Web application security - the rise of the worm!

In part two of our series on web application security, Patrick Gray explores worms and other threats.

There have been some interesting examples of hackers messing with Web applications. A surprisingly effective worm hit what is perhaps the most popular Web app in the world, MySpace, in 2005.

The so-called Sammy worm relied on weaknesses in both Internet browsers and MySpace's content checking systems. Malicious JavaScript content was uploaded to a MySpace profile which, if viewed, would compromise the security of the visitor's browser. The JavaScript would then be added to the visitor's profile, so anyone visiting that page would in turn be infected.

The Sammy worm infected a million pages in 24 hours. While most enterprises in Australia aren't writing applications as sophisticated as MySpace, the lesson remains the same: "Never trust user-supplied input. It's easier said than done, but... you can make it more challenging for the bad guys," says Jeremiah Grossman, the CTO and founder of WhiteHat Security. "The Website should be able to protect itself against a malicious user base."
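The defensive counterpart to Grossman's advice, added here as an illustration and not taken from the article or from MySpace's own code: profile text supplied by one user is escaped before it is rendered for every other visitor, so a browser displays it as text instead of parsing it as markup. The function names and the sample profile body are constructed for this example.

```javascript
// Added example (not from the article): echoing user-supplied profile text
// straight into a page versus escaping it on output. Function names are
// hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Replace every character that can open or close markup with its entity, so
// whatever a user uploaded is shown literally and never parsed as HTML.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern behind a stored cross-site scripting worm: content from one
// user is concatenated into markup that every visitor's browser will parse.
function renderProfileUnsafe(aboutMe) {
  return `<div class="about-me">${aboutMe}</div>`;
}

// Hardened form: the template is trusted, the user's text is escaped on output.
function renderProfileSafe(aboutMe) {
  return `<div class="about-me">${escapeHtml(aboutMe)}</div>`;
}

// Constructed sample profile body: plain text followed by a script tag.
const SAMPLE_ABOUT_ME = 'Hi from Sydney! <script>/* hostile code */</script>';

console.log(renderProfileUnsafe(SAMPLE_ABOUT_ME)); // script tag reaches the browser intact
console.log(renderProfileSafe(SAMPLE_ABOUT_ME));   // tag is displayed as literal text
```

Escaping everything is the right default for plain-text fields; where users are allowed a subset of HTML, an allowlist-based sanitizer is needed instead, which this example does not cover.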

In what many hackers -- on both the good and evil sides of the fence -- may refer to as the good old days, "exploring" corporate networks was a cinch. Networking software wasn't designed with security in mind, so finding buffer overflows and stupid coding mistakes in popular network daemons was as easy as ABC. Once you had an exploit for a standard service -- like Sendmail or Apache -- off you went. But messing with Web applications is different. You're dealing with custom code, not off-the-shelf software.

Over time, security boffins have worked hard finding bugs and vulnerabilities in the standard software we depend on and developed technologies that can scan source code for sloppy technique.

Alas, the same type of technologies simply can't be developed for Web application vulnerabilities -- too often the vulnerability lies in flawed business logic, not bad coding. "This is why Web security is so challenging. It's vulnerabilities like that we can't find through automated means. A scanner doesn't understand what that feature does or what it's supposed to do," says Grossman. "[The vulnerabilities] have a lot to do with business logic."
