Given that corporate security is only as good as its weakest link, Web applications — arguably the weakest link — were the subject of a hacking workshop held in Toronto on Thursday.
Covering topics such as cross-site scripting and SQL injection, Matt Fisher, a security engineer with Atlanta-based SPI Dynamics, lead attendees through a hacker’s perspective of the soft underbelly of today’s corporate Web presence.
On almost every Web site “there will be cross site scripting and SQL injection (vulnerabilities),” Fisher said. “Guaranteed.”
The problem exists because the paradigm for data use has changed, he said. Just a few years ago corporate and customer data was stored on mainframes, far away from prying eyes. Today, that same data “is on the edge,” Fisher said. “Everything is going to the Web.”
While the Web is a good delivery method for data, it is a difficult medium to secure since many of the security holes need nothing more than a Web browser to exploit them, Fisher said.
Though vulnerabilities such as buffer overflow get a lot of media attention since they affect all the operating systems and applications that have them — if Windows 2000 has a vulnerability they all do — they are more difficult to exploit, Fisher added. In fact, of a room full of security people, only one person admitted to knowing how to craft one.
But Web applications, often created in-house and thus unique, can frequently be hacked by nothing more than right clicking on a Web page, pulling out some badly written source code in the form of HTML comments and placing them into the address bar. “Comment your source code but do it on the server side…not in the HTML tags,” he said.
This apparent no-brainer is more common than is often thought, Fisher said. Web applications are built for user acceptance and are stress tested against traffic loads, but infrequently have security built in at the development phase. “For the most part developers aren’t taught security,” he said.
Several attendees agreed. Developers’ understanding of the importance of security “is still shaky…but it is getting there,” said Tim Dafoe, a senior security designer with the provincial government. Though he and the other security people he works with are aware of techniques such as SQL injection — SQL queries that allow potentially harmful characters to be used — developers tend not to be. One of the reasons is the inherent gap between what developers know about security and what security people know about developing. “The gap is closing, though,” he said.
Mike Pill, who manages developers at a municipally run organization, agreed that developers are often unaware of the exploits used by hackers to break their Web creations. “It’s not taught in school,” he said.
The SQL injection technique — “by far the most lethal attack out there” — requires only one parameter to be hacked to compromise an entire Web site, Fisher said. Something as innocuous as a poorly coded page where a postal code is used to request driving directions from a database can generate enough information for a hacker to subsequently take over the entire site. And since the page in question contains no sensitive customer data, its security is often overlooked.
On the up side, as porous as Web applications tend to be, they are not difficult to harden if security is actually built in at the development phase, Fisher said. But the challenge facing many companies is, in fact, doing just this. Senior management is starting to understand the scope of the problem but “very slowly,” Pill said.
Even if Web applications are built with security as part of the process, the job is far from over.
“You can’t just assess (a Web site) once and forget it…you have to continually assess,” Fisher said. Unfortunately very few companies do this, he added. SPI Dynamics has a product, WebInspect, which automates the process of Web site security assessment.
In true security conference fashion, attendee’s name tags had titles but no corporate affiliation.
