This entry is part of the series Ten things you can do to improve IT security and reliability without spending money
Both the SANS Institute report I mentioned in a previous blog entry and IBM’s X-Force 2009 Trend and Risk Report documented significant growth in website vulnerabilities, particularly across three attack categories: Cross-Site Scripting, SQL Injection, and File Include vulnerabilities. The IBM X-Force report provides these succinct descriptions.
Cross-Site Scripting

Cross-Site Scripting vulnerabilities occur when Web applications do not properly validate user input from form fields, the syntax of URLs, etc. These vulnerabilities allow attackers to embed their own script into a page the user is visiting, manipulating the behavior or appearance of the page. These page changes can be used to steal sensitive information, manipulate the Web application in a malicious way, or embed more content on the page that exploits other vulnerabilities.

The attacker first has to create a specially-crafted Web link and then entice the victim into clicking it (through spam, user forums, etc.). The user is more likely to be tricked into clicking the link because the domain name of the URL is that of a trusted or familiar company. The attack attempt may appear to the user to come from the trusted organization itself and not the attacker that compromised the organization’s vulnerability.

SQL Injection

SQL Injection vulnerabilities are also related to improper validation of user input, and they occur when this input (from a form field, for example) is allowed to dynamically include SQL statements that are then executed by a database. Access to a back-end database may allow attackers to read, delete, and modify sensitive information and, in some cases, execute arbitrary code.

In addition to exposing confidential customer information (like credit card data), SQL Injection vulnerabilities can also allow attackers to embed other attacks inside the database that can then be used against visitors to the Web site.

File Include

File Include vulnerabilities (typically found in PHP applications) occur when the application retrieves code from a remote source to be executed in the local application. Oftentimes, the remote source is not validated for authenticity, which allows an attacker to use the Web application to remotely execute malicious code.

Other

This category includes some denial-of-service attacks and miscellaneous techniques that allow attackers to view or obtain unauthorized information and/or change files, directories, user information or other components of Web applications.
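The three main categories above come down to the same root cause: untrusted input reaching an interpreter (the database, the browser, or the application's own code loader) without being separated from the instructions around it. The following Python example, added here and not taken from the X-Force report or from any product mentioned on this page, puts a vulnerable version of each pattern beside its hardened counterpart so the difference is visible in running code. The user table, the page templates, and the inputs fed to each function are all constructed for the demonstration; the File Include case is simulated (nothing is actually fetched or executed) so the script is safe to run anywhere.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "4111-xxxx-1111"), ("bob", "5500-xxxx-0004")])
    conn.commit()
    return conn


# --- SQL Injection ----------------------------------------------------------
def find_card_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the user-supplied name is pasted into the SQL text, so the
    input can carry SQL of its own and change what the query does."""
    query = "SELECT card FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_card_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: a parameterised query. The driver passes the value as data,
    never as SQL, so quotes in the input are just characters."""
    rows = conn.execute("SELECT card FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# --- Cross-Site Scripting ---------------------------------------------------
def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: untrusted text is dropped into the HTML page as-is, so any
    markup or script it contains becomes part of the page."""
    return "<p>" + comment + "</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-encode on output so the browser displays the text
    instead of interpreting it."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


# --- File Include -----------------------------------------------------------
# Constructed stand-in for the application's own page templates.
TEMPLATES = {"home": "<h1>Home</h1>", "about": "<h1>About</h1>"}


def include_page_unsafe(name: str) -> str:
    """Vulnerable pattern: whatever the request names would be fetched and
    executed. Simulated here by returning a marker instead of fetching."""
    return TEMPLATES.get(name, "<!-- would fetch and execute: " + name + " -->")


def include_page_safe(name: str) -> str:
    """Hardened: only names on a fixed allow-list are ever included; anything
    else (a URL, a path, an unknown name) is refused outright."""
    if name not in TEMPLATES:
        raise ValueError("page not allowed: " + name)
    return TEMPLATES[name]


def run_demo() -> dict:
    """Exercise each vulnerable/hardened pair with constructed inputs."""
    conn = make_db()
    sqli_input = "x' OR '1'='1"          # classic textbook injection string
    xss_input = "<script>alert(1)</script>"
    rfi_input = "http://example.invalid/remote"  # placeholder remote source
    try:
        include_page_safe(rfi_input)
        rfi_blocked = False
    except ValueError:
        rfi_blocked = True
    return {
        "sqli_unsafe_rows": len(find_card_unsafe(conn, sqli_input)),  # all rows leak
        "sqli_safe_rows": len(find_card_safe(conn, sqli_input)),      # no match
        "xss_unsafe": render_comment_unsafe(xss_input),
        "xss_safe": render_comment_safe(xss_input),
        "rfi_unsafe": include_page_unsafe(rfi_input),
        "rfi_blocked": rfi_blocked,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=>", value)
```

Running the script shows the unsafe lookup returning every card on file for an input that matches no real user, while the parameterised version returns nothing; the escaped comment arrives in the page as literal text rather than a script tag; and the allow-listed include refuses the remote name instead of fetching it. The same three checks (parameterise queries, encode output, allow-list includes) are what your developers in the "What You Should Do" section below should already be applying.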
What You Should Do
First, you should make sure that any people you have developing or maintaining your websites are familiar with these types of vulnerabilities and that they are using current methods to protect against them.
Second, you should check with whoever is responsible for hosting your websites to see if they offer any kind of web vulnerability scanning as part of their hosting service. (In some cases, hosting companies may charge extra for this; in other cases it’s included as part of the fee you already pay.)
And third, you should use web vulnerability scanning software. Some vendors may offer to perform the web scans for free, as a means of getting in the door to talk to you about purchasing other services. (Full disclosure: Pragmatix has been known to do this also.)
There are several free tools available on the internet. My network engineering team has identified two that are definitely worth looking into. One product is named Rapid7 (see http://www.rapid7.com/vulnerability-scanner.jsp ). While there is a cost to purchase a full copy of their software, they do offer a very useful free version. Another product is named Gamja (see http://sourceforge.net/projects/gamja/).