Vulnerabilities in Web Applications
Source: Raymond Ankobia - Posted by Benjamin D. Thomas
[Download full feature PDF] - The Internet has made the world smaller. In routine use we tend to overlook that "www" really does mean "world wide web", making virtually instant global communication possible. It has altered the rules of marketing and retailing: an imaginative website can give a small company as much impact and exposure as its much larger competitors. In the electronics, books, travel and banking sectors, long-established retail chains are increasingly under pressure from e-retailers. All this, however, has come at a price: ever more inventive and potentially damaging cyber crime. This paper aims to raise awareness by discussing common vulnerabilities and mistakes in web application development. It also considers mitigating factors, strategies and corrective measures.

The Internet has become part and parcel of the corporate agenda, but does the risk of exposing information assets get sufficient management attention? Extending corporate portals for Business-to-Business (B2B) transactions and developing websites for Business-to-Customer (B2C) transactions have been largely successful. Yet the task of assessing the vulnerabilities of, and the threats to, corporate information assets is still avoided by many organisations. The desire to stay ahead of the competition while minimising cost by leveraging technology means the process is driven by pressure to achieve results. What suffers in the end is the application development cycle, which proceeds without security in mind. Section 1 of this paper introduces the world of e-business and sets the stage for further discussion. Section 2 looks at common vulnerabilities inherent in web application development. Section 3 considers countermeasures and strategies that will minimise, if not eradicate, some of those vulnerabilities. Sections 4 and 5 draw conclusions and look at current trends and future expectations.
The TCP/IP protocol stack, the underlying technology, is known for a lack of security at many of its layers. Most applications written for use on the Internet sit at the application layer, traditionally using HTTP on port 80 on most web servers. HTTP is stateless and provides no freshness mechanism for a session between a client and a server, so nothing in the protocol itself tells a server whether a request it receives is fresh or a replay of one captured earlier; many attackers take advantage of these inherent weaknesses. TCP/IP may be reliable in delivering Internet packets, but it guarantees neither confidentiality nor integrity and offers little in the way of identification. As emphasised in [1], Internet packets may traverse several hosts between source and destination addresses. During that journey they can be intercepted by third parties, who may copy, alter or substitute them before final delivery. Failure to detect and prevent attacks on web applications is potentially catastrophic. Attacks are loosely grouped into two types, passive and active. Passive attackers [6] engage in eavesdropping on, or monitoring of, transmissions. Active attacks involve some modification of the data stream or the creation of false data streams [6].
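Added example, not code from the paper: the missing freshness and integrity described above are normally supplied at the application layer. The Python below issues per-request authenticators that bind an identity, an issue time and a random nonce under an HMAC-SHA256 tag, and shows a verifier rejecting the three failures the paragraph describes: a captured token re-sent by a passive eavesdropper (replay), a token presented outside its time window (stale), and a token whose claims were rewritten in transit by an active attacker (bad MAC). The key, the five-minute window, the claim names and the `demo` scenario are assumptions of this example, not something the paper specifies.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Assumed server-side key for this example only; a deployment loads it from a secret store.
SERVER_KEY = b"example-key-do-not-use-in-production"
TOKEN_TTL = 300  # seconds a token is accepted after issue (assumed window)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: dict) -> bytes:
    # Canonical encoding so the MAC covers exactly one byte string per claim set.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_token(user: str, now: float, key: bytes = SERVER_KEY) -> str:
    """Bind identity, issue time and a one-time nonce under an HMAC-SHA256 tag."""
    claims = {"sub": user, "iat": int(now), "nonce": secrets.token_hex(8)}
    body = _encode_claims(claims)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(token: str, now: float, seen_nonces: set,
                 key: bytes = SERVER_KEY, ttl: int = TOKEN_TTL):
    """Return (accepted, reason, claims).

    Order matters: the MAC is checked before the body is parsed, so an
    attacker cannot steer the JSON parser with unauthenticated input.
    """
    try:
        body_s, tag_s = token.split(".")
        body, tag = _unb64(body_s), _unb64(tag_s)
    except (ValueError, binascii.Error):
        return False, "malformed", None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad-mac", None      # altered or forged in transit (active attack)
    claims = json.loads(body)
    age = now - claims["iat"]
    if age < 0 or age > ttl:
        return False, "stale", claims      # outside the freshness window
    if claims["nonce"] in seen_nonces:
        return False, "replay", claims     # captured and re-sent (passive attack)
    seen_nonces.add(claims["nonce"])
    return True, "ok", claims


def tamper(token: str, new_user: str) -> str:
    """Model an active attacker rewriting the identity claim but keeping the old tag."""
    body_s, tag_s = token.split(".")
    claims = json.loads(_unb64(body_s))
    claims["sub"] = new_user
    return _b64(_encode_claims(claims)) + "." + tag_s


def demo() -> dict:
    """Constructed scenario: one honest use, then replay, expiry and tampering."""
    t0 = 1_700_000_000.0  # fixed clock so the run is deterministic
    seen = set()
    tok = issue_token("alice", t0)
    first = verify_token(tok, t0 + 5, seen)[1]                                    # "ok"
    replayed = verify_token(tok, t0 + 10, seen)[1]                                # "replay"
    stale = verify_token(issue_token("alice", t0), t0 + TOKEN_TTL + 1, set())[1]  # "stale"
    forged = verify_token(tamper(tok, "admin"), t0 + 5, set())[1]                 # "bad-mac"
    return {"first": first, "replayed": replayed, "stale": stale, "forged": forged}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The MAC gives integrity and the nonce plus time window give freshness, which is exactly what the paragraph says TCP/IP and HTTP do not provide; neither gives confidentiality, so the token still has to travel over TLS to keep a passive eavesdropper from reading the claims. In a real service the set of seen nonces is pruned once entries are older than the window, so it stays bounded.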