are sent over the net, the encryption ensures that the information is not visible to any attacker who might be trying to intercept the traffic. However, the data is not encrypted when it is stored on the client or on the server, and so these are the two places preferred by attackers to steal this data. Some common vulnerabilities that affect web applications are as follows:
1. Broken Authentication: This kind of vulnerability takes advantage of any weaknesses in the login mechanism of a web application. It enables an attacker to guess weak passwords or bypass the mechanism altogether.
2. Broken Access Controls: This involves scenarios where a particular web application fails to protect access to its data and functions. It enables a user to access highly sensitive data or carry out privileged actions.
3. SQL Injection: This vulnerability takes advantage of any existing weaknesses in the back-end database system of a web application. It enables an attacker to send custom input to the database in order to crash it, steal data from the database or carry out certain malicious commands on the database server.
4. Cross Site Scripting (XSS): This is probably the most common vulnerability found across various web applications, and is based on the fact that a user can enter any kind of text into the input boxes of a site. This vulnerability generally allows an attacker to execute scripts that give access to personal data, perform actions on a user's behalf and carry out other attacks.
5. Information Leakage: This usually happens when an application is unable to handle certain errors or states and spits out a server error in the browser window. The information presented in the error is enough for an attacker to guess the kind of technology being used by the application, and so leads to attacks being developed for that particular technology, based on its existing vulnerabilities.
6. Cross-site Request Forgery (CSRF): This vulnerability induces users of a particular web application to perform actions that they did not intend. Users could be redirected to a malicious web site while they think they are on the proper site, and end up performing malicious actions.
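To make items 3 and 4 of the list concrete, here is an added example (written for this article, not code from any real application) showing a user lookup and a greeting page in their vulnerable form beside the hardened form. The users table, its two rows and the probe input are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table standing in for a real back-end database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_vulnerable(conn, username):
    # User input is spliced straight into the SQL text, so the database cannot
    # tell the application's query apart from whatever the user typed.
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    # Parameterised query: the value is bound separately and is only ever
    # compared as a string, whatever characters it contains.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_vulnerable(username):
    # Echoing input into HTML unescaped lets submitted text be interpreted as markup.
    return "<p>Hello, %s</p>" % username


def render_hardened(username):
    # Escaping converts markup characters to HTML entities before output.
    return "<p>Hello, %s</p>" % html.escape(username, quote=True)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote character
    print(lookup_vulnerable(db, probe))   # the quote alters the query: every row comes back
    print(lookup_hardened(db, probe))     # treated as a literal username: no match, empty list
    print(render_vulnerable("<b>bob</b>"))
    print(render_hardened("<b>bob</b>"))
```

The same contrast applies whatever the database driver or template engine: the fix is to keep data and code separate (bound parameters, output encoding) rather than to filter input.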
To summarize, web applications today are an integral part of our lives. However, the security threats they have given birth to are significant and have serious implications. Despite the best efforts of dedicated security professionals and solid defense mechanisms, web application vulnerabilities do not seem to have diminished over the years and continue to evolve. Awareness of this scenario is the first step in educating oneself about the impending threats and perhaps being better prepared for any unwanted situations.