Running a secure Web site means more than just guarding against cross-site scripting and SQL injection attacks. Flaws in the business processes that underlie Web sites can also present serious security risks, the CTO of a Web security company said Thursday.
Flaws in the processes, or business logic, for Web sites can prove highly profitable to hackers, require little skill to exploit and are sometimes technically not illegal to take advantage of, said Jeremiah Grossman, CTO of WhiteHat Security, at the Source Boston Security Showcase.
"These issues are common if you know what to look for," he said.
He offered several examples of these flaws, including those found in Web site designs, Captcha authentication systems and user privileges. People who take advantage of them are often simply banned from using a service, although sometimes they are prosecuted.
In 2007 a woman was accused of scamming QVC out of $412,000 by exploiting a flaw in its business logic. She placed orders for 1,800 items with the home-shopping network and then cancelled the orders on its Web site. She received credit for returning the merchandise, but the items were sent to her anyway and she sold them on eBay, the Department of Justice said. QVC became aware of the matter when eBay users contacted it about receiving items still in its packaging. The woman eventually pled guilty to wire fraud.
Password reset features can lead to unauthorized account access if they ask obvious questions and hackers have minor pieces of information about their victims. Grossman offered an example involving former mobile service provider Sprint. To reset its passwords, he said, a hacker needed to know only a person's mobile-phone number and a basic piece of information such as where they lived or the car they drove. This could have allowed a hacker to order new phones in the victim's name or install new services on their phone.
E-coupons pose a risk to merchants if coupon numbers are close to each other sequentially. One retailer saw some of its high-priced items selling for a few dollars after a hacker wrote a script to uncover coupon numbers that differed by only a few digits, Grossman said. The retailer discovered the problem when its system logs uncovered an abundance of orders being processed at night while the hacker's script ran.
Hackers can persuade other Web surfers to solve Captcha tests for them by luring them to Web sites with the promise of free music or adult content. Captchas require a person to decipher a string of jumbled characters to sign up for services such as a Web e-mail account. The Web surfers solve the Captchas, which are sent via proxy server to the hacker, who then uses them to sign up for multiple e-mail accounts for sending spam or some other activity.
"As long as you have enough users coming to your Web site, you have the Captcha solved," said Grossman. "Bad guys want to defeat these Captchas so they can spam us."
Another flaw is granting users access to all parts of a Web site when they have a login or password for a particular service there. For example, employees at an Estonian firm signed up for the Business Wire press release service in 2004. It figured out that URLs on the site sometimes contained information about news releases that had not yet been made public. Using a program that searches for URLs, the employees at the firm were able to uncover sensitive business and financial information. After buying and selling stock based on this information, the employees made $7.8 million, but were also hit with fraud charges by U.S. regulators.
He noted that there have likely been many similar such instances that never came to light because the perpetrators were never caught.
Web security extends beyond quality assurance and properly designing Web applications to include how the services are set up to operate, he said.