The Importance of Web Application Scanning

Introduction to The Importance of Web Application Scanning

Web servers are vulnerable because attackers have all the time in the world to try their techniques for gaining unauthorized entry. The best way to prevent your website from being attacked is Web application scanning.

The Importance of Web Application Scanning

Extract from white paper

Web applications are proving to be the weakest link in overall corporate security.  Organizations need a Web application scanning solution that can scan for security loopholes in Web-based applications to prevent would-be hackers from gaining unauthorized access to corporate applications and data. 

High-Profile Web Application Hack

Hackers are exploiting security loopholes in Web applications.  According to a survey by the Gartner Group, 75% of all Internet assaults are targeted at Web applications.

A famous Web application attack was carried out by a 17-year-old Norwegian boy. While making online transactions with his bank, he noticed that the URLs of the pages displayed his account number as one of the parameters. He then substituted random account numbers. Soon he was able to access other customers' accounts, and he was in a position to transfer funds from these accounts to his own.

The Solution: A Web Application Scanner

Clearly, Web applications are the biggest Achilles’ heel in an organization’s security strategy. They are much more difficult to protect than traditional applications that reside behind a firewall.  Web application security needs to be stringently checked using an automated Web application security scanner.

A Web application scanner is an automated security program that searches for software vulnerabilities within Web applications. A Web application scanner first crawls the entire website, analyzing in-depth each file it finds, and displaying the entire website structure. After this discovery stage, it performs an automatic audit for common security vulnerabilities by launching a series of Web attacks. Web application scanners check for vulnerabilities on the Web server, proxy server, Web application server and even on other Web services.

What a Web Application Scanner Should Do for You

  1. Analyze different Web technologies, such as PHP, ASP.NET, ASP, etc.
  2. Produce readable and actionable results.
  3. Scale: the scan must be fast enough to process large websites.

See more here: Acunetix Web Attacks Info page


Technical Details of Web Site Attacks.

SQL injection:
The attacker transmits SQL query commands to the database residing on your server via the Web application. The attacker enters SQL fragments into form fields on the webpage; because the application splices those field values into its own SQL text, the attacker is able to run SQL queries and commands against the database behind your web server.
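The following is an added example, not code from the white paper or from Acunetix, showing the defect the paragraph describes beside its fix, together with the kind of probe a scanner uses to detect it. It uses Python's built-in sqlite3 module with a constructed in-memory users table (plaintext passwords are used only to keep the demonstration short); the function and table names are assumptions for this example.

```python
import sqlite3

# Constructed sample data: a tiny in-memory users table for the demonstration.
# (Plaintext passwords are only for the demo; real systems store salted hashes.)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn

def login_vulnerable(conn, username, password):
    # Form-field values are concatenated straight into the SQL text, so whatever
    # the client typed becomes part of the statement the database parses.
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()

def login_parameterized(conn, username, password):
    # Placeholders keep the statement structure fixed; the values are bound
    # separately and are never interpreted as SQL, whatever they contain.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

def quote_probe(conn, login_fn):
    """Scanner-style check: a lone apostrophe in a field must never produce a
    database error. If it does, the field is being spliced into SQL text and
    the login function is injectable. Returns True when the defect is present."""
    try:
        login_fn(conn, "o'brien", "x")
    except sqlite3.OperationalError:
        return True   # syntax error surfaced: input reached the SQL parser
    return False

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login injectable:   ", quote_probe(db, login_vulnerable))
    print("parameterized login injectable:", quote_probe(db, login_parameterized))
```

The probe is the same observation a scanner makes in its audit stage: a syntactically harmless input such as a surname with an apostrophe produces a server error only when user data is parsed as SQL. The parameterized version returns an empty result set for that input instead of an error.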

Directory Traversal Attacks.
This attack is also called the ../ (dot dot slash) attack. Attackers manipulate the Web application into accessing files that would normally be inaccessible. The attack works by changing the parameter that an application uses to access a certain file. For instance, suppose the value of the parameter includes the path of a particular file. Placing ../ at the beginning of the parameter value forces the application to access the file in the parent directory.
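As an added example (not from the white paper), here is a server-side check that confines a client-supplied file parameter to a document root, plus a detection-side test for the ../ pattern that a log review or WAF rule can apply. The document root /srv/www/files, the file names and the function names are constructed for this example; only the Python standard library is used.

```python
import os
from urllib.parse import unquote

def resolve_download(base_dir: str, requested: str) -> str:
    """Map a client-supplied file name to a path under base_dir, or raise.

    realpath() collapses '..' segments and follows symlinks, so a request that
    climbed out of base_dir shows up as a path whose prefix is no longer base.
    An absolute value such as '/tmp/x' is rejected too: os.path.join discards
    base_dir when the second argument is absolute, and the prefix check fails.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("path escapes document root: %r" % requested)
    return candidate

def is_traversal_attempt(requested: str) -> bool:
    """Detection-side check for access logs: does the parameter contain a '..'
    path segment once URL encoding is removed? Decoding twice catches values
    that were encoded twice to slip past a single-decode filter."""
    decoded = unquote(unquote(requested))
    parts = decoded.replace("\\", "/").split("/")
    return ".." in parts

if __name__ == "__main__":
    # Constructed document root; it need not exist for realpath() to normalize it.
    root = "/srv/www/files"
    print(resolve_download(root, "report.pdf"))
    for value in ("report.pdf", "../config/secrets.txt", "..%2F..%2Fconfig"):
        print("%-25s traversal=%s" % (value, is_traversal_attempt(value)))
```

The two functions serve different jobs: resolve_download is the fix in the application, and is_traversal_attempt is a cheap signal for the people watching the logs. Note that the log check flags the request even when the application would have rejected it, which is exactly what a detection rule should do.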

Parameter Manipulation.
This involves manipulating data transmitted between the browser and Web application.  Specific example: Cookie manipulation: Cookies maintain a certain state in HTTP by storing user preferences and information related to session maintenance. All cookies can be changed at the client end and then sent to the server with URL requests. Thus, a hacker can easily manipulate the data residing within a cookie.
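The two defences against parameter and cookie manipulation are to make client-side changes detectable (sign what you hand to the browser) and to never let a client-controlled value decide authorization on its own, which is the mistake in the Norwegian bank story above, where the account number in the URL was trusted. The following added example (not the white paper's or Acunetix's code) shows both with Python's standard hmac module. The secret key, the account ownership table and the function names are constructed for this example; in a real deployment the key comes from a secret store and ownership from the database.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret for the demo; never hard-code one in production.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

def sign_cookie(payload: dict) -> str:
    """Serialize the session payload and append an HMAC-SHA256 tag so that any
    edit made at the client end fails verification on the next request."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def verify_cookie(cookie: str):
    """Return the payload if the tag matches, else None (tampered or malformed)."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so the tag cannot be guessed
    # byte by byte from response timing.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, TypeError):
        return None

# Constructed ownership table standing in for the bank's account database.
ACCOUNT_OWNERS = {"1001": "alice", "1002": "bob"}

def view_account(cookie: str, account_param: str):
    """Handle a request like /account?number=<n>. The account number in the URL
    is only a selector; whether the caller may see it is decided from the
    verified session, never from the parameter itself."""
    session = verify_cookie(cookie)
    if session is None:
        return 401, "invalid or tampered session"
    if ACCOUNT_OWNERS.get(account_param) != session.get("user"):
        return 403, "account not owned by session user"
    return 200, "balance for account %s" % account_param

if __name__ == "__main__":
    alice = sign_cookie({"user": "alice"})
    print(view_account(alice, "1001"))   # own account: 200
    print(view_account(alice, "1002"))   # substituted number: 403
```

Signing stops silent edits to the cookie, but it does not hide the cookie's contents, so anything secret still belongs on the server side, keyed by a random session identifier. The authorization check in view_account is what the scanner's "parameter manipulation" test is looking for: it substitutes another identifier and expects a 403, not a page of someone else's data.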

Acunetix Web Vulnerability Scanner

Checks for the following classes of attack:

  • CRLF injection attacks
  • Code execution attacks
  • Directory traversal attacks
  • File inclusion attacks
  • Input validation attacks
  • Authentication attacks

and creates professional security audit reports.

Resources for More Information

For more information on Web application security and related documentation, visit: Acunetix Web Attacks Info page

Summary: Securing Web Applications Is Imperative

Attacks on Web applications are increasing. As per a report from the Computer Emergency Response Team (CERT), the number of successful Web application attacks is on the rise, from around 60% in 2002 to 80% in 2003. If Web application infringements continue to grow at this rate, customers’ confidence in online commerce will further diminish. As observed by Gartner, rampant attacks on Web applications make customers wary of making online purchases for fear of credit card tampering and leakage of credit information.

The only way to combat the Web application security threat is to proactively scan websites and Web applications for vulnerabilities and then fix them. Implementing a Web application scanning solution must be a crucial part of any organization’s overall strategy.
