Hackers are concentrating their efforts on web-based applications: 75% of cyber attacks are carried out at the web application level, according to a Gartner Group study. The reasons are clear. Web applications control valuable data and are much harder to secure. Firewalls and SSL provide no protection against web application hacking, because the website itself has to be made publicly accessible. Web applications are exposed on the Internet, can be attacked 24/7, and often have direct access to backend data such as customer databases. Moreover, web applications are frequently tailor-made and therefore tested less thoroughly than off-the-shelf software, which makes them more susceptible to attack.
Various high-profile site attacks have amply shown that it is futile to have your firewall perfectly configured and your OS and key applications at the latest patch level if your web application can be compromised in a matter of minutes, granting attackers access to your backend data. A comprehensive security strategy therefore requires that you audit the security of your web applications regularly.
Web application attacks expose customers' credit card numbers. Well-known sites that were open to web application attacks include fashion label Guess and pet supply retailer PetCo.com, both of which were notoriously found to be vulnerable to SQL injection (June 2003). In PetCo's case this left as many as 500,000 credit card numbers open to anyone able to construct the specially-crafted URL.
In June 2004, security analyst ZapTheDingbat pointed out that MasterCard, Natwest, Barclaycard, WorldPay, GCHQ, and various other sites had overlooked a basic gap in their security: 'cross site scripting', which enables an attacker to direct a user to the legitimate site while displaying content and functionality of the attacker's choice.
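The two flaws named in the incidents above, SQL injection via a crafted URL parameter and cross-site scripting via unescaped output, both come down to user-supplied text being interpreted as code. The following is an added illustration, not code from the original page or from any of the sites mentioned: it builds a constructed in-memory "orders" table (not real customer data), shows how string-concatenated SQL lets a tampered parameter return every row while a bound parameter returns none, and shows the equivalent escaping fix for HTML output. Function names such as `lookup_orders_unsafe` and the sample rows are assumptions made for the example.

```python
import sqlite3
import html


def make_db():
    """Constructed sample database standing in for a retailer's order table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "1111"), (2, "bob", "2222"), (3, "carol", "3333")],
    )
    return conn


def lookup_orders_unsafe(conn, customer):
    """Vulnerable pattern: the request parameter is pasted into the SQL text,
    so a quote character in the input changes the meaning of the WHERE clause."""
    sql = f"SELECT id, customer, card_last4 FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_orders_safe(conn, customer):
    """Fixed pattern: a bound parameter is always treated as data, never as SQL."""
    sql = "SELECT id, customer, card_last4 FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def render_greeting_unsafe(name):
    """Vulnerable pattern: user-controlled text is placed in HTML unescaped,
    so any markup in the parameter is rendered and executed by the browser."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_safe(name):
    """Fixed pattern: escape on output so the text is displayed, not interpreted."""
    return f"<p>Welcome back, {html.escape(name)}!</p>"


def demo():
    """Run both patterns against a tampered parameter; returns results for inspection."""
    conn = make_db()
    # A constructed tampered value of the kind a crafted URL would carry.
    tampered = "nobody' OR '1'='1"
    markup = "<script>x</script>"
    return {
        "unsafe_rows": lookup_orders_unsafe(conn, tampered),   # whole table leaks
        "safe_rows": lookup_orders_safe(conn, tampered),       # no customer by that name
        "legit_rows": lookup_orders_safe(conn, "alice"),       # normal lookup still works
        "unsafe_html": render_greeting_unsafe(markup),
        "safe_html": render_greeting_safe(markup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of running both side by side is that the fix costs nothing functionally: the legitimate lookup for `alice` behaves identically, only the tampered input stops being interpreted. This is the same class of check a web application audit looks for, and it is also the reason firewalls and SSL, which see only well-formed HTTPS requests, cannot catch it.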
One hacker gained access to over five million credit card accounts in February 2003 through a web application attack. Similarly, a vulnerability at Tower Records laid bare the company's customer orders database in December 2002.