Web applications are a potent target for attackers because our lives and businesses revolve around the Web. The interconnectedness of sites and applications is both a blessing and a bane. At the same time that there is a multitude of information available to us, there’s also a multitude of information about us available to criminals. Exploited Web applications can also be used to gain unauthorized access to end-user devices such as computers and smartphones. Attacks on Web sites frequently leverage visitors’ trust in those sites to plant malware on visitors’ devices.
In many ways, the application layer is the hardest to defend. The vulnerabilities and exploits found on the application layer can be complex and hard to test for proactively. Plus, the application layer is the most accessible. Security is typically built as a fortress to hold information inside, but Web applications by definition require access to and from the outside world. Network security teams can’t simply lock down ports and inspect traffic like they can on the corporate network.
The best defense against attacks on Web applications is—surprise!—to develop secure applications. Application security is a growing field. Web application security (and application security in general) used to take a back seat in the development and acceptance process, but no longer. Most Web development shops have integrated security testing into their acceptance process. Developers are now expected to have security classes under their belts.
The Open Web Application Security Project (OWASP) Foundation is an international non-profit open community dedicated to helping organizations improve application security by providing free tools and research documents. OWASP focuses on web applications and makes some really good open source test tools which I’ll write about in another posting.
OWASP produces a report every few years called The OWASP Top Ten that describes the most critical web application security flaws. The most recent report, Top Ten 2013, details vulnerabilities such as:
- Injection: When untrusted data is sent to an interpreter as part of a command or query that tricks the interpreter into executing unintended commands or allowing unauthorized data access.
- Cross Site Scripting: When an application takes untrusted data and sends it to a web browser without proper validation, allowing the attacker to execute scripts in the victim’s browser.
- Using Components With Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, typically run with full privileges. This means that if a vulnerable component is exploited, the attacker now has full privileges and the results can be severe. Web applications built on top of components with known vulnerabilities expose themselves to attack.
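Two of the three flaws listed above, Injection and Cross Site Scripting, come down to the same mistake: untrusted data is mixed into a command or a document so that the interpreter (SQL engine or browser) cannot tell data from code. The following is an added example, not code from the original post or from OWASP; it builds an in-memory SQLite table with constructed sample rows and shows each vulnerable function beside its hardened counterpart, using only the Python standard library.

```python
"""Added example (not from the original post or OWASP): the Injection and
Cross Site Scripting flaws from the OWASP Top Ten, each shown as a
vulnerable function beside its fixed form. All data is constructed inline."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


# --- Injection ---------------------------------------------------------------
def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Untrusted input is spliced into the query text, so the SQL engine
    # cannot distinguish the value from the command around it.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the value is bound separately from the command
    # and is never parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- Cross Site Scripting ----------------------------------------------------
def greet_vulnerable(name: str) -> str:
    # Untrusted input is placed into HTML without encoding; a browser will
    # treat any markup it contains as part of the page.
    return f"<p>Hello, {name}!</p>"


def greet_safe(name: str) -> str:
    # Output encoding for an HTML text-node context: markup characters are
    # rendered literally instead of being interpreted.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def demo() -> dict:
    """Run both the vulnerable and the safe variants on the same inputs."""
    conn = make_db()
    honest = "bob"
    # Constructed input that closes the string literal and widens the filter.
    tampered = "x' OR '1'='1"
    markup = "<script>alert(1)</script>"
    return {
        "vuln_honest": find_user_vulnerable(conn, honest),
        "vuln_tampered": find_user_vulnerable(conn, tampered),   # every row leaks
        "safe_honest": find_user_safe(conn, honest),
        "safe_tampered": find_user_safe(conn, tampered),         # no such user
        "xss_vuln": greet_vulnerable(markup),
        "xss_safe": greet_safe(markup),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

The vulnerable lookup returns all three rows for the tampered name because the injected text becomes part of the WHERE clause; the parameterized version returns nothing, since no user is literally named `x' OR '1'='1`. Likewise, `greet_safe` turns `<` and `>` into `&lt;` and `&gt;`, so the browser shows the text instead of running it. Note that `html.escape` is right for an HTML text node only; attribute, JavaScript and URL contexts each need their own encoding.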
OWASP also makes a lot of really good test tools that I use extensively as a consultant and a writer. I’m always testing something. I love the flexibility of many of the OWASP tools. One day I can use them to test web applications, the next to test a web application firewall, and the next to test the security aspects of application performance management hardware. I especially like tools that let me set up a compromised web application server. I use those to test endpoint protection software. I typically set up a web server that runs client-side exploits to evaluate the active protections in endpoint protection software.
Here are some of my favorite OWASP test tools:
- Use the Zed Attack Proxy (ZAP) Project to find vulnerabilities in web applications. ZAP was intentionally designed to be easy to use so that you don’t have to be a security expert to use it. ZAP provides automated scanners that can be scheduled to conduct regular scans and a set of manual test tools for on-demand scans.
- XSS exploits account for a significant number of data breaches. The Xenotix XSS Exploit Framework is an advanced Cross Site Scripting vulnerability detection and exploitation framework. The framework runs scans within browser engines to get real world results and can run 4800+ distinctive XSS payloads.
- O-Saft, or the OWASP SSL advanced forensics tool, is an SSL audit tool that shows detailed information about SSL certificates and tests SSL connections from the command line. The tool can run online or offline to assess SSL security such as ciphers and configurations. There are built-in checks for common vulnerabilities and the tool is easily extended by scripting. There’s also a simple GUI available as an optional download.
- The Offensive Web Testing Framework (OWTF) is an automated test tool that tests according to OWASP testing guidelines and adheres to the NIST and PTES standards to probe web and application servers for common vulnerabilities such as improper configuration and unpatched software.
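An SSL audit tool such as O-Saft does two separate jobs: it enumerates what a server offers (protocol versions, cipher suites, certificate details) and then judges those observations against a policy. The policy half is the part worth understanding, so here is an added example of it; this is not O-Saft's code nor part of the original post. The scan results for the two hosts are constructed inline (the host names and field names are assumptions), so it runs offline, and the weak-cipher marker list is deliberately illustrative rather than exhaustive.

```python
"""Added example (not O-Saft's code and not from the original post): the
policy check an SSL/TLS audit tool applies to a server's enumerated
protocols, cipher suites and certificate. Scan results are constructed."""
from datetime import datetime, timezone

# Constructed sample: what a scanner might report for two hypothetical hosts.
SCAN_RESULTS = {
    "legacy.example.test": {
        "protocols": ["SSLv3", "TLSv1", "TLSv1.2"],
        "ciphers": ["RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
        "cert_key_bits": 1024,
        "cert_not_after": "2015-01-01T00:00:00+00:00",
        "cert_sig_alg": "sha1WithRSAEncryption",
    },
    "hardened.example.test": {
        "protocols": ["TLSv1.2", "TLSv1.3"],
        "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_128_GCM_SHA256"],
        "cert_key_bits": 2048,
        "cert_not_after": "2099-01-01T00:00:00+00:00",
        "cert_sig_alg": "sha256WithRSAEncryption",
    },
}

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that mark a suite as weak (illustrative list, not exhaustive).
# "DES" also catches 3DES suites such as DES-CBC3-SHA.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")
MIN_RSA_BITS = 2048


def audit(host: str, result: dict, now: datetime = None) -> list:
    """Return a list of human-readable findings for one host (empty = clean)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for proto in result["protocols"]:
        if proto in WEAK_PROTOCOLS:
            findings.append(f"{host}: weak protocol enabled: {proto}")
    for suite in result["ciphers"]:
        if any(marker in suite.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"{host}: weak cipher suite offered: {suite}")
    if result["cert_key_bits"] < MIN_RSA_BITS:
        findings.append(f"{host}: certificate key too short: {result['cert_key_bits']} bits")
    not_after = datetime.fromisoformat(result["cert_not_after"])
    if not_after <= now:
        findings.append(f"{host}: certificate expired on {not_after.date()}")
    if result["cert_sig_alg"].lower().startswith("sha1"):
        findings.append(f"{host}: certificate signed with SHA-1")
    return findings


def audit_all(results: dict = None, now: datetime = None) -> dict:
    """Audit every host and map host -> findings."""
    results = results if results is not None else SCAN_RESULTS
    return {host: audit(host, res, now) for host, res in results.items()}


if __name__ == "__main__":
    for host, findings in audit_all().items():
        print(f"{host}: {'OK' if not findings else ''}")
        for line in findings:
            print("  -", line)
```

Run as-is, the legacy host produces seven findings (two protocol, two cipher, one key size, one expiry, one signature algorithm) and the hardened host none. A real tool's marker lists and thresholds are longer and change over time, which is why O-Saft's scriptable extension hooks matter: the policy is the part you will keep tuning.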
With these tools in your repertoire, you can work to keep your Web application secure and safe, both for those utilizing it online and for your reputation in creating applications that protect their users.
Matthew David Sarrel has been practicing and writing about network and information security for over 20 years. He is Executive Director of Sarrel Group, an editorial services/content marketing, product test lab, and information technology consulting company. He is a Contributing Editor for PCMag.com, Triple-G Editor for Backayard Magazine, and contributor to Infoworld, Programmable Web, and numerous other sites and publications. Previously, he was a technical director for PC Magazine Labs. Prior to joining PC Magazine, he served as VP of Engineering and IT Manager at two Internet startups. Earlier, he spent almost 10 years providing IT solutions in HIV-and-TB-related medical research settings at the New Jersey Medical School. Mr. Sarrel has a BA (History) from Cornell University, an MPH (Epidemiology) from Columbia University, and is also a Certified Information Systems Security Professional (CISSP). Mr. Sarrel has written for and spoken to numerous international audiences about information technology and information security. He participated as an expert in two Federal Trade Commission workshops, one about spam in 2003 and one about spyware in 2004. Follow Matt on Twitter and on Instagram.