New Web apps mean new vulnerabilities; application assessment is the answer, writes Günther Ollmann
As Internet businesses have matured, a new category of application has emerged that allows companies to interact with clients online. But alongside the business benefits of these Web-based applications are a new set of security risks.
Although based on conventional technologies, such as database, mail or Web servers, e-business applications are often subject to design compromises imposed by the medium. Unless these compromises are carefully reviewed and analysed, they can expose avoidable security risks that may outweigh the threat from traditional hacking techniques.
To optimise the use of client-side Internet bandwidth and deal with high volumes of simultaneous connections and data requests, Web-based applications tend to be split over multiple servers and frequently rely on client-side code to deliver and present data. These tiered architectures, coupled with the use of scripting-type development languages and constant changes in authentication and certification procedures, often lead to security flaws.
Increasingly, attackers exploit these flaws to compromise sites and gain access to critical systems.
Attacks against companies offering public and private Internet-based services can be broken down into three categories: traditional hacking of the hosting network, social engineering techniques, and manipulation of vulnerabilities inherent in applications.
Direct attacks against custom Web applications through the manipulation of inherent vulnerabilities have become more popular because of the relative ease with which they can be committed and the scope they offer for maintaining anonymity.
Although companies can install various defence mechanisms to strengthen security - firewalls, intrusion detection systems, operating system hardening procedures - they seldom expend much effort in securing and verifying the integrity of applications and coded pages against external attacks. Simple manipulation of client code or data, such as the price of goods in an online shopping basket application, or the sending of corrupt or incorrect data to the server, can lead to fraudulent transactions or theft of confidential information.
The press has been quick to report on how faulty application processes and input manipulation have led directly to the loss of confidential data such as banking details and credit card numbers. However, in almost all cases, an understanding of manipulation techniques combined with rigorous client-side security testing would have identified the potential failure points and resulted in a more robust application.
Web-based applications can be vulnerable to a number of attack methodologies but four types stand out:
- Buffer overflow attack. This kind of attack is aimed at application components that take data as an input and pass it to memory buffers for later use and manipulation. Failure to adequately check the length of input data before passing it into a too-small buffer is common.
Attackers often embed their own instructions within an oversized data package in an attempt to overwrite memory adjoining the buffer, such as a saved return address, so that the program ends up executing those instructions. If successful, this can give attackers privileges on the host up to, and including, those of the system administrator.
In other circumstances, the buffer overflow may suspend or crash the application, or may bring down the host server and deny access to any services provided by the system.
- Race conditions. When an application requires access to specific files, variables or data, its programmers may not have handled concurrent access correctly or installed appropriate checks. A typical case is checking a file's permissions in one step and opening the file in a later step, leaving a window in which an attacker can substitute a different file. This can lead to an attacker enjoying unintended access to files or data through the trusted and untrusted components of the server application.
- Exploitation of application component privileges. Server-based application components run with specific group or user permissions, not necessarily with that of the user running them (such as an anonymous Web user). These application components, if they suffer additionally from buffer overflows or race conditions, can be used to increase access and escalate the potential damage to the system.
- Client-side manipulation. To speed up Internet connectivity and reduce performance loads at the server end, client-side validation of input and manipulation of data is often required. It can be a relatively trivial exercise to bypass this checking process and supply incorrect data or data formats to the server in an attempt to initiate any of the other three common attack formats, or to reveal confidential information and server application features.
This method also underpins a popular means of executing fraudulent e-business transactions by changing the prices of available products.
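The price-tampering attack described above, as an added example that is not part of the original article: a checkout handler that trusts a hidden `price` field from the form beside one that recomputes the total from the server's own catalogue. The catalogue, the form dictionaries and the handler names are constructed for illustration.

```python
"""Client-side manipulation of a shopping basket: added example, not the article's code.

CATALOGUE, the form dictionaries and the function names are constructed for
illustration of the technique; no real shop is modelled."""
from decimal import Decimal

# Constructed server-side catalogue: the only legitimate source of prices.
CATALOGUE = {
    "SKU-1001": {"name": "Widget", "price": Decimal("49.99")},
    "SKU-1002": {"name": "Gadget", "price": Decimal("199.00")},
}

MAX_QTY = 100


def checkout_vulnerable(form):
    """Trusts the client-supplied 'price' hidden field.

    A page that renders <input type="hidden" name="price" value="199.00"> and then
    multiplies whatever comes back performs no server-side check at all, so the
    attacker sets the price, and can also submit a negative quantity."""
    qty = int(form["qty"])
    price = Decimal(form["price"])  # attacker-controlled
    return {"sku": form["sku"], "total": price * qty}


def checkout_hardened(form):
    """Never reads a price from the client; recomputes it from the catalogue and bounds qty."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    # form["price"], if present, is deliberately ignored.
    return {"sku": sku, "total": CATALOGUE[sku]["price"] * qty}


# Constructed requests: the form as the browser sends it, a copy in which the hidden
# price field was edited (e.g. via an intercepting proxy), and a negative quantity.
HONEST_FORM = {"sku": "SKU-1002", "qty": "1", "price": "199.00"}
TAMPERED_FORM = {"sku": "SKU-1002", "qty": "1", "price": "0.01"}
NEGATIVE_QTY = {"sku": "SKU-1002", "qty": "-1", "price": "199.00"}


def demo():
    """Runs both handlers against the constructed requests and returns the outcomes."""
    results = {
        "vuln_tampered": str(checkout_vulnerable(TAMPERED_FORM)["total"]),
        "vuln_negative": str(checkout_vulnerable(NEGATIVE_QTY)["total"]),
        "hard_tampered": str(checkout_hardened(TAMPERED_FORM)["total"]),
    }
    try:
        checkout_hardened(NEGATIVE_QTY)
        results["hard_negative"] = "accepted"
    except ValueError as err:
        results["hard_negative"] = str(err)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same rule applies to any value the server reads back from the client: hidden fields, URL parameters and cookies are all editable, so anything that affects money or authorisation must be looked up or recomputed on the server, and client-side validation can only be a convenience for the user, never the check itself.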
Despite all of these eventualities, the process of assessing application security is not technically complex. However, it does rely on a multi-faceted approach with a variety of technologies and techniques.
There are shrink-wrapped solutions available to automatically assess an application's security but these tend to look for the most common faults. These are best used for first-round security testing and identification of flaws but, because each application development team employs its own methodology, a closer inspection is always advisable to ensure that all eventualities have been covered.
The application assessment process
- Visible code and data is checked for information that could be used in social engineering attacks or provide clues as to how an application functions
- The information that can be learned about the server-side environment is examined
- The application's "validation and bounds" are inspected and routines checked to ensure effective handling of unexpected data lengths and formats to guard against buffer overflows
- Client-side code and locally stored data, such as cookies and session information, is manipulated to discover whether authentication checking can be subverted and to establish the bounds of server reliance on client data fields
- Application-to-application interaction between system components, such as the Web service and back-end data sources, is examined. Attempts are made to reference system components by impersonating other system functions or sources. Redirection methods and messaging functions are closely examined
- Techniques that could be employed by attackers to escalate their permissions by referencing application components with higher server-side permissions, or exploitation of race conditions to identify lax permission or authentication checking, are identified
- Attempts are made to subvert in-transit data between the client and server system. Data delivery methods and the likelihood of their subversion or use in a replay-type attack, or other session-orientated attacks, including an analysis of system responses to such data, are examined
- The robustness and resilience of authentication methods to subversion techniques is examined. Attempts are made to bypass authentication processes and/or impersonate valid logged-in users. User segregation methods and server-side responses are analysed
- An overall examination of the application's deployment and security configuration from perceived threat models is carried out
- Assessment of secure deployment methodologies for the application based on market considerations, new vulnerability developments and attack methodologies.
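The cookie and session checks in the list above, as an added example that is not part of the original article: an assessor edits a stored cookie and replays it to see whether the server relies on a field the client controls. The unsigned cookie accepts the edited role; the HMAC-signed cookie detects it. The cookie layout, the key and the user names are constructed for illustration.

```python
"""Tampering with client-held session data: added example, not the article's code.

SERVER_KEY, the cookie layout and the names are constructed for illustration."""
import base64
import binascii
import hashlib
import hmac

# Constructed server-side secret; a real deployment keeps this out of source control.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def make_plain_cookie(user, role):
    """Unsigned cookie: the server cannot tell whether the client changed it."""
    return f"user={user};role={role}"


def read_plain_cookie(cookie):
    fields = dict(part.split("=", 1) for part in cookie.split(";"))
    return fields["user"], fields["role"]


def make_signed_cookie(user, role, key=SERVER_KEY):
    """Payload plus an HMAC-SHA256 tag, both base64url-encoded: 'payload.tag'."""
    payload = f"user={user};role={role}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def read_signed_cookie(cookie, key=SERVER_KEY):
    """Returns (user, role) only if the tag verifies; None for anything edited or malformed."""
    try:
        p_b64, t_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(p_b64)
        tag = base64.urlsafe_b64decode(t_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    fields = dict(part.split("=", 1) for part in payload.decode().split(";"))
    return fields["user"], fields["role"]


def tamper(cookie, old, new):
    """What the assessor does to the plain cookie: edit a field and replay it."""
    return cookie.replace(old, new)


def tamper_signed(cookie, old, new):
    """Same edit on the signed cookie: decode, change the field, keep the original tag."""
    p_b64, t_b64 = cookie.split(".", 1)
    payload = base64.urlsafe_b64decode(p_b64).decode().replace(old, new).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + t_b64


def assess():
    """Constructed assessment run: does the server accept an edited role field?"""
    plain = make_plain_cookie("alice", "customer")
    plain_role = read_plain_cookie(tamper(plain, "role=customer", "role=admin"))[1]

    signed = make_signed_cookie("alice", "customer")
    forged = tamper_signed(signed, "role=customer", "role=admin")
    return {
        "plain_accepts_admin": plain_role == "admin",
        "signed_accepts_forgery": read_signed_cookie(forged) is not None,
        "signed_accepts_genuine": read_signed_cookie(signed) == ("alice", "customer"),
    }


if __name__ == "__main__":
    for finding, value in assess().items():
        print(f"{finding}: {value}")
```

The signature proves only that the server issued the value; it does not hide it, and an intercepted signed cookie can still be replayed until it expires, so an expiry time belongs in the signed payload and confidential data belongs on the server rather than in the cookie at all. The same edit-and-replay check applies to hidden form fields and URL parameters.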
Application assessment or code review?
A code review involves a detailed examination of all the code associated with an application, both server and client, and is useful for identifying code sequences that may lead to a buffer overflow.
An application assessment is designed to test the resilience and security of a Web application from the client side, focusing on security functionality and implementation subject to the inherent inadequacies of the Internet delivery mechanism.
Code reviews tend to be expensive due to the time required to sift through the code and they are unlikely to identify as many security flaws as an application assessment.
Application assessment or pen test?
A pen (penetration) test is designed to identify inadequacies in the security configuration of physical devices and to probe for well-known vulnerabilities.
An application assessment is customised to the newly developed and unique environment. There is no overlap between the two security testing mechanisms and they are designed to complement one another.
A pen test is a vital process in the assessment of Web system security as it focuses on the infrastructure that constitutes the site. Pen tests are used to assess all externally visible system components (firewalls, routers and Web servers).
Security experts recommend that assessments of new Internet-facing infrastructure are conducted in three phases: an on-site assessment, an external pen test, and an application-specific assessment.
Günther Ollmann is principal consultant for security assessment services at Internet Security Systems.