Vulnerabilities in web applications are now the largest source of enterprise security attacks. Web application vulnerabilities accounted for over 55% of all vulnerabilities disclosed in 2010, according to an IBM X-Force study.
That may be the tip of the iceberg as the study includes only commercial web applications [1]. Stories about compromised sensitive data frequently mention culprits such as “cross-site scripting,” “SQL injection,” and “buffer overflow.” Vulnerabilities like these often fall outside the traditional expertise of network security managers.
The relative obscurity of web application vulnerabilities thus makes them useful for attacks. As many organizations have discovered, these attacks will evade traditional enterprise network defenses unless you take new precautions.
To help you understand how to minimize these risks, Qualys provides this guide as a primer to web application security. The guide surveys typical web application vulnerabilities, compares options for detection, and introduces the QualysGuard Web Application Scanning solution – an on demand service from Qualys that automates detection of the most prevalent vulnerabilities in custom web applications.
Overview of Web Application Security
Attacks on vulnerabilities in web applications began appearing almost from the beginning of the World Wide Web, in the mid-1990s. Attacks are usually based on fault injection, which exploits vulnerabilities in a web application’s syntax and semantics.
Using a standard browser and basic knowledge of HTTP and HTML, an attacker attempts a particular exploit by systematically varying a Uniform Resource Identifier (URI) link, which in turn could trigger an exploit such as SQL injection or cross-site scripting.
A significant number of attacks exploit vulnerabilities in syntax and semantics. You can discover many of these vulnerabilities with an automated scanning tool. Logical vulnerabilities (flaws in the application's business logic) are very difficult to test with a scanning tool; finding them requires manual inspection of the web application's source code and manual security testing.
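The fault-injection idea above, as an added example that is not from the original paper: a user-controlled URI parameter is spliced into a query, so varying the parameter changes the statement's syntax and semantics, whereas a parameterised query binds the same value as data. The database, table contents and URIs are constructed for the example.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

# Constructed sample data standing in for an application's users table.
USERS = [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")]

# Constructed URIs: a normal request and one whose 'user' parameter carries
# SQL syntax (percent-encoded ' OR '1'='1).
NORMAL_URI = "/profile?user=alice"
CRAFTED_URI = "/profile?user=%27%20OR%20%271%27%3D%271"


def make_db():
    """Build an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def user_param(uri):
    """Extract the 'user' query parameter from a URI such as /profile?user=alice."""
    return parse_qs(urlparse(uri).query).get("user", [""])[0]


def lookup_vulnerable(conn, uri):
    """Builds the SQL by string concatenation: the parameter value becomes part
    of the statement's syntax, so a crafted value changes what the query means."""
    sql = "SELECT name FROM users WHERE name = '" + user_param(uri) + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_hardened(conn, uri):
    """Parameterised query: the value is bound as data and never parsed as SQL,
    so the crafted parameter simply matches no user name."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (user_param(uri),)))


def compare(uri):
    """Run both lookups against a fresh database for the given URI."""
    conn = make_db()
    return {"vulnerable": lookup_vulnerable(conn, uri),
            "hardened": lookup_hardened(conn, uri)}


if __name__ == "__main__":
    print("normal:", compare(NORMAL_URI))
    print("crafted:", compare(CRAFTED_URI))
```

The crafted request makes the concatenated query return every row, which is exactly the kind of behavioural difference an automated scanner looks for when it varies parameters.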
Web application security vulnerabilities can stem from misconfigurations, bad architecture, or poor programming practices within commercial or custom application code.
Vulnerabilities may be in code libraries and design patterns of popular programming languages such as Java, .NET, PHP, Python, Perl, and Ruby. These vulnerabilities can be complex and may occur under many different circumstances.
Using a web application firewall may mitigate the effects of some exploits but will not resolve the underlying vulnerabilities.