Web Application Security Testing

In the first week of June 2013, zone-h.org listed nearly 33,000 website break-ins and defacements

Web applications, such as those for eCommerce, customer service and online communities, are among the most vulnerable websites on the Internet.

Victims of attack suffer:

  • having their website defaced (cyber-vandalism)
  • the theft of their intellectual property
  • the theft of their business and customer data
  • the theft of their customers' personal data
  • having malware and pirated/illegal materials distributed from their server
  • inadvertently distributing virus or botnet control software to their visitors

In 2008 an automated SQL Injection worm penetrated over 10,000 websites, including FTSE 100 companies and the UK Civil Service

The results of a break-in are invariably embarrassing for the company targeted, and the cleanup costs range from "expensive and inconvenient" to the sort of massive damage to reputation and business that can put the future of an organisation at risk.

A client, Steve, runs a web hosting company. He was recently called by the UK Ministry of Defence. It turned out that some months back someone had broken into one of Steve's client's web applications and had quietly installed some sort of "attack code" onto the server. The client didn't even know he'd been hacked, but for several weeks his server was being used to attack computers all over the Internet. When it was used to attack servers in the Brazilian Defence System, they traced where the attack was coming from and called their counterparts in the UK MoD. Steve closed the client's web application down, but still had some explaining to do.

No matter how good programmers are, bugs creep into all pieces of software. For web applications, there are also the "abusable features" which are correctly coded, but offer non-obvious attack methods to those who understand how to exploit them. Many such problems can easily result in penetration of the application and of the entire database and server infrastructure behind it.

IT Security Consultant Derek Fountain provides vulnerability assessment consultancy and testing for organisations wanting to mitigate the risks of putting applications online.