Web applications that we use every day are riddled with vulnerabilities, according to numerous surveys. Statistics also show that, increasingly, those vulnerabilities are being found by criminal geeks-for-hire who turn a profit by turning good Web pages into bad Web pages that turn visiting computers into ‘bots.’ There are literally millions of bots being controlled by criminal programs that tell them to send and relay spam and identity theft information. The problem with Web apps, as I’ve written in several stories for my business trade journals, is one that can’t be solved easily for several reasons. Besides their very public nature, Web apps are interactive. So their data input fields can be confused into revealing information that attack programs use to gain control of the Web pages. And in social networks including MySpace, Wikipedia and multiple other social and gaming networks, interactive content containing malicious code has been frequently uploaded to member pages and spread around as members click them. This is compounded by lack of vulnerability notification. Being made up of thousands of programs and subprograms in all forms of frameworks and languages, there is no “keeper of the code” for much of these programs. Unlike those who get automatic updates from Microsoft, owners of Web apps are not getting alerts to new vulnerabilities from their makers – and last year there were thousands of said vulnerabilities in the two most pervasive Web application frameworks in use. So it was good to see that Web application security was the dominant topic at BlackHat in Vegas this week. Talks included ways to compromise and use Web applications, including Intranet sites, to break the browser and do bad things to visiting computers. Their point was not to be bad guys, but to urge experts to make better, more secure Web applications and improve security on the browsers.
“Banks, AOL’s, Yahoo’s, eBay’s ... of a thousand Websites we tested, all were vulnerable to cross-site-scripting attack,” said Robert Hansen, CEO of SecTheory (a Web app security company), and co-founder of the Web Application Security Forum during his talk Wednesday on hacking Intranet applications with Jeremiah Grossman, CTO of WhiteHat Security, a Web application testing provider.
Attendees seem to get the need for better Web application development, security and management based on the hundred-plus of them crammed into the Shadow Bar Wednesday night at Caesar’s Palace for the hosted party by Breach Security that brought together for the first time the Open Web Application Security Project and the Web Application Security Consortium. Folks like Adam Munther, chapter leader for the Pheonix chapter of OWASP, who’s in the business of Web application security assessment, testing and training.
“I am very pleased about the about the growing awareness surrounding web application security threats,” Munther wrote in a recent blog. “Several organizations have been formed to promote the issue, such as OWASP and the Web Application Security Consortium, and for good reason: it is currently the most prolific attack vector. In fact, Gartner estimates that 75% of all attacks now come at the (web) application layer.”
With so much work going on in the area of Web application testing, firewalling, monitoring and secure coding practices as represented at Blackhat, it’s hopeful that in a couple years the good guys will get the upper hand.