WhiteHat Security Whitepapers
Software-as-a-Service Brief vs. "Do-it-Yourself" with a Web Application Scanner – Technical Brief :: January 2008
Software-as-a-Service (SaaS) is the efficient, modern way of delivering applications and securing them. Google, Salesforce.com, Amazon, and many other forward-thinking companies have set the stage for SaaS adoption. Payroll, email, spam and malware filtering, CRM, financial services, order processing, and even network vulnerability management are popular solutions already rapidly taking advantage of the SaaS model. The economics and business efficiencies are simply too compelling to pass up. As the industry leader for website vulnerability management delivered via SaaS, WhiteHat Security is demonstrating its value to the enterprise. :: Download 1.2 MB PDF »
7 Business Logic Flaws That Put Your Website At Risk :: September 2007
Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. There are many forms of business logic vulnerabilities commonly exploited by attackers. These vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do, not what it can be made to do. The other problem with business logic flaws is that scanners can't identify them, IDS can't detect them, and Web application firewalls can't defend against them. Hardly a winning trifecta. Plus, the more sophisticated and feature-rich (Web 2.0) a website is, the more prone it is to flaws in business logic, because of the complexity involved.
As the number of common vulnerabilities such as SQL Injection and Cross-Site Scripting is reduced, the bad guys are increasing their attacks on business logic flaws. Following are real-world scenarios that demonstrate how pernicious and dangerous business logic flaws are to the security of a website. We'll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them. :: download 3.83 MB PDF »
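The abstract above says QA tests what code is supposed to do, not what it can be made to do, and that scanners cannot see the difference. The following is an added illustration (not code from the whitepaper or from WhiteHat Security) of one such flaw in a credit card checkout step: a handler that trusts the order total submitted by the browser, beside one that recomputes it from server-side prices and rejects impossible quantities. The catalogue, SKUs, prices and form layout are all constructed for the example.

```python
"""Business-logic flaw in a checkout step: trusting client-supplied values.

Constructed example. The vulnerable handler is functionally correct for a
well-behaved browser, so a QA test of "does checkout charge the total?"
passes and a scanner looking for injection finds nothing. The flaw is only
visible when you ask what the handler can be made to do.
"""
from decimal import Decimal

# Server-side catalogue (constructed): the only legitimate source of prices.
CATALOGUE = {"sku-100": Decimal("49.99"), "sku-200": Decimal("9.50")}
MAX_QTY = 100


class OrderError(ValueError):
    """Raised by the hardened handler when an order fails validation."""


def charge_vulnerable(form: dict) -> Decimal:
    """Charges whatever total the submitted form says.

    The hidden 'total' field was computed by the site's own page, so the
    developer assumed it was trustworthy. Anyone can edit it before posting.
    """
    return Decimal(form["total"])


def charge_hardened(form: dict) -> Decimal:
    """Recomputes the total from server-side prices and validates quantities."""
    total = Decimal("0")
    for sku, qty in form["items"].items():
        if sku not in CATALOGUE:
            raise OrderError(f"unknown sku {sku}")
        # type() rather than isinstance(): bool is a subclass of int in Python.
        if type(qty) is not int or qty < 1 or qty > MAX_QTY:
            raise OrderError(f"invalid quantity for {sku}: {qty!r}")
        total += CATALOGUE[sku] * qty
    # A client-supplied total may be present for display; it is never trusted,
    # and a mismatch is itself a tampering signal worth logging.
    if "total" in form and Decimal(form["total"]) != total:
        raise OrderError("client total does not match server total")
    return total


def demo() -> dict:
    """Run an honest order and two tampered orders through both handlers."""
    honest = {"items": {"sku-100": 1, "sku-200": 1}, "total": "59.49"}
    # Tampered: same items, hidden total edited before submission.
    cheap = {"items": {"sku-100": 1, "sku-200": 1}, "total": "0.01"}
    # Tampered: negative quantity used to net the order down.
    negative = {"items": {"sku-100": 1, "sku-200": -5}, "total": "2.49"}

    out = {
        "vulnerable_honest": str(charge_vulnerable(honest)),
        "vulnerable_cheap": str(charge_vulnerable(cheap)),
        "hardened_honest": str(charge_hardened(honest)),
    }
    for name, order in (("cheap", cheap), ("negative", negative)):
        try:
            charge_hardened(order)
            out[f"hardened_{name}"] = "accepted"
        except OrderError as exc:
            out[f"hardened_{name}"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the example is that nothing in `charge_vulnerable` looks like a bug to a scanner: there is no injection, no missing authentication, just an assumption about where a number came from. The fix is not a filter but a change in what the server treats as authoritative.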
10 Things You Should Know About Website Security :: June 2007
Phishing schemes. Stolen credit card numbers. Identity theft. Web applications have emerged as the target of choice for money-hungry hackers. Attacks have moved from the network to the everyday web applications that people use to manage their lives: online shopping and banking, healthcare information management, insurance payments, travel booking and college applications.
The ramifications for companies are clear – loss of data, loss of consumer confidence and loss of brand integrity. No company can afford the black mark of a website hack. With many states mandating full disclosure, and the federal government close behind with its own efforts, the luxury of keeping these incidents behind closed doors has passed. Organizations must develop a strategy for web application security. :: read more »
Automated Scanning vs the OWASP Top Ten :: June 2007
The OWASP Top Ten is a list of the most critical website security flaws – a list also often used as a minimum standard for website vulnerability assessment (VA) and compliance. There is an ongoing industry dialog about the possibility of identifying the OWASP Top Ten in a purely automated fashion (scanning). People frequently ask what can and can’t be found using either white box or black box scanners. This is important because a single missed vulnerability, or more accurately exploited vulnerability, can cause an organization significant financial harm. Proper expectations must be set when it comes to the various vulnerability assessment solutions. :: read more »
Cross Site Request Forgery (CSRF) :: August 2007
Cross-Site Request Forgeries (CSRF). Session Riding. Client-Side Trojans. Confused Deputy. Web Trojans. Confused? Every year, for the past several years, the exact same Web attack is discovered, analyzed, and subsequently renamed. Whatever it's called, it all means the same thing: an attacker forces an unsuspecting user's browser to send requests the user did not intend, potentially compromising that user's own banking, e-commerce or other website accounts.
Attackers have begun to actively exploit CSRF vulnerabilities across the Web. Why now? Because it's incredibly easy and the vast majority of websites are vulnerable to it. How do you stop an attack originating from a "real user," who may be properly logged in and whose browser sends what looks like a legitimate request, when the problem is that the user never intended to make that request? :: read more »
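The question the abstract ends on, how to tell a request the logged-in user meant to make from one their browser was tricked into sending, is what the synchronizer-token pattern answers. The following is an added example (not code from the whitepaper or from WhiteHat Security) that models the attack and the defence in plain Python: a fund-transfer handler that authorises purely on the session cookie, beside one that also demands a per-session secret that only the legitimate site's own page could have embedded in the form. The session store, request shape, field names and amounts are constructed for the example.

```python
"""CSRF: a state-changing handler authorised by cookie alone, and the same
handler protected with a synchronizer token. Constructed example.

The browser attaches cookies to every request to the site regardless of which
page built the request. An attacker's page can therefore make the victim's
browser POST to the bank, but it cannot read the bank's pages, so it cannot
learn a secret the bank embedded in its own form.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Server-side session store: session id -> session state (constructed).
SESSIONS: dict = {}


@dataclass
class Request:
    """The subset of an HTTP POST that matters here."""
    cookies: dict = field(default_factory=dict)  # sent automatically by the browser
    form: dict = field(default_factory=dict)     # whatever page built the form


def login(user: str) -> str:
    """Create a session with a starting balance and a fresh CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "balance": 1000,
                     "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The value the legitimate site renders into a hidden form field."""
    return SESSIONS[sid]["csrf_token"]


def transfer_vulnerable(req: Request) -> tuple:
    """Authorises on the session cookie only: any page that can make the
    user's browser POST here can move the user's money."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    amount = int(req.form["amount"])
    sess["balance"] -= amount
    return 200, f"sent {amount} to {req.form['to']}"


def transfer_hardened(req: Request) -> tuple:
    """Synchronizer-token pattern: the form must carry the per-session token.
    Constant-time comparison avoids leaking the token through timing."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    amount = int(req.form["amount"])
    sess["balance"] -= amount
    return 200, f"sent {amount} to {req.form['to']}"


def forged_request(sid: str) -> Request:
    """A POST auto-submitted from the attacker's page: the victim's cookie
    rides along, but the attacker never saw the token."""
    return Request(cookies={"sid": sid},
                   form={"to": "attacker", "amount": "500"})


def legitimate_request(sid: str) -> Request:
    """A POST from the bank's own transfer form, token included."""
    return Request(cookies={"sid": sid},
                   form={"to": "landlord", "amount": "500",
                         "csrf_token": csrf_token_for(sid)})


def demo() -> dict:
    """Replay the forged and legitimate requests against both handlers."""
    sid = login("alice")
    return {
        "forged_vs_vulnerable": transfer_vulnerable(forged_request(sid))[0],
        "forged_vs_hardened": transfer_hardened(forged_request(sid))[0],
        "legit_vs_hardened": transfer_hardened(legitimate_request(sid))[0],
        "balance": SESSIONS[sid]["balance"],
    }


if __name__ == "__main__":
    print(demo())
```

The forged request is indistinguishable from a real one at the network layer (same cookie, same URL, well-formed parameters), which is why the abstract says firewalls and IDS do not help. The token works because it is bound to the session and never readable cross-origin; it has to be checked on every state-changing request, not only on login.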
Cross Site Scripting Worms and Viruses :: June 2007
On October 4, 2005, the "Samy Worm" became the first major worm to use Cross-Site Scripting ("XSS") for infection propagation. Overnight, the worm altered over one million personal user profiles on MySpace.com, the most popular social networking site in the world. The worm infected the site with JavaScript viral code and made Samy, the hacker, everyone's pseudo "friend" and "hero." MySpace, at the time home to over 32 million users and a top-10 trafficked website in the U.S. (based on Alexa ranking), was forced to shut down in order to stop the onslaught.
Samy, the author of the worm, was on a mission to be famous, and as such the payload was relatively benign. But consider what he might have done with control of over one million Web browsers and the gigabits of bandwidth at their disposal, browsers that were also potentially logged in to Google, Yahoo, Microsoft Passport, eBay, web banks, stock brokerages, blogs, message boards, or any other web-based applications. It's critical that we begin to understand the magnitude of the risk associated with XSS malware and the ways that companies can defend themselves and their users, especially when the malware originates from trusted websites and aggressive authors. :: read more »
Top 5 Myths of Website Security :: June 2007
Hackers behave like water, taking the path of least resistance. Today this path leads over SSL, and past the firewall, where nothing exists between them, the website, and the information it holds. This is how a Web hacker views the world. Using a browser and a few simple tricks, hackers can penetrate a website, access the credit card database, and make off with critical data, customer databases or even intranet information, unseen. With network firewalls and patch management now standard practice, the network perimeter has become increasingly secure. Determined to stay a step ahead, hackers have moved up the software stack, focusing on the website itself. Gartner Group has stated that over 70% of cyber attacks occur at the application layer. Even more alarming, WhiteHat Security has found that 8 in 10 websites currently have serious vulnerabilities. :: read more »
Technology Alone Cannot Defeat Website Attacks: Understanding Technical vs. Logical Vulnerabilities :: June 2007
On November 11th, 2003, the chess-playing machine X3D Fritz tied grandmaster and former world champion Garry Kasparov in a four-game match. In this classic contest of Man vs. Machine, X3D Fritz performed so impressively that the match was heralded as a victory for artificial intelligence. X3D Fritz's powerful play was achieved by calculating millions of moves per second, backed by gigabytes of stored positions. Each time Kasparov moved a chess piece, X3D Fritz would analyze the board by drawing upon its vast knowledge base to select the best possible move. So what do chess, the world's most dominant computer chess machine, and Garry Kasparov have to do with website security? :: read more »
Website Security 101 :: June 2007
Over 700 million people worldwide bank, shop, buy airline tickets, and perform research using the World Wide Web. With each transaction, private information, including names, addresses, phone numbers, credit card numbers, and passwords, is routinely transferred and stored in a variety of locations. Billions of dollars and millions of personal identities are at stake every day. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough to protect websites from hackers. Today, with prominent Web attacks taking place seemingly every week, the industry knows better. :: read more »
Vulnerability Assessment Plus Web Application Firewall (VA+WAF) :: June 2008
VA + WAF (F5 Networks) Whitepaper
Inside an enterprise lives an IT security professional responsible for website security. He takes his job seriously, because if his employer's websites get hacked, he gets the late-night call from the boss upstairs. A big part of the job requires educating developers on the importance of secure coding and informing the business owners of Web security risks. He does this because no amount of patching or firewalling will fend off an attacker with a Web browser. While doing everything within his power, he still has almost no direct control over protecting the websites he's responsible for. He can't find the vulnerabilities with a traditional network scanner, nor can he fix them in the websites when they're found without developer involvement. But this is all about to change.
Download Whitepaper ›››
Jeremiah Grossman is the founder and CTO of WhiteHat Security. Mr. Grossman is a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and was recently named to InfoWorld's Top 25 CTOs for 2007. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is co-author of the recently published book, Cross-Site Scripting Attacks. Mr. Grossman is frequently quoted in business and technology publications such as InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, SecurityFocus, C-Net, CSO Magazine, and InformationWeek.