Breaking websites without touching the application

Just as there is more than one way to skin a cat, there are many ways to break a web application. When I speak to developers and ask them whether they are producing a secure system, the answer usually mentions input validation, SQL injection and so on. Good stuff. But does that make the system secure?

A neat trick I used when web security was the main focus of my job was to trawl the Internet for information posted by developers working on the system I was interested in. Google Groups, for instance, can be a great place to look for postings by developers seeking help with a problem, and those postings often include code snippets (somewhere out there is a question I posted to a programming forum twelve years ago, still there for the world to see. Hopefully the application I was working on at the time isn’t!). Snippets of code give you real insight into how the system is being built, and clues as to how to break it.
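What a reviewer actually looks for in such snippets is easier to show than to describe. The script below is an added example, not code from the original post: it takes forum-style posts (constructed samples, not real forum content), pulls out the fenced code blocks, and flags the kinds of detail that help an attacker profiling a development team. The indicator regexes are illustrative heuristics of my own, not a complete list.

```python
"""Triage of publicly posted code snippets for information leaks.

Added example, not the original article's code.  Given forum-style posts
(constructed samples below), it extracts fenced code blocks and flags the
details an attacker profiling a development team would care about:
hard-coded credentials, connection strings, internal hostnames, private
addresses and leaked stack traces.  The regexes are illustrative heuristics.
"""
import re
from dataclasses import dataclass

# Indicators a reviewer looks for in a leaked snippet.  Each is a heuristic;
# tune them for the stack you actually use.
INDICATORS = {
    # password=..., api_key: "...", token = '...'  (quoted or bare value)
    "hardcoded_credential": re.compile(
        r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?[^'\";\s]{4,}"),
    # ADO.NET / ODBC style "Server=...;...;User Id=...;" strings
    "connection_string": re.compile(
        r"(?i)\b(server|data source|host)\s*=\s*[^;]+;.*\b(user id|uid|user)\s*=\s*[^;]+;"),
    # hostnames under typical internal-only suffixes
    "internal_hostname": re.compile(
        r"(?i)\b[a-z0-9-]+\.(internal|corp|local|intranet)\b"),
    # RFC 1918 addresses reveal internal network layout
    "private_ip": re.compile(
        r"\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"),
    # .NET / Java style stack frames expose namespaces and class names
    "stack_trace": re.compile(r"^\s+at [\w.$<>]+\(", re.M),
}

# Markdown-style fenced blocks; the opening fence may carry a language tag.
FENCE = re.compile(r"```[^\n]*\n(.*?)```", re.S)


@dataclass
class Finding:
    post_id: str
    kind: str
    match: str


def extract_code(post_text: str) -> list[str]:
    """Return fenced code blocks from a post; fall back to the whole post."""
    blocks = FENCE.findall(post_text)
    return blocks if blocks else [post_text]


def triage(posts: dict[str, str]) -> list[Finding]:
    """Run every indicator over every code block of every post."""
    findings = []
    for post_id, text in posts.items():
        for block in extract_code(text):
            for kind, pattern in INDICATORS.items():
                for m in pattern.finditer(block):
                    findings.append(Finding(post_id, kind, m.group(0).strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group the kinds of leak by post, in the order they were found."""
    out: dict[str, list[str]] = {}
    for f in findings:
        kinds = out.setdefault(f.post_id, [])
        if f.kind not in kinds:
            kinds.append(f.kind)
    return out


# Constructed sample posts (not real forum content).  q1 leaks a connection
# string with credentials and an internal hostname, q2 leaks an internal
# address and application structure via a stack trace, q3 leaks nothing.
SAMPLE_POSTS = {
    "q1": "Why does my connection time out?\n```csharp\n"
          "var cs = \"Server=db01.corp.example;Database=orders;"
          "User Id=app_rw;Password=Summer2011!;\";\n```",
    "q2": "Getting this on deploy, any ideas?\n```\n"
          "System.Net.Sockets.SocketException: connection to 10.0.3.17:5432 refused\n"
          "   at Orders.Web.CheckoutController.Submit(Int32 id)\n"
          "   at Orders.Web.Startup.Configure()\n```",
    "q3": "How do I sort a list?\n```python\nitems.sort(key=lambda x: x.name)\n```",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_POSTS):
        print(f"{f.post_id}: {f.kind}: {f.match}")
```

Run against the samples, q1 is flagged for a hard-coded credential, a connection string and an internal hostname, q2 for a private address and a stack trace, and q3 for nothing. The same indicators work just as well turned inward: run them over your own team's public posts before someone else does.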

These days, of course, developers have their own blogs and belong to various online communities. This is discussed in an article entitled “Tiger Team member attacks developers, not apps.” The article makes the point that with the right amount of reconnaissance, access can be gained to a web application without ever touching it. It quotes Chris Nickerson: “Instead of spending time going through the application first, I figure out who the developers are,” he says. “If they have Twitter accounts, MySpace pages, personal email accounts, and phone numbers… I start profiling them. I can guarantee I will find code faster than those who are directly touching the code.”

It’s an excellent article, and it highlights that website security is more than validating input so that the vulnerability scanner gives you a green light; in fact, it is more than writing secure code. You also need to consider the security of the code itself and treat it as an asset to be protected: a snippet pasted into a public forum can be read by an attacker as easily as by a colleague.