Vulnerabilities in Web Applications
The Internet has become part and parcel of the corporate agenda, but does the risk of exposing information assets get sufficient management attention? Extensions of corporate portals for Business-to-Business (B2B) transactions and the development of websites for Business-to-Customer (B2C) transactions have been largely successful, but the task of assessing the vulnerabilities of, and the threats to, corporate information assets is still avoided by many organisations. The desire to stay ahead of the competition while minimising cost by leveraging technology means the process is driven by pressure to achieve results. What suffers in the end is the application development cycle, which is completed without security in mind. Section 1 of this paper introduces the world of e-business and sets the stage for further discussions. Section 2 looks at common vulnerabilities inherent in web application development. Section 3 considers countermeasures and strategies that will minimise, if not eradicate, some of these vulnerabilities. Sections 4 and 5 draw conclusions and look at current trends and future expectations.
The TCP/IP protocol stack, the underlying technology, is known for its lack of security at many of its layers. Most applications written for use on the Internet sit at the application layer, traditionally using HTTP on port 80 on most web servers. HTTP is stateless and provides no freshness mechanism for a session between a client and a server, so a request captured in transit can be replayed later without the server being able to tell; many hackers take advantage of these inherent weaknesses. TCP/IP may be reliable in delivering Internet packets, but it guarantees neither confidentiality nor integrity and offers little in the way of identification of the communicating parties. As emphasised in [1], Internet packets may traverse several hosts between the source and destination addresses. During this journey they can be intercepted by third parties, who may copy, alter or substitute them before final delivery. Failure to detect and prevent attacks on web applications is potentially catastrophic. Attacks are loosely grouped into two types, passive and active. Passive attacks [6] involve eavesdropping on, or monitoring of, transmissions. Active attacks involve some modification of the data stream or the creation of false data streams [6].
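The following Python is an added illustration of the two gaps described above, the missing integrity guarantee and the missing freshness mechanism; it is not code from the paper. It models a plain HTTP request crossing the wire, an active attacker rewriting the body in transit, and a server that has nothing to check. Beside it sits a hypothetical application-layer countermeasure: the client binds the body to a timestamp and a nonce with an HMAC under an assumed pre-shared key, and the server rejects tampered, stale or replayed requests. The request bytes, the key and the X-Timestamp, X-Nonce and X-Signature header names are all constructed for this example. Confidentiality, the third missing guarantee, needs encryption of the channel (in practice TLS) and is not shown here.

```python
import hashlib
import hmac

# Constructed sample request (not from the paper): a plain HTTP/1.0 POST as it
# travels over TCP. Nothing in it binds the body to the sender or to a point in time.
PLAIN_REQUEST = (
    b"POST /transfer HTTP/1.0\r\n"
    b"Host: bank.example\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"to=alice&amount=100.00"
)


def parse_request(raw: bytes):
    """Split a raw request into (request line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0], headers, body


def active_tamper(raw: bytes, old: bytes, new: bytes) -> bytes:
    """An active attacker on the path rewrites part of the data stream in transit."""
    return raw.replace(old, new)


def plain_server_accepts(raw: bytes) -> bool:
    """A plain HTTP server can only check syntax, so a tampered or replayed
    request is indistinguishable from a genuine one."""
    request_line, headers, body = parse_request(raw)
    return request_line.startswith(b"POST ") and "host" in headers and len(body) > 0


# --- Hypothetical countermeasure: integrity and freshness at the application layer ---
# Assumed key shared by client and server (in practice per client, provisioned securely).
KEY = b"shared-secret-key-for-illustration"


def _mac(key: bytes, ts: int, nonce: str, body: bytes) -> str:
    """HMAC-SHA256 over timestamp, nonce and body so none can change independently."""
    return hmac.new(key, b"%d|%s|%s" % (ts, nonce.encode(), body), hashlib.sha256).hexdigest()


def sign_request(key: bytes, body: bytes, ts: int, nonce: str) -> bytes:
    """Client side: carry the timestamp, nonce and MAC in hypothetical X- headers."""
    return (
        b"POST /transfer HTTP/1.0\r\n"
        b"Host: bank.example\r\n"
        b"X-Timestamp: %d\r\n"
        b"X-Nonce: %s\r\n"
        b"X-Signature: %s\r\n"
        b"Content-Length: %d\r\n"
        b"\r\n" % (ts, nonce.encode(), _mac(key, ts, nonce, body).encode(), len(body))
    ) + body


class Verifier:
    """Server side: reject tampered (integrity), stale or replayed (freshness) requests."""

    def __init__(self, key: bytes, window_seconds: int = 30):
        self.key = key
        self.window = window_seconds
        self.seen_nonces = set()  # replay cache; bound it by the time window in real use

    def accept(self, raw: bytes, now: int) -> tuple:
        _, headers, body = parse_request(raw)
        try:
            ts = int(headers["x-timestamp"])
            nonce = headers["x-nonce"]
            sig = headers["x-signature"]
        except (KeyError, ValueError):
            return (False, "missing integrity/freshness headers")
        # Constant-time comparison: a plain == would leak timing information.
        if not hmac.compare_digest(_mac(self.key, ts, nonce, body), sig):
            return (False, "tampered")
        if abs(now - ts) > self.window:
            return (False, "stale")
        if nonce in self.seen_nonces:
            return (False, "replay")
        self.seen_nonces.add(nonce)
        return (True, "accepted")


if __name__ == "__main__":
    forged = active_tamper(PLAIN_REQUEST, b"amount=100.00", b"amount=999.99")
    print("plain HTTP accepts forged request:", plain_server_accepts(forged))
    v = Verifier(KEY)
    signed = sign_request(KEY, b"to=alice&amount=100.00", ts=1000, nonce="n1")
    print("signed, fresh:", v.accept(signed, now=1000))
    print("signed, tampered:", v.accept(active_tamper(signed, b"amount=100.00", b"amount=999.99"), now=1000))
    print("signed, replayed:", v.accept(signed, now=1005))
```

The order of checks in `Verifier.accept` matters: the MAC is verified before the timestamp and nonce are trusted, because those values arrive in the same unauthenticated stream as the body and an active attacker could otherwise adjust them at will. The nonce cache is what turns the stateless exchange into one with a notion of freshness; without it, the same validly signed request could be submitted again within the time window.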