Headlines like “Web Application Vulnerabilities Continue to Skyrocket,” and “9 Ways Web Apps Woo Hackers,” are timeless. Since the first web application was able to deliver rich content to visitors, attackers have looked to exploit any holes they could to damage, deface, and defraud. As the trend to deliver applications through web browsers continues to grow, the number of vulnerabilities available to cyber criminals grows exponentially.
As most businesses rely on web sites to deliver content to their customers, interact with customers, and sell products, certain technologies are often deployed to handle the different tasks of a web site. A content management system like Joomla! or Drupal may be the solution used to build a robust web site filled with product- or service-related content. Businesses often turn to blogs using applications like WordPress, or forums running on phpBB, that rely on user-generated content from the community to give customers a voice through comments and discussions. ZenCart and Magento are often the solutions to the e-commerce needs of both small and large businesses that sell directly on the web. Add in the thousands of proprietary applications that web sites rely on, and it is clear why securing web applications should be a top priority for any web site owner, no matter how big or small.
Web applications give visitors access to the most critical resources of a web site: the web server and the database server. As with any software, the developers of web applications spend a great deal of time on features and functionality and very little on security. It's not that developers don't care about security; nothing could be further from the truth. The reason so little time is spent on security is often a lack of security understanding on the part of the developer, or a lack of time allocated to security on the part of the project manager.
For whatever reason, applications are often riddled with vulnerabilities that attackers use to gain access to either the web server or the database server. From there any number of things can happen. They can:
With the dotDefender web application firewall you can avoid many different threats to web applications: dotDefender inspects your HTTP traffic and checks the packets against rules, such as rules to allow or deny protocols, ports, or IP addresses, to stop web applications from being exploited.
Architected as plug & play software, dotDefender provides optimal out-of-the-box protection against DoS threats, cross-site scripting, SQL Injection attacks, path traversal and many other web attack techniques.
The reasons dotDefender offers such a comprehensive solution to your web application security needs are:
There are many different ways malicious hackers attack a web application. Simply doing a bit of research with Google can expose a number of vulnerabilities in some of the most popular web applications like WordPress, ZenCart, Joomla!, Drupal, and MediaWiki. Not only are the vulnerabilities in these applications, and many others, easy to find - but with an automated search attackers can find exactly which web sites have not fixed these vulnerabilities.
Most commonly, the following tactics are used to attack these applications:
SQL Injection works by the attacker finding an area of a web site that accepts user input without filtering escape characters. User login areas are often targeted because they have a direct link to the database, since credentials are usually checked against a user table of some sort. By injecting a SQL fragment like ‘ ) OR 1=1--, the attacker can access information stored in the web site’s database. Of course, the example above is a relatively simple SQL statement. The statements attackers use are often far more sophisticated, especially once they know the names of the tables in the database, since such tailored statements generally produce better results.
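To show concretely why an unfiltered login form is dangerous and what the fix looks like, here is an added example (not code from the page or from dotDefender) that runs the page's sample input against two versions of the same login check. The table, row and credentials are constructed for the example; the only thing taken from the page is the ‘ ) OR 1=1-- fragment. The first version splices the submitted values into the SQL text, the second binds them as parameters.

```python
import sqlite3

# Constructed sample data for this example only: a one-row users table in memory.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Login check that splices the submitted values straight into the SQL text.
    Whatever the visitor types becomes part of the statement the database parses."""
    query = ("SELECT COUNT(*) FROM users WHERE (username = '%s' AND password = '%s')"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    """Same check with bound parameters: the values travel separately from the SQL text,
    so a quote, parenthesis or comment marker in the input is data, never syntax."""
    query = "SELECT COUNT(*) FROM users WHERE (username = ? AND password = ?)"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

# The page's example fragment, used here as a test input for the two checks.
INJECTED_USERNAME = "' ) OR 1=1--"

def compare(username, password):
    """Return (vulnerable_result, parameterized_result) for one credential pair."""
    conn = build_db()
    try:
        return (login_vulnerable(conn, username, password),
                login_parameterized(conn, username, password))
    finally:
        conn.close()

if __name__ == "__main__":
    # Real credentials pass both checks; the injected username passes only the
    # vulnerable one, because the closing quote and ")" end the condition early,
    # "OR 1=1" makes the WHERE clause true for every row, and "--" comments out the rest.
    print("valid credentials:", compare("alice", "correct-horse-battery"))
    print("wrong password:   ", compare("alice", "wrong"))
    print("injected username:", compare(INJECTED_USERNAME, "anything"))
```

The parameterized query is the hardened form: the database driver never sees the submitted text as SQL, so no escaping logic has to be written or kept correct by the application developer.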
Cross Site Scripting (XSS) attacks occur when an attacker is able to inject a malicious client-side script into a vulnerable web page. When these scripts are run, they can be used to install malicious software on the visitor’s computer, steal a visitor’s cookie, or hijack a visitor’s session.
Remote Command Execution vulnerabilities allow attackers to pass arbitrary commands to other applications. In severe cases, the attacker can obtain system level privileges allowing them to attack the servers from a remote location and execute whatever commands they need for their attack to be successful.
Path Traversal vulnerabilities give the attacker access to files, directories, and commands that generally are not accessible because they reside outside the normal realm of the web document root directory. Unlike the other vulnerabilities discussed, Path Traversal exploits exist due to a security design error - not a coding error.
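Because the page attributes Path Traversal to a design error rather than a coding slip, the relevant defensive design is a single place that maps every requested path onto the document root and refuses anything that resolves outside it. The following is an added example of such a check (not code from the page or from dotDefender); the document root path and the sample requests are constructed for illustration.

```python
import os
from urllib.parse import unquote

# Hypothetical document root for this example; any absolute directory works.
DOC_ROOT = "/var/www/html"

def resolve_under_root(doc_root, requested):
    """Map a requested path to a filesystem path and confirm it stays inside doc_root.
    Returns the resolved absolute path, or None when the request would escape the root."""
    decoded = unquote(requested)           # decode once: servers see %2e%2e as ".."
    if "\x00" in decoded:                  # NUL bytes truncate paths in C-based file APIs
        return None
    root = os.path.realpath(doc_root)
    # Drop a leading slash so join() treats the request as relative to the root,
    # then collapse ".." segments and symlinks with realpath() before comparing.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def serve_decision(requested):
    """Return 'serve' or 'reject' for one requested path (readable form for logs)."""
    return "serve" if resolve_under_root(DOC_ROOT, requested) else "reject"

# Constructed sample requests, each labelled with the decision the check should reach.
SAMPLE_REQUESTS = [
    ("images/logo.png", "serve"),
    ("/index.html", "serve"),
    ("../../etc/passwd", "reject"),
    ("%2e%2e/%2e%2e/etc/passwd", "reject"),   # percent-encoded ".." segments
    ("images/../../config.php", "reject"),    # climbs out from a subdirectory
    ("images/../index.html", "serve"),        # ".." that stays inside the root is fine
    ("notes.txt%00.jpg", "reject"),           # NUL byte after the real file name
]

if __name__ == "__main__":
    for path, expected in SAMPLE_REQUESTS:
        print(f"{path!r:32} -> {serve_decision(path):6} (expected {expected})")
```

The check compares resolved paths rather than searching the string for `..`, so encoded, nested or symlinked variants are all handled by the same rule; a request that contains `..` but still resolves inside the root is allowed, which keeps the false-positive rate low.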
With so many web sites running applications, attackers have taken to creating automated tools that can launch well coordinated attacks against a number of vulnerable web sites at once. With this capability, the targets of these malicious hackers are no longer limited to large corporate web sites. Smaller web sites are just as easily caught up in the net cast by these automated attacks.
The repercussion of having your web site compromised can be devastating to any business, no matter what the industry or size of the company. The after-effects of these attacks include:
dotDefender's unique security approach eliminates the need to learn the specific threats that exist on each web application. The software that runs dotDefender focuses on analyzing the request and the impact it has on the application. Effective web application security is based on three powerful web application security engines: Pattern Recognition, Session Protection and Signature Knowledgebase.
The Pattern Recognition web application security engine employed by dotDefender effectively protects against malicious behavior such as the attacks mentioned above, and many others. The patterns are regular expression-based and designed to efficiently and accurately identify a wide array of application-level attack methods. As a result, dotDefender is characterized by an extremely low false positive rate.
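To make the idea of regular-expression pattern recognition over HTTP requests concrete, here is an added example of a small rule engine of that kind. It is not dotDefender's code or rule set, and the rules, request structure and sample requests are all constructed for illustration. It decodes each parameter value once and inspects values rather than the raw URL, which is one of the choices that keeps such an engine's false positives down.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Hypothetical rule set for this example; a production engine carries far more rules.
RULES = [
    ("sqli-tautology", re.compile(r"""(?i)\b(or|and)\b\s*['")]*\s*\d+\s*['")]*\s*=\s*['")]*\s*\d+""")),
    ("sqli-comment", re.compile(r"[')\d]\s*--")),   # "--" only when it ends a quoted/numeric value
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon\w+\s*=")),
    ("path-traversal", re.compile(r"\.\./|\.\.\\")),
]

def extract_values(request):
    """Yield (location, value) pairs worth inspecting, each URL-decoded exactly once."""
    parts = urlsplit(request["path"])
    yield ("path", unquote(parts.path))
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        yield (f"query:{key}", value)
    for key, value in parse_qsl(request.get("body", ""), keep_blank_values=True):
        yield (f"body:{key}", value)

def inspect_request(request):
    """Return [(rule_name, location), ...] for every rule that fires on the request."""
    hits = []
    for location, value in extract_values(request):
        for name, pattern in RULES:
            if pattern.search(value):
                hits.append((name, location))
    return hits

def decide(request):
    """Allow the request unless at least one rule matched."""
    return "deny" if inspect_request(request) else "allow"

# Constructed sample requests: method, path (with query string) and optional form body.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/index.php?option=com_content&id=42"},
    {"method": "POST", "path": "/wp-login.php", "body": "log=admin&pwd=%27+%29+OR+1%3D1--"},
    {"method": "GET", "path": "/search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"},
    {"method": "GET", "path": "/download?file=..%2F..%2Fetc%2Fpasswd"},
    {"method": "POST", "path": "/comment", "body": "text=I+love+this+product+--+really%21"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req['method']} {req['path']:48} -> {decide(req):5} {inspect_request(req)}")
```

The last sample request carries a harmless `--` inside a comment body and is allowed, because the comment rule requires the marker to follow a quote, parenthesis or digit; that kind of anchoring, not the raw keyword, is what separates a usable rule from a noisy one.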
What sets dotDefender apart is that it offers comprehensive protection against threats to web applications while being one of the easiest solutions to use.
In just 10 clicks, a web administrator with no security training can have dotDefender up and running. Its predefined rule set offers out-of-the-box protection that can be easily managed through a browser-based interface with virtually no impact on your server or web site’s performance.