Hyperguarding your Web Applications

Posts Tagged ‘software development’

Burglars, Rush Hour and Web Application Firewalls

Posted by hyperguard on October 1, 2009

Who would have thought a carpool service web site could be the stuff of pulp novels and Hollywood capers? After reading about the early September plight of RideMatch.info in the New York Times, you might not see the connection since ‘Agent Smith’ reported technically about this run-of-the-mill SQL injection attack on the popular Southern California commuter website. Dig into the details and you will assuredly start to crave popcorn and your favorite soda!

The opening shot would pan stage-left to settle on a robed gentleman at his PC. Steaming cup of java in hand, our subject clicks his mouse on SEND to whisk his phone number, address, commute time, work location, employee ID number and name to RideMatch’s member database to find a suitable carpool. Satisfied, our man walks slowly off camera.

Camera fades to black as the narrator sets the stage for drama to come, “little did Joe know his life was about to crash into those of a cat burglar, overworked web application developer and an eager hacker.”

Because a hacker had exploited a coding flaw in RideMatch’s site – the infamous SQL injection – a hacker was able to see every user’s data, pinpointing who was home when, employment information and social security numbers (a.k.a. employee ID numbers), whose value was only in the sale of this information to others. While the burglary didn’t actually happen, it isn’t much of a stretch to see that it very well could have. Would a web application firewall (WAF) have prevented this and saved RideMatch from certain liability? If configured correctly, yes.

How prevalent is this issue? Very. Here are just a few of the interesting public cases.

On August 17, 2009, the United States Justice Department charged an American citizen Albert Gonzalez and two unnamed Russians with the theft of 130 million credit card numbers using an SQL injection attack. In reportedly “the biggest case of identity theft in American history”, the man stole cards from a number of corporate victims after researching their payment processing systems. Among the companies hit were credit card processor Heartland Payment Systems, convenience store chain 7-Eleven, and supermarket chain Hannaford Brothers.

In 2008, at least April through August, a sweep of attacks began exploiting the SQL injection vulnerabilities of Microsoft’s IIS web server and SQL Server database server. The attack doesn’t require guessing the name of a table or column, and corrupts all text columns in all tables in a single request. [21] A HTML string that references a malware JavaScript file is appended to each value. When that database value is later displayed to a website visitor, the script attempts several approaches at gaining control over a visitor’s system. The number of exploited web pages is estimated at 500,000

On April 13, 2008, Sexual and Violent Offender Registry of Oklahoma shuts down site for ‘routine maintenance’ after being informed that 10,597 social security numbers from sex offenders had been downloaded by SQL injection


Posted in Post | Tagged: , , | 1 Comment »

The XaaS Landscape: Where’s Security Being Discussed?

Posted by hyperguard on September 28, 2009

The ‘as-a-service’ – or XaaS – opinion and future-casting has officially taken off. Thinking Out Cloud gives a good overview (although we have a slightly different view of the conclusion). Risk Bloggers shared a few worthy thoughts on making sure you end up with a stable XaaS (referred to as cloud) provider.

Security is the giant reality check to the hype curve here. It’s being discussed in terms of web application development from the ground-up, combined with policy changes. See Jon Oltsik’s commentary. Vendors are having their say, such as GigaSpace. Amazon of course is leading the discussion. The busy folks at Rackspace are in full tilt on the issue (as you’d expect).

So what’s missing? Only that the before mentioned musings all focus on security as a starting point before launching XaaS’s. All well and good, however, what about the raft of applications that have been pushed out of the network and live as XaaS’s right now? Are they left ‘to the wild’ as it were?

Companies can’t take the time, effort and risk of taking applications offline to refactor (or re-architect from scratch). One approach is to hook a source code scanner into your distributed Web application firewall (dWAF) to create a virtual patch until the developers can get their hands on the code and fix it. Art of Defence’s thoughts on dWAF use here.

Starting security from scratch for XaaS’s is the right thing to do, yet there are ways to shore up existing applications right now.

Posted in Post | Tagged: , , , | Leave a Comment »

Why is Cross-site Scripting Still a Problem?

Posted by hyperguard on September 24, 2009

We had some great feedback from developers in LinkedIn about this issue. Some thoughts worth sharing below.

Brian Hidgen chimed in with his thoughts:

“I perform security code reviews of internally written and commercial packages every day. It is stunning how many problems I see. Why does XSS still happen? For one, time pressure. Developers are under time constraints to deliver so they cut corners and push things out. Management for the most part does not take security seriously or they adopt a see no evil mindset and ignore the problem until they get bitten down the road. Lack of understanding is a big one too. I have been a developer for a long time and I was not trained or even sensitized to the issue until relatively recently. I know a lot of my colleagues past and present are in the same boat. We aren’t doing Cobol on a mainframe either, we are all Java/.Net/Ajax/Web 2.0 developers. The problem simply isn’t well understood and not enough attention is paid to it.”

Milton Smith shared a little more with us:

“The problem with XSS, and cyber security in general, is awareness. People don’t see security as a problem until it impacts them. Next, highly secure software is a consumer EXPECTATION. It’s not generally a feature consumers are willing to pay extra to include in their products.

Building secure solutions takes: education, training, tools, process improvements, etc. As such, it’s all too easy for commercial software vendors to bargain away the features consumers cannot see, like security. Other areas of non-functional requirements suffer as well: performance, scalability, reliability, and diagnostics.

The causes for XSS are well known. Poor cyber security is like showering in a glass bathroom blissfully unaware everyone is watching.”

Posted in Post | Tagged: , , , | Leave a Comment »