Issue 53 - September 2007
In the past, security measures were often focused on the system level (which included networks, operating systems, web servers, and database servers). People may think their websites are safe from hackers if they have a "perfectly" secured system. This may be true if their websites provide only static information without accepting any input from users.
As you may know, most websites (or web servers) today provide dynamic contents, that is, the web applications run on these websites accept and process users' input, upon which web contents, consisting of both executable codes (script) and/or data, will be generated dynamically on-the-fly and sent to clients' web browsers for execution and/or display. And, most of the time, these executable codes work with backend database server to provide dynamic contents. Then what are some common web application security flaws under these kinds of environments?" Can a hacker use these security flaws to fool the web application on a web server to delete all the data of its database or implant some codes in the web server to infect the users' PCs or to trick the users at the client browsers to send in their bank accounts and passwords? We will try to answer these questions below. It is suffice to say here that even though one can perfectly secure his/her website at the system level yet if security loopholes exist at the web application level, it is still relatively easy for hackers to perform the forgoing damages.
The awareness of web application security is increasing as more and more security incidents have been reported at the web application level. Several technical initiatives, such as OWASP, OASIS, and WASC, have been formed to address the causes of insecure web applications and to establish an open standard for web application security.
Web Application Vulnerabilities
There are over 300 issues that affect the overall security of a web application. These 300+ issues are detailed in the OWASP Guide. But in short, the root cause that leads to web application security problems is poor web application design and programming approach. With the rapid change of the internet world, developers are usually urged to finish programming in a short period of time. Coding that handles security issues are often overlooked. Furthermore, the occurrences of programming errors may also increase with the growing demand on the functionalities of websites, to which a variety of new services are constantly sought to be added.
Knowing the vulnerabilities and their causes are important for developers and content managers to maintain secure websites. We will briefly discuss two of the top web application vulnerabilities here. Interested users may also refer to the OWASP website where the topic is discussed in great depth.
1. Cross-site scripting (XSS)
XSS can generally be divided into two categories: reflected and stored attacks. Reflected XSS is found on a page which reflect a user's input string directly back to the user. Take ASP as an example, such page usually contains a line of code like
<script>alert('XSS has been found');</script>
By inserting appropriate codes, hackers may do the followings:
Stored XSS is quite similar but users' inputs are stored in files or databases and at a later stage, they are extracted and used for generating web contents. Typical examples are blogs and forums, where a large number of users may view the input of other participants.
XSS attacks can be avoided by carefully validating and encoding users' input. Allowing only a strict pattern of input from users is an important key to secure web applications. Developers should also encode users' input in order to ensure any scriptable contents are converted to plain text when used for generating web contents. Encoding users’ input can be done by using standard controls of the corresponding language. Take VB.NET as an example, encoding can be done by the function HttpUtility.HtmlEncode. (Sample codes are shown below.)
2. SQL Injection
Another software vulnerability is called SQL injection. It is a method of attack which uses invalidated input data to exploit vulnerable codes of a web application to extract, modify, and/or damage the database that is connected with the web application.
Consider a login form of a website and its application behind is making use of users’ input to build a dynamic SQL statement without input validation. The web application will have a line of code looks like:
The above statement will work without problems for a normal user who input his/her username and password in the form. But what if a hacker input your username, say "paul_chan", to the username field and input a string like
0' or '1' = '1
to the password field?
The SQL statement above will become
Execution of this SQL statement will return the record of "paul_chan", allowing the hacker login to your account successfully without knowing your password. In certain circumstances, SQL Injection can even be used to take complete control of a system!
To prevent from SQL Injection attacks, the best practice is to make use of parameterized queries. Take VB.NET as an example again, the code should look like:
In this way, users’ input will not be used to construct the SQL command. Any string that a hacker input will be completely inserted as a parameter. An error would still be generated, but it would be a simple data-type conversion error, and not something that a hacker could exploit. Developers can even insert simple error exception checking statements to prevent error messages from displaying on the web.
The Solution: A Web Application Scanner
Three approaches are required for maintaining secure web applications: Web application scanner to find out embedded vulnerabilities, web application firewall to protect web security real-time and web application code scanner for developers to develop safe web applications. Below is a description of one of the approaches CityU has employed to improve web security.
Although good programming practices can greatly improve application security, it is still hard to guarantee that an application is completely free of software vulnerabilities. Furthermore, a large number of web-based applications and the software libraries they use were written years ago. It is difficult to ask the original developers to check and see if the codes are secure. If employing other programmers to do the job, they may need to trace all the codes from the beginning to end in order to search for security loopholes. The manpower involved is enormous. Besides, many of CityU’s departmental web applications were written by research assistants or even students. Most of them have already left CityU.
Fortunately, with the help of a scanning tool, we can easily check for software vulnerabilities within web applications, pin-point them and fix them. This is where web application scanners come into play.
A web application scanner is a kind of "hacker-in-a-box" which sends messages (or harmless attacks) to target websites and listens for responses. The scanner will then search for possible security vulnerabilities by analyzing the responses. A report will usually be generated to allow developers and system administrators to identify and fix the security vulnerabilities. A good application scanner can check web applications for all the known security problems, and thus further improve application security.
As always, there can never be a perfect web application scanner and prevention is better the cure, the web application thus must be designed and written with security-at-its-core in mind.
There are many scanning tools in the market, such as WebInspect from SPI Dynamics (recently acquired by Hewlett-Packard) and AppScan from Watchfire (recently acquired by IBM). In the past few months, the Computing Services Centre (CSC) had evaluated some of these scanning tools and tested them by performing security scanning on a few systems of our own. When the CSC has fully mastered the tools, we will provide the web application vulnerabilities scanning service to departments.