Tuesday, February 14, 2012

Ethical Hacking Techniques to Audit and Secure Web-enabled Applications

As public and private organizations migrate more of their critical functions to the Internet,
criminals have more opportunity and incentive to gain access to sensitive information through the
Web application. Gartner Group estimates that 75 percent of Web site hacks that occur today
happen at the application level, and this number is expected to increase. Hackers target the Web
application because it provides the most direct path to the most valuable business assets, such as
employee and customer data (health records, credit card numbers) and corporate proprietary
information. Most Web sites are heavily secured at the network level with firewalls and
encryption, but those controls do not inspect application logic: an attacker who manipulates the
Web application itself can still reach deep into the enterprise through it.
Attackers break into the Web application by thinking like a programmer: identifying how the
application is intended to work and spotting the shortcuts taken when it was built. The attacker
then interacts with the application and its surrounding infrastructure in malicious ways, using
nothing more than a web browser or one of a large number of automated tools such as CGI
scanners and HTTP proxies.
Understanding the techniques hackers use to manipulate Web applications to steal credit card
data, falsify financial transactions or access proprietary information is the first step in learning
how to secure the Web application. This article explains why the Web application is so
vulnerable to attack, discusses three of the most common Web application hacking techniques,
and details how to protect against these attacks and safeguard your mission-critical information.
What is a Web Application?
The first important question is “What is a Web application?” Although most people have an
intuitive notion of what comprises a Web-enabled application, rarely do we think about its scope
and complexity. Web applications are typically multi-layered entities that include code and data
residing in many places within the enterprise (see Figure 1) that can be accessed directly or
indirectly from the Internet. Some parts of the application are typically developed in house and
are unique to the enterprise, while others are purchased from an external vendor (e.g. web servers,
databases, etc.) and are common to many enterprises. A vulnerability in any one of the layers of
the Web application can lead to a security breach of the whole application.
Sanctum Inc. 2002
http://www.SanctumInc.com
Three Common Web Application Vulnerabilities and How to Fix Them
Sanctum’s auditors have performed over 300 audits and proofs of concept over the last 3 years
and have found that 97% of the assessed sites had substantial vulnerabilities. While the most
effective way to assess Web applications is with an automated assessment tool, the three
common vulnerabilities explained below can be identified and mitigated manually.
Most examples will be presented in PHP for simplicity, but they apply equally to the other languages
used for the front end, such as Java and Perl, and for the back end, such as C, C++ and even COBOL.
1. Hidden Field Manipulation — Hidden fields are embedded within HTML forms to
maintain values that will be sent back to the server.
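The following is an added example, not code from the Sanctum paper (which uses PHP); it is written in Python so it runs stand-alone. It renders an order form whose price sits in a hidden field, then shows three server-side handlers for the posted body: the classic bug that trusts the hidden price, a fix that re-derives the price from a server-side catalogue, and a fix that lets the value round-trip but verifies an HMAC over it before use. The catalogue, the secret key and the request bodies are all constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed server-side catalogue (prices in cents). The vulnerable handler
# copies the price into a hidden field and trusts it back; the fixed handlers
# look it up here or verify a signature over it.
CATALOG = {"sku-100": 4999, "sku-200": 12000}

# Assumption: a per-deployment secret that never appears in the HTML.
SECRET = b"server-side-secret-rotate-me"


def sign_field(value: str) -> str:
    """HMAC-SHA256 over a hidden field's value, keyed with the server secret."""
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()


def render_order_form(sku: str) -> str:
    """Emit the kind of form the text describes: the price lives in a hidden field.

    The extra price_sig field is what the signed variant below checks; the
    price field itself is exactly what a browser (or a proxy) can edit.
    """
    price = str(CATALOG[sku])
    return (
        '<form method="POST" action="/order">\n'
        f'  <input type="hidden" name="sku" value="{sku}">\n'
        f'  <input type="hidden" name="price" value="{price}">\n'
        f'  <input type="hidden" name="price_sig" value="{sign_field(price)}">\n'
        '  <input type="text" name="qty" value="1">\n'
        '  <input type="submit" value="Buy">\n'
        "</form>"
    )


def _fields(body: str) -> dict:
    # parse_qs returns lists; collapse to the first value like most frameworks.
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_total(body: str) -> int:
    """The classic bug: the server believes the 'price' the client sent back."""
    f = _fields(body)
    return int(f["price"]) * int(f["qty"])


def hardened_total(body: str) -> int:
    """Fix 1: treat the hidden field as untrusted input and re-derive the value."""
    f = _fields(body)
    sku, qty = f.get("sku"), f.get("qty", "")
    if sku not in CATALOG or not qty.isdigit() or not 1 <= int(qty) <= 100:
        raise ValueError("rejected: unknown sku or bad quantity")
    return CATALOG[sku] * int(qty)


def signed_total(body: str) -> int:
    """Fix 2: when a value must round-trip, verify its HMAC before using it."""
    f = _fields(body)
    price, sig, qty = f.get("price", ""), f.get("price_sig", ""), f.get("qty", "")
    if not hmac.compare_digest(sign_field(price), sig):
        raise ValueError("rejected: hidden field was modified")
    if not qty.isdigit() or not 1 <= int(qty) <= 100:
        raise ValueError("rejected: bad quantity")
    return int(price) * int(qty)


def is_rejected(handler, body: str) -> bool:
    """True if the handler refuses the request body with ValueError."""
    try:
        handler(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request bodies: what the browser sends untouched, and what an
    # attacker sends after changing the hidden price to 1 cent in a proxy.
    honest = "sku=sku-100&price=4999&price_sig=" + sign_field("4999") + "&qty=2"
    tampered = "sku=sku-100&price=1&price_sig=" + sign_field("4999") + "&qty=2"
    print(render_order_form("sku-100"))
    print("vulnerable handler, tampered body:", vulnerable_total(tampered))
    print("hardened handler, tampered body:  ", hardened_total(tampered))
    print("signed handler rejects tampering: ", is_rejected(signed_total, tampered))
    print("signed handler, honest body:      ", signed_total(honest))
```

The first fix is the one to prefer: if the server can compute a value itself, there is no reason to send it to the client at all. The signature approach is for values that genuinely must travel with the form (a selected option, a workflow step), and it only detects modification; it does not prevent the client from replaying an old but validly signed value, so tie such values to the session or add an expiry if replay matters.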



Continue reading: http://www.dl4hacks.net/Thread-Ethical-Hacking-Techniques-to-Audit-and-Secure-Web-enabled-Applications
