Who, When, And Where?

We're aching to get to "how," but to complete our theme, let's devote a couple of sentences to the "who, when, and where" of web app attacks.

As with "why," defining who attacks web applications is like trying to hit a moving target. Bored teenagers out of school for the summer probably contributed heavily to the initial popularity of web hacking, waging turf wars through web site defacement. As we noted earlier, web hacking is now a serious business: organized criminals have moved into web hacking in a big way, and they are making a profit from it.

Answering "when" and "where" web applications are attacked is initially simple: 24/7, everywhere (even on internal networks!). Much of the allure of web apps is their "always open to the public" nature, which obviously exposes them to more or less constant risk. More interestingly, we could talk about "where" in terms of "at what places" web applications are attacked. In other words, where are the common web app security weak spots?

Weak Spots

If you guessed "all over," then you are familiar with the concept of the trick question, and you are also correct. Here is a quick overview of the types of attacks typically made against each component of web apps that we've discussed so far.

  • Web Platform   Web platform software vulnerabilities. This includes the underlying infrastructure, such as the HTTP server software (for example, IIS or Apache) and the development framework used for the application (for example, ASP.NET or PHP). See Chapter 3.

  • Web Application   Attacks against authentication, authorization, site structure, input validation, application logic, and management interfaces. Covered primarily in Chapters 4 through 9, 12, and 13.

  • Database   Running privileged commands via database queries, and manipulating queries to return excessive datasets. The most devastating attack here is SQL injection, which is tackled in Chapter 7.

  • Web Client   Active content execution, exploitation of client software vulnerabilities, cross-site scripting (XSS), and fraud such as phishing. Web client hacking is discussed in Chapter 10.

  • Transport   Eavesdropping on client-server communications, and SSL redirection (forcing clients onto an unencrypted or attacker-controlled connection instead of the intended SSL session). We don't cover this specifically in this book, since it is a generic communications-layer attack and several extensive write-ups are available on the Web.

  • Availability   Often overlooked in the haste to address more sensational "hacking" attacks, denial of service (DoS) is one of the greatest threats any publicly accessible web application will face. Making any resource available to the public presents challenges, and even more so in the online world, where distributed bot armies can be marshaled by anonymous attackers to unleash unprecedented storms of requests against any Internet target. Chapter 12 focuses on DoS attacks and countermeasures.

Although there are no reliable statistics about which components of web applications are attacked most frequently, there are several informal surveys. One of the more popular is the Open Web Application Security Project (OWASP) Top 10, which lists the ten most serious web application vulnerabilities based on a "broad consensus" within the security community.



Hacking Exposed Web Applications, 3rd Edition
ISBN: 0071740643
Year: 2006
