The motivations for hacking are numerous and have been discussed at length for many years in a variety of forums. We're not going to rehash those conversations, but we do think it's important to point out some of the features of web applications that make them so attractive to attackers. Understanding these factors leads to a much clearer perspective on what defenses need to be put in place to mitigate risk.
Ubiquity Web applications are almost everywhere today, and continue to spread rapidly across public and private networks. Web hackers are unlikely to encounter a shortage of juicy targets anytime soon.
Simple Techniques Web app attack techniques are fairly easily understood, even by the lay person, since they are mostly text-based: the request is plain text, so manipulating application input is trivial. Compared to the knowledge required to attack more complex applications or operating systems (for example, crafting buffer overflows), attacking web apps is a piece of cake.
Anonymity The Internet still has many unaccountable regions today, and it is fairly easy to launch attacks with little fear of being traced. Web hacking in particular is easily laundered through (often unwittingly) open HTTP/S proxies that remain plentiful on the 'Net as we write this. Sophisticated hackers will even route each request through a different proxy to make things even harder to trace. Arguably, this remains the primary reason for the proliferation of malicious hacking, since this anonymity strips away one of the primary deterrents for such behavior in the physical world (i.e., being caught and punished).
Bypasses Firewalls Inbound HTTP/S is permitted by most typical firewall policies (to be clear, this is not a vulnerability of the firewall; it is an administrator-configured policy). Even better (for attackers, that is), this configuration is probably going to increase in frequency as more and more applications migrate to HTTP. You can already see this happening with the growing popularity of sharing family photos via the web, personal blogs, one-click "share this folder to the web" features on PCs, and so on.
Custom Code With the proliferation of easily accessible web development platforms like ASP.NET and LAMP (Linux/Apache/MySQL/PHP), most web applications are assembled by developers who have little prior experience (because, once again, web technology is so simple to understand, the "barriers to entry" are quite low).
Immature Security HTTP is stateless; it doesn't even implement sessions to separate unique users. The basic authentication and authorization plumbing for HTTP was bolted on years after the technology became popular, and is still evolving to this day. Many developers code their own session handling, and get it wrong (although this is changing with the increasing deployment of common off-the-shelf web development platforms that incorporate vetted authorization/session management).
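To make the "code their own, and get it wrong" point concrete, here is an added example (ours, not code from the book or from any product it discusses) contrasting a homegrown sequential session ID with one drawn from the operating system's CSPRNG and tied to a server-side expiry. The class and function names, the user names, and the 15-minute TTL are assumptions chosen for the demonstration.

```python
"""Constructed demo: homegrown sequential session IDs versus CSPRNG-backed ones.
Added example; class names, users and TTL are the editor's assumptions."""
import itertools
import secrets
import time


class SequentialSessionStore:
    """Anti-pattern: the session ID is a global counter, so any one ID
    reveals the IDs issued just before and after it."""

    def __init__(self):
        self._ids = itertools.count(1000)
        self._sessions = {}

    def create(self, user):
        sid = str(next(self._ids))
        self._sessions[sid] = user
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid)


class RandomSessionStore:
    """128 bits from the OS CSPRNG plus a server-side expiry; the ID itself
    carries no structure an attacker can extrapolate from."""

    TTL_SECONDS = 15 * 60  # assumed idle timeout for the demo

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised offline
        self._sessions = {}      # sid -> (user, expires_at)

    def create(self, user):
        sid = secrets.token_urlsafe(16)  # 16 random bytes = 128 bits of entropy
        self._sessions[sid] = (user, self._now() + self.TTL_SECONDS)
        return sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if self._now() > expires_at:
            del self._sessions[sid]  # an expired session is dropped, never honoured
            return None
        return user


def hijack_neighbour(store, attacker_sid):
    """What an attacker holding a sequential ID does: present the ID issued just
    before their own. Returns the victim's identity, or None if the scheme
    gives nothing away (random IDs are not integers, so there is nothing to decrement)."""
    try:
        guess = str(int(attacker_sid) - 1)
    except ValueError:
        return None
    return store.user_for(guess)


def demo():
    # Constructed scenario: the victim logs in, then the attacker logs in.
    weak = SequentialSessionStore()
    weak.create("alice")
    mallory_sid = weak.create("mallory")
    stolen = hijack_neighbour(weak, mallory_sid)        # -> "alice"

    strong = RandomSessionStore()
    strong.create("alice")
    mallory_sid = strong.create("mallory")
    not_stolen = hijack_neighbour(strong, mallory_sid)  # -> None
    return stolen, not_stolen


if __name__ == "__main__":
    print(demo())
```

The random store also shows the second half of "vetted session management": the ID is only a lookup key, the identity lives server-side, and a stale key is discarded on use rather than trusted because it once was valid.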
Constant Change There are usually a lot of people constantly "touching" a web application: developers, system administrators, and content managers of all stripes (we've seen many firms where the marketing team has direct access to the production web farm!). Very few of these folks have adequate security training, and yet they are empowered to make changes to a complex, Internet-facing web application on a constant (we've seen hourly!) basis. At this level of dynamism, it's hard to adhere to a simple change management process, let alone ensure that security policy is enforced consistently.
Money Despite the hiccups of the dot com era, it's clear that e-commerce over HTTP will support many lucrative businesses for the foreseeable future. Not surprisingly, recent statistics indicate that the motivation for web hacking has moved from fame to fortune, paralleling the maturation of the Web itself. Increasingly, authorities are uncovering organized criminal enterprises built upon for-profit web app hacking. Whether through direct break-ins to web servers, fraud directed against web end-users (a.k.a. phishing), or extortion using denial of service, the unfortunate situation today is that web crime pays.