Website Security Whitepaper

Website Security 101


Over 700 million people worldwide bank, shop, buy airline tickets, and perform research using the World Wide Web. With each transaction, private information, including names, addresses, phone numbers, credit card numbers, and passwords, is routinely transferred and stored in a variety of locations. Billions of dollars and millions of personal identities are at stake every day. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough to protect websites from hackers (see 5 Myths of Website Security). Today, with prominent Web attacks taking place seemingly every week, the industry knows better.

The Web Application Security Consortium (WASC) has identified twenty-four classes of Web attacks, including Cross-Site Scripting (XSS) and SQL Injection, used to prey upon corporations, their customers, and educational institutions. These attacks are forcing many organizations to take a hard look at their existing website security posture. In many cases, web application or website security is a new concept with many facets. This paper will examine the fundamental components of a website, entry points of Web attacks, attack methodologies, and suggested preventive measures for effective and complete website vulnerability management.

The Basics

The best way to begin exploring website security is by learning how the Web works. While most IT professionals are very comfortable with using a Web browser to surf the Web, few of us look behind the application, at the client-server structure that powers the Web. This structure governs the way Web browsers (Firefox, Microsoft Internet Explorer) must communicate with Web servers (Apache, Microsoft IIS) to retrieve Web pages. To peer deeper into the world of the Web, we’ll begin by looking at the Web browser location bar.

All major Web browsers possess a location bar that displays the Web address (URL) of the current Web page. URL manipulation is one of the many ways to launch a Web application attack, and yet location bars are required so that customers, partners, and hackers alike can view your website. URLs are used to uniquely identify the location of a Web page or on-line resource. When traveling from one Web page to the next, the displayed URL is updated. URLs, also referred to as links, are commonly embedded in Web pages so that visitors can click on them to visit other pages. URLs also tell us a lot about a website: what type of communication it expects, what operating system it runs, what type of Web application code is in use, and more. We'll be exploring the anatomy of URLs closely in the following section, and we'll look at how each section can be vulnerable to attack.
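As an added illustration of the URL anatomy described above (this is example code written for this page, not part of the whitepaper or WhiteHat's own tooling), the script below splits a URL into scheme, host, port, path, file extension, and query string, notes what the extension hints about the server-side technology, and lists every query parameter as user-controlled input the application must validate. The sample URLs, hostnames, and the extension-to-technology table are constructed assumptions for the example.

```python
"""Dissect a URL into its components and note what each reveals about a site."""
from urllib.parse import urlsplit, parse_qsl

# Constructed sample URLs for the example (hypothetical hosts, not real sites).
SAMPLE_URLS = [
    "https://shop.example.com:8443/cart/checkout.aspx?item=42&qty=1",
    "http://www.example.org/docs/index.php?page=about",
    "http://www.example.org/",
]

# What a file extension in the path commonly hints about the server stack.
# This mapping is an assumption for the example, not an exhaustive list.
TECH_HINTS = {
    ".aspx": "Microsoft ASP.NET (typically IIS on Windows)",
    ".asp": "classic ASP (IIS)",
    ".php": "PHP",
    ".jsp": "Java Server Pages",
    ".cgi": "CGI script",
}


def dissect_url(url):
    """Return the anatomy of a URL as a dictionary of labelled components."""
    parts = urlsplit(url)
    path = parts.path or "/"
    # Only the last path segment can carry a file extension.
    last_segment = path.rsplit("/", 1)[-1]
    ext = last_segment[last_segment.rfind("."):] if "." in last_segment else ""
    # An explicit port overrides the scheme's default (443 for https, 80 for http).
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": port,
        "path": path,
        "extension": ext,
        "technology_hint": TECH_HINTS.get(ext.lower(), "unknown"),
        # keep_blank_values so a parameter like "?debug=" is still reported.
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "encrypted_transport": parts.scheme == "https",
    }


def untrusted_inputs(url):
    """Names of query parameters: each one is client-controlled data the
    server must validate, because anyone can edit it in the location bar."""
    return [name for name, _ in parse_qsl(urlsplit(url).query,
                                           keep_blank_values=True)]


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        anatomy = dissect_url(sample)
        print(sample)
        for key, value in anatomy.items():
            print(f"  {key:>19}: {value}")
        print(f"  {'untrusted inputs':>19}: {untrusted_inputs(sample)}")
```

Running the script prints one labelled breakdown per sample URL; the "untrusted inputs" line is the defender's takeaway, since every name it lists is a value the server receives directly from whoever typed the URL.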

About the Author
Jeremiah Grossman is the founder and CTO of WhiteHat Security. Mr. Grossman is a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and recently named to InfoWorld's Top 25 CTOs for 2007. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques, and co-author of the recently published book, Cross-Site Scripting Attacks. Mr. Grossman is frequently quoted in business and technology publications such as InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, SecurityFocus, C-Net, CSO Magazine, and InformationWeek.

2010 © Copyright  |  WhiteHat Security  |  3003 Bunker Hill Lane, Santa Clara, CA 95054  |  408.343.8300