Web Appstinence? Lol!


What can't a web app do? Manage your to do list? Check. Manage your money? Check. Manage your contacts? Check. Manage your music? Check. Manage your life? Definitely. So do we manage our web apps or do they manage us? When was the last time you went more than 15 minutes without being in contact with one?

Web applications have become so pervasive in our lives that now more than ever, we just don't think of them as web applications. It's just there. Don't put it down to ignorance. Like how the TV remote control became an extension of our arm, apps have become an extension of our daily existence.


Attackers are not exploiting the apps' vulnerabilities. They are exploiting our human vulnerability in allowing our apps to run our lives. Platform of choice? Our browsers. According to a poll by Harris Interactive, we, the adult internet users, spend an average of 13 hours online each week. This writer is online at minimum 16 hours a day. The internet is never more than a meter away from the writer at any time of the day or any place in the world (that has a connection!), making him very vulnerable.

We interviewed Aditya K. Sood, Senior Security Practitioner at Armorize Technologies on the various challenges and threats surrounding web applications and browser technology.

Web applications have really taken off over the past few years. What sets the early vulnerabilities apart from what we are seeing now? Has there been a technological leap on the part of the attackers?

Aditya: “Basics are the hardest part to conquer.” The vulnerability classification remains the same for most web attacks, but the modus operandi varies. With the advent of new technologies, new attack vectors exist. An attacker always tries to find a new way to penetrate deep into web applications when one door is closed. It can be considered a chain reaction of attack and defense. More sophisticated solutions lead to more sophisticated attacks. Yes, absolutely, attackers have developed untamed attack vectors for exploiting the online trust of users by hacking web applications.

Is there a common denominator among the vulnerabilities that we are seeing today? Apart, of course, from the browsers?

Aditya: Browsers provide an explicit window to the online world. It’s an interface to the online democracy of web applications. It is one of the most frivolous attack vectors exploited by attackers to gain control of the system from the web. Well, it is not the denominator of web vulnerabilities but can be considered a catalyst that supports exploitation. The generic denominators include insecure coding, inappropriate server configurations and patch management, unvalidated third-party content inclusion, etc. Most web vulnerabilities fall into these categories because a web application is characterized under DDI (Development, Deployment and Inclusion).

Has browser technology reached a point where we are opening up a whole new can of worms rather than addressing the vulnerabilities? It's fair to assume that with more code comes more potential vulnerabilities.

Aditya: Well, the world has already noticed a lot of protection mechanisms in browsers to automatically combat a number of vulnerabilities in the wild. Browsers have shown great improvements and improvisation in their security mechanisms. On the other side, we still notice a lot of vulnerabilities in browsers. Well, that’s part and parcel of the security game. With protection features like SOP (Same Origin Policy), declarative security, anti-phishing solutions, built-in filters, improvements in DOM execution and URL interpretation, etc., things have been optimized to some extent. Well, it is true, more complex code means it is more vulnerable to fallacies. Exploiting vulnerabilities in browsers is still the preferred choice of attackers to inject malware into a system, which combines with user knowledge too. There is no patch for ignorance and that’s what attackers exploit the most. It can be likened to a war of protection and exploitation.

Websites are heavily promoting web apps. But are we putting enough effort into keeping up with the many different kinds of apps coming out each day?

Aditya: In the present world, security of web applications is a characteristic of a robust business. The world has changed in such a short time that everything has shifted to the World Wide Web. No doubt we have seen a revolution, but there is also a dark side which cannot be ignored. To some extent we are laying stress on improving the security of web applications through regular assessments and penetration tests. But the ugly truth is that the potential reports are used only for compliance purposes and hardly a significant percentage of active providers patch those issues, so it still remains prevalent. The choice again comes down to human intelligence in deploying the reported parameters in a real-time environment. I think security companies are dedicated to providing efficient security services and we have taken steps where security of web applications is a prime concern. Of course, business matters at the end, but why not secure business?

What steps can an ordinary, less tech-savvy consumer take to minimize the threat posed by vulnerabilities in the apps?

Aditya: My advice to normal and less tech-savvy consumers is to follow the most basic principles of security. Always try to choose the best development vendor without worrying about the initial cost, to avoid major business havoc later on. Regular assessments of web applications are a must. I sincerely believe good web application development practice and appropriate configuration of web servers can combat these web vulnerabilities to a great extent. Avoid complexity in every sphere of applied security in business. Training of employees is a good proactive step.

What steps should an organization take to mitigate losses or minimize these threats altogether? Are they even being serious about eliminating these threats?

Aditya: As I mentioned earlier, most attacks can be stopped by normal and generic principles of security. Independent security consortiums have provided a lot of benchmarks which should be followed. An organization’s biggest asset is its employees. During past years, I have seen that the employees dealing with an organization’s security are not well versed in the latest happenings in security because most work in organizations where it is process specific, which takes too long to get something out of it. That’s the reason why training comprising the security of websites, network infrastructure and physical layout should have the utmost priority towards a more secure sphere.

Let's get back to browsers. Have you tested Firefox 4 beta 1, which was just released? Any significant improvements at this stage of beta? Are the newer browsers playing catch-up or do they get brownie points for being ahead of the class?

Aditya: From my past testing experience, the applied memory model in the Mozilla browser has shown a lot of stringency which results in memory leaking and exhaustion to a great extent, thereby resulting in severe denial of service which impacts the system state. In certain cases, it can lead to memory corruption. I just had a look at the new version of the Mozilla browser for 5 minutes and I found it to be susceptible to severe denial of service when a loop of iterated objects is allowed to render. It does not introduce a script execution check and CPU power is consumed at a high rate. This code is a modified part of previous issues reported in Mozilla Firefox 3.0.5. So, I think readers are smart enough to determine from the above case the latest structure of Firefox.

You will be speaking at Hacker Halted this October. What will you be talking about?

Aditya: Yes. My prime aim is to discuss the techniques of pen testing web applications which I have discovered during my professional experience and vulnerability research. I will demonstrate some attacks in a real-time environment to raise awareness among people about the ongoing happenings in the online world and the way attackers exploit the technology. The aim is to share research for the betterment of the community. The audience will enjoy it and become ready to use those techniques in their work sector.
