At year end, 74% of web application vulnerabilities had no available patch for remediation, according to that report. Stories about exploits that compromise sensitive data frequently mention culprits such as "cross-site scripting," "SQL injection," and "buffer overflow." Vulnerabilities like these fall often outside the traditional expertise of network security managers. The relative obscurity of web application vulnerabilities thus makes them useful for attacks. As many organizations have discovered, these attacks will evade traditional enterprise network defenses unless you take new precautions. To help you understand how to minimize these risks, Qualys provides this guide as a primer to web application security. The guide surveys typical web application vulnerabilities, compares options for detection, and introduces the QualysGuard Web Application Scanning solution – a new on demand service from Qualys that automates detection of the most prevalent vulnerabilities in custom web applications.

Primer on Web Application SecurityAttacks on vulnerabilities in web applications began appearing almost from the beginning of the World Wide Web, in the mid-1990s. Attacks are usually based on fault injection, which exploits vulnerabilities in a web application’s syntax and semantics. Using a standard browser and basic knowledge of HTTP and HTML, an attacker attempts a particular exploit by automatically varying a Uniform Resource Indicator (URI) link, which in turn could trigger an exploit such as SQL injection or cross-site scripting.

Types of Web Application VulnerabilitiesWeb applications may have any of two dozen types of vulnerabilities. Security consultants who do penetration testing may focus on finding top vulnerabilities, such as those in a list published by the Open Web Application Security Project (www.owasp.org). Other efforts to systematically organize web application vulnerabilities include six categories published by the Web Application Security Consortium (www.webappsec.org). The following descriptions of web vulnerabilities are modeled on the WASC schema.

1. Brute Force attack automates a process of trial and error to guess a person’s username, password, credit-card number or cryptographic key.

2. Insufficient Authentication permits an attacker to access sensitive content or functionality without proper authentication.

3. Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user’s password.

1. Credential / Session Prediction is a method of hijacking or impersonating a user.

2. Insufficient Authorization permits access to sensitive content or functionality that should require more access control restrictions.

3. Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for authorization.

4. Session Fixation attacks force a user’s session ID to an explicit value.

1. Content Spoofing tricks a user into believing that certain content appearing on a web site is legitimate and not from an external source.

2. Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which loads into a user’s browser.

1. Buffer Overflow attacks alter the flow of an application by overwriting parts of memory.

2. Format String Attack alters the flow of an application by using string formatting library features to access other memory space.

3. LDAP Injection attacks exploit web sites by constructing LDAP statements from user-supplied input.

4. OS Commanding executes operating system commands on a web site by manipulating application input.

5. SQL Injection constructs illegal SQL statements on a web site application from user-supplied input.

6. SSI Injection (also called Server-side Include) sends code into a web application, which is later executed locally by the web server.

7. XPath Injection constructs XPath queries from user-supplied input.

1. Directory Indexing is an automatic directory listing / indexing web server function that shows all files in a requested directory if the normal base file is not present.

2. Information Leakage occurs when a web site reveals sensitive data such as developer comments or error messages, which may aid an attacker in exploiting the system.

3. Path Traversal forces access to files, directories and commands that potentially reside outside the web document root directory.

4. Predictable Resource Location uncovers hidden web site content and functionality.

1. Abuse of Functionality uses a web site’s own features and functionality to consume, defraud or circumvent access control mechanisms.

2. Denial of Service (DoS) attacks prevent a web site from serving normal user activity.

3. Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually.

4. Insufficient Process Validation permits an attacker to bypass or circumvent the intended flow of an application.

^{There is no "silver bullet" to detecting web application vulnerabilities. The strategy for their detection is identical to the multi-layer approach used for security on a network. Detection and remediation of some vulnerabilities requires source code analysis, particularly for complex enterprise-scale web applications. Detection of other vulnerabilities may also require on-site penetration testing. As mentioned earlier, the most prevalent web application vulnerabilities can also be detected with an automated scanner.}

1. Lowers total cost of operations by automating repeatable testing processes

2. Identifies vulnerabilities of syntax and semantics in custom web applications

3. Performs authenticated crawling

4. Profiles the target application

5. Ensures accuracy by effective reduction of false positives and false negatives

WAS automates repeatable techniques used to identify the most prevalent web vulnerabilities, such as SQL injection and cross-site scripting. It combines pattern recognition and observed behaviors to accurately identify and verify vulnerabilities. The WAS service identifies and profiles login forms, session state, error pages, and other customized features of the target application – even if it extends across multiple web sites. This site profile data helps WAS to adapt to changes as the web application matures. Adaptability enables the scanner to be used against unknown or legacy web applications that may carry little information about error pages or other behavior. As a result, WAS delivers highly accurate detection and reduces false positives. The automated nature of Web Application Scanning enables regular testing that produces consistent results and easily scales for large numbers of web sites.

Current Features. The table describes comprehensive capabilities in QualysGuard WAS to assess and track web application vulnerabilities. Qualys plans to add other features during Q2/Q3 2009.

Operations. QG WAS is delivered as an on demand service fully integrated with the QualysGuard solutions already in use by thousands of customers for vulnerability management and policy compliance. Users can manage web applications, launch scans, and generate reports with the familiar interface of the QualysGuard web interface. WAS scans may be pre-scheduled or executed on demand. The WAS service can be scaled to the largest web applications hosted anywhere in the world. Account rights management allows an organization to centrally control which web applications may be scanned by individual users.

Protect Your Web Applications: The QualysGuard Web Application Scanning service will help your organization immediately begin identifying the most prevalent security vulnerabilities open to criminal exploit. The scanner will be a powerful supplement to existing security efforts such as source code analysis and penetration testing. The latter controls are necessary, but QualysGuard WAS will automate detection testing for the majority of threats – the kinds you read about when data thieves breach confidential information via web applications. In addition to comprehensive testing and accurate detection, QualysGuard WAS is cost effective. Just like QualysGuard, WAS is an easy-to-use on demand service allowing administrators to execute scans without any special knowledge of web application security.