LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: August 25th, 2014
Linux Advisory Watch: August 15th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Vulnerabilities in Web Applications Print E-mail
User Rating:      How can I rate this item?
Source: Raymond Ankobia - Posted by Benjamin D. Thomas   
Features The Internet has made the world smaller. In our routine usage we tend to overlook that "www" really does mean "world wide web" making virtually instant global communication possible. It has altered the rules of marketing and retailing. An imaginative website can give the small company as much impact and exposure as its much larger competitors. In the electronics, books, travel and banking sectors long established retail chains are increasingly under pressure from e-retailers. All this, however, has come at a price – ever more inventive and potentially damaging cyber crime. This paper aims to raise awareness by discussing common vulnerabilities and mistakes in web application development. It also considers mitigating factors, strategies and corrective measures.

The Internet has become part and parcel of the corporate agenda. But does the risk of exposing information assets get sufficient management attention? Extension of corporate portals for Business-to Business (B2B) or developments of websites for Business-to-Customer (B2C) transactions have been largely successful. But the task of risk assessing vulnerabilities and the threats to corporate information assets is still avoided by many organisations. The desire to stay ahead of the competition while minimising cost by leveraging technology means the process is driven by pressure to achieve results. What suffers in the end is the application development cycle; - this is achieved without security in mind. Section 1 of this paper introduces the world of e-business and sets the stage for further discussions. Section 2 looks at common vulnerabilities inherent in web application development. Section 3 considers countermeasures and strategies that will minimise, if not eradicate. some of the vulnerabilities. Sections 4 and 5 draw conclusions and look at current trends and future expectations.

The TCP/IP protocol stack, the underlying technology is known for lack of security on many of its layers. Most applications written for use on the Internet use the application layer, traditionally using HTTP on port 80 on most web servers. The HTTP protocol is stateless and does not provide freshness mechanisms for a session between a client and server; hence, many hackers take advantage of these inherent weaknesses. TCP/IP may be reliable in providing delivery of Internet packets, but it does not provide any guarantee of confidentiality, integrity and little identification. As emphasised in [1], Internet packets may traverse several hosts between source and destination addresses. During its journey it can be intercepted by third parties, who may copy, alter or substitute them before final delivery. Failure to detect and prevent attacks in web applications is potentially catastrophic. Attacks are loosely grouped into two types, passive and active. Passive attackers [6] engage in eavesdropping on, or monitoring of, transmissions. Active attacks involve some modification of the data stream or creation of false data streams [6].

[Download full feature PDF]

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.