The good, the bad, and mine is better

Web Application Security

More than 60% of the total attack attempts seen on the Internet are against web applications. These attacks are performed widely to convert trusted web sites into malicious websites that display content containing client-side exploits. Despite the enormous number of attacks and the warnings about them, most web site owners do not check for the common vulnerabilities and unknowingly put the visitors of their sites at risk.

The SANS (SysAdmin, Audit, Network, Security) Institute, a cooperative research and education organization, lists Web Applications as one of their top 20 Internet Security threats/risks. The top four most exploited web application risks, as stated by SANS, are SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and PHP Remote File Include. These account for more than 80% of the web application vulnerabilities being exploited. PHP Remote File Include allows attackers to run code on the web server that the application developer never intended, including code that is not even hosted on that server. Cross-Site Scripting (XSS) enables an attacker to inject script into a webpage that will then be viewed, and executed, by users of the site. With SQL injection, attackers are able to run SQL or operating-system-level commands that are not part of the application.

Organizations and individuals have developed a great variety of tools for testing and validating web applications. Many of these tools check a web application for security threats by attempting to exploit vulnerabilities, injecting malicious scripts, code or other inputs, and then generating detailed logs of the vulnerabilities so the developer or owner can fix the problems. One such tool is IBM Rational AppScan. It is also important not to overlook even the smallest vulnerabilities, as they can provide gateways to other exploits. Another useful tool is Snort. It monitors for the alerts generated by an attack, so that the attack can be turned away before it causes any damage. If you cannot defend, detect. Beyond using the tools suggested, the best way to defend a web application from malicious attacks is to take precautionary measures during the development stage: running frequent scans, testing for vulnerabilities, and validating all inputs and outputs. When programming for valid inputs, use the whitelist approach rather than the blacklist approach; that is, allow only known-valid inputs instead of trying to enumerate all the bad ones. Also, never give away too much information in error messages, as attackers can use that information against the web application.

This site was made using a CSS.

Am I supposed to say that...?

Created by Colton Fink