Tip

Finding and blocking Web application server attack vectors

Malicious malware has been a problem as far back as any of us can remember. As seen with the latest Storm Trojan, this trend does not seem to be slowing down. Yet the malware problem could

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

soon be dwarfed by the growing wave of attackers stealing mountains of confidential information by exploiting vulnerable Web application servers.

Listen to this Threat Monitor tip

Download Peter Giannoulis' Web application server advice to your PC or favorite MP3 player.
Why are Web application servers targets for attack? They are publicly accessible and tie into back-end database servers, which store a gold mine of information for criminals. How are attackers' cracking into back-end database servers using front-end Web applications? Here are a few of the most popular methods.

SQL injection
SQL injection attacks are becoming a popular vector for stealing confidential information on the Internet. An SQL injection involves an attacker inputting a SQL query in a search field of a Web form. If the query is accepted by the Web application, it's passed to the back-end database where it's executed, if read/write access is granted from the Web application to the database server. This could result in two scenarios; the attacker viewing the contents of the database, or deleting the contents of the database. Neither instance is good.

Contrary to popular belief, SQL injection attacks do not require advanced knowledge. In essence, these attacks can be performed by anybody with a basic understanding of SQL and a list of queries that are available on the Internet.

For more information

Ensure that your personal information is being protected while using a Secure SSL connection.

For more information about Web server security, visit SearchSecurity.com's Web server security resource center.

In SearchSecurity.com's Intrusion Defense School, learn about your organization's vulnerability to viruses, attacks and other threats.
Blind SQL injection
Blind SQL injection is another method of launching attacks, but with a slightly different approach. When performing a standard SQL injection, an attacker inserts a SQL query into a Web application, hoping it will cause the server to return an error message. These error messages can grant the attacker the necessary knowledge needed to perform a more precise attack. Database administrators have been led to believe that sanitizing error messages would correct the underlying issue that caused SQL injection. What administrators have failed to realize is that although this conceals the error message, the vulnerability still exists. It's a tad tougher for the attacker, but instead of using error messages to gather information, the attacker flies blind and sends crafted SQL queries to the server, hoping to gain access to the database.

Cross-site scripting
Cross-site scripting, otherwise known as XSS or CSS, is a technique used by malicious hackers to compromise vulnerabilities in a Web application that serves dynamic Web pages. Many of today's Web sites are serving up dynamic pages that consist of information from multiple sources built "on-the-fly" for the user. If the webmaster is not careful, malicious content can be injected into the Web page to gather confidential material or simply execute on users' systems.

Countermeasures
There are many countermeasures for thwarting Web application server attacks. Awareness is definitely among the most important. Many organizations are focusing on the preventative measures that need to be applied without trying to learn how these attacks are performed. Not understanding how Web application server attacks work makes countermeasures ineffective, and simply tossing firewalls and intrusion prevention systems at the problem won't help. For instance, if your Web application server is not filtering user input, you can easily be subjected to the types of attacks mentioned above.

Another key to staying ahead of attackers is to conduct a thorough audit of your Web applications on a regular basis. Johannes Ullrich wrote a great article on how to audit your Web application over lunch using some simple techniques and Firefox plug-ins.

About the author
Peter Giannoulis, GSEC, GCIH, GCIA, GCFA, CISSP, is an information security consultant for Access 2 Networks, a Toronto, Ontario based security consulting firm. He also serves as a technical director for GIAC.

This was first published in June 2007

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.