Like this CertiGuide? Get it in PDF format!
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Also available: 300-question Security+ practice test!
Get It Here!

Custom Search







Table Of Contents  CertiGuide to Security+
 9  Chapter 1:  General Security Concepts (Domain 1.0; 30%)
      9  1.4  Attacks
           9  1.4.12  Software Exploitation

Previous Topic/Section
Buffer Overflows
Previous Page
Pages in Current Topic/Section
1
Next Page
1.5  Malicious Code
Next Topic/Section

Naïve Web Applications

Another class of software exploits you’re likely to run into if you administer a web server involve poorly programmed web applications that don’t sufficiently check the validity of the data provided to the application by the web user, before using that data in the program. You’ve probably seen your share of web applications before. The way most web applications work is that a user fills in some data on a web form (such as name and address for a mailing list) and clicks “submit”, or clicks on an “order” button next to an item on an e-commerce site … then the data is transmitted to the web server and the application picks up the data and uses it.

Just as programmers sometimes don’t anticipate the sheer magnitude of data a user would throw at a program (in a buffer overflow exploit), they sometimes don’t anticipate the creative types of data a user might type in to a web form field which asks for the user’s name. Depending on how thoroughly the application checks for invalid data, an attacker might be able to send data containing characters like a single quote mark, semi-colon, dashes, back quotes, percent signs or other characters or words which have special meaning to the web server, application running on the web server, or database and cause it to behave in unanticipated ways that allow the attacker to cause damage. In a particular exploit known as SQL injection, a user embeds database commands into data submitted to a web form.

A complete explanation of this is far beyond the scope of this book, but the exploitation of software vulnerabilities in web applications is becoming more and more common, and those who follow the field of computer security are citing it as an area of concern. For example, the most recent OpenHack challenge, OpenHack 496, in which systems are made available over the Internet and users are invited to challenge their security, focuses on application security and involves both Microsoft and Oracle applications.

Attacking Legitimate Programs

Software exploitation includes taking advantage of legitimate programs for malicious purposes, using techniques like:

· Buffer overflows, which allow an attacker to overflow a program with data, causing it to crash or execute malicious code provided in the data by the attacker.

· SQL injection, which enables the attacker to submit their own database commands to the system, possibly deleting, changing or displaying data they’re not authorized to access, like credit card numbers and customer lists.


The important thing to remember about software exploits is that you can help protect your systems against them by keeping the software you run up to date, and by educating programmers in your organization on how to write secure code. Two excellent references on this subject are: Writing Secure Code97 by Michael Howard and David LeBlanc, the Open Web Application Security Project Guide98, and Designing Secure Web-Based Applications for Microsoft Windows 200099 by Michael Howard et. al.

If you’re writing web applications, or know someone in your company who does, we can’t say it strongly enough -- THEY NEED THIS INFO. If they don’t think they need it, then, seriously, they REALLY need it, because it’s likely they’ve made a false assumption or two about what safe web application coding looks like.

A Developer Reality Check

How much do your organization’s programmers, particularly those writing applications that are accessible by users on the Internet, know about writing secure code? As a simple yardstick, ask them if they know what buffer overflows and SQL injection attacks are, and how to prevent them.



 __________________

96. http://www.openhack.com

97. Howard, Michael and David LeBlanc, Writing Secure Code, Microsoft Press, November, 2001, http://www.nerdbooks.com/item.html?id=0735615888

98. http://www.owasp.org

99. Howard, Michael, Marc Levy, Richard Waymire and Doug Bayer, Designing Secure Web-Based Applications for Microsoft Windows 2000, Microsoft Press, July, 2000, http://www.nerdbooks.com/item.html?id=0735609950

Previous Topic/Section
Buffer Overflows
Previous Page
Pages in Current Topic/Section
1
Next Page
1.5  Malicious Code
Next Topic/Section

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $



Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.