Wednesday, May 14, 2008

What is Application Level Web Security

What is application Level Web Security?

Let us take an e-commerce web site. ( examples of ecommerce sites are amazon.com,dell.com,ebay.com).

The web site is made up of three things:

1. Database(such as oracle,sqlserver,mysql)

2.Webserver(such as IIS,,Apache)

3. Application programs (such as jsp,php,asp,asp.net)

Even if the Database and Webserver are 100% secure, hackers can exploit the vulnarabilities in the application-level and they can get the confidential information such as credit card numbers and customer addresses. They can make the site to ship the goods without paying any charge.
In this article, we are going to see what are the different types of vulnerablities possible in application-level and how to plug these holes.

FORM MODIFICATION ATTACK:

Some hackers will simply copy the order form(which is a html form), make some modify the price which is stored in a hidden text field and submit the form to the site.

A journlist purchased an internet domain name "ivehadyou.org.uk",and tickets for a Jimmy Nail pop concert just for 10 pence each. More than 30% of e-commerce sites are vulnerable to this simple attack.

SQL ATTACK:

Suppose 2000 employees are working in your office and the STAFF database contains the information such as

NAME,ADDRESS,EMAILID,DATE OF BIRTH,PASSWORD,SALARY.

Consider this scenario. As an application programmer, you are writing a Search Form. For example, if any user types the word "peter", he will get the address and email id of Mr.peter.

The data is fetched from the database by using a query like this :

:select name,address,emailid from staff where name='peter'

But, if the hacker, instead of typing "peter", if he types like this :

"

'; select name,password,salary from staff where name='peter

"

Then the resultant query will be constructed like this :

"

select name,address,emailid from staff where name=``;select password,salary from staff where name=`peter`;

"

CROSS SITE SCRIPT ATTACK:

 

Using this attack, the hacker can get the confidential information such as password,credit card numbers.

They can make the genuine users to post the data to the hacker's site. The hacker will embed malicious html code ( or javascript) in the url,form or cookies and the users will think that the information or form is coming from the genuine site.

Recommened further study: Abstracting Application-Level Web Security
by David Scott1 Richard Sharp2

 

No comments:

 
Disclaimer and Copyright