Insecure Code
The security problem often lies within the Web application itself, as Eran Reshef from Perfecto Technologies demonstrated in his talk. The company performed audits on 37 major Web sites and 36 had significant problems at the application level that could be exploited in a matter of hours. While heavily secured at the network level, these sites still allowed hackers to execute Unix shell commands, download source and even submit SQL queries.
Web applications are usually custom-built, using insecure code developed internally combined with insecure code purchased from the outside. The external code could for example contain a backdoor left by the original programmer, giving him full access to the Web server. Other application hacking techniques include manipulation of hidden fields, parameter tampering and cookie poisoning.
Hidden fields are often used to save information about the client's session, eliminating the need to maintain a complex database on the server side. Normally a client does not see hidden fields, but it is relatively simple to display and change them. This method is used, for example, for 'electronic shoplifting': changing the price of a product in an electronic shopping cart.
In the case of parameter tampering, the failure to confirm the correctness of CGI parameters embedded inside a hyperlink can be used to break the site's security. Reshef demonstrated how to display the database of an online pharmacy, revealing sensitive customer information. Cookies are not always cryptographically protected, and a hacker can modify them so that the server returns information belonging to another user, in effect stealing that user's identity while bypassing security measures like logins and passwords.
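As an added illustration, not code from the talk or from Perfecto Technologies, the two patterns above side by side: a checkout that trusts a hidden price field versus one that looks prices up server-side, plus a session cookie bound to a keyed MAC so that modification is detected. The catalogue, secret and field names are constructed for this example.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed server-side catalogue, prices in cents (assumed data, not from the article).
CATALOGUE = {"sku-100": 4999, "sku-200": 1999}
# Constructed secret used only to sign session cookies; a real deployment keeps it out of code.
SECRET = b"constructed-demo-secret"


def checkout_total_insecure(form_body: str) -> int:
    """'Electronic shoplifting' pattern: the total is computed from a hidden
    price field the client controls, so editing the form changes the bill."""
    form = parse_qs(form_body)
    return int(form["price"][0]) * int(form["qty"][0])


def checkout_total_secure(form_body: str) -> int:
    """Hardened pattern: the client only names the product and quantity;
    the price comes from the server-side catalogue, never from the request."""
    form = parse_qs(form_body)
    sku, qty = form["sku"][0], int(form["qty"][0])
    if sku not in CATALOGUE or not 1 <= qty <= 100:
        raise ValueError("rejected: unknown product or bad quantity")
    return CATALOGUE[sku] * qty


def make_session_cookie(user: str) -> str:
    """Append an HMAC-SHA256 tag so a changed user id no longer verifies."""
    tag = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def user_from_cookie(cookie: str):
    """Return the user id only if the tag verifies; a poisoned cookie yields None."""
    user, _, tag = cookie.rpartition(".")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None
```

The insecure handler happily bills one cent when the hidden price is edited, while the hardened one ignores the submitted price entirely and rejects a cookie whose user id was swapped.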
A far less sophisticated security problem lies in basic human error and negligence, according to Fred Avolio, independent security consultant and co-author of SENDMAIL: THEORY AND PRACTICE. In the early days of the Internet, it was used only by scientists and engineers who were technically savvy. Today everybody has access to the network, from office administrator to CEO, and everything is 'point and click'. Sometimes all it takes is one click to infect the whole network, and every computer connected to it, with a virus. Just remember Melissa.
And then, there is of course the almost comical situation of the company that insisted it had a really good firewall. When Avolio went in and wanted to test it, they pointed to an unopened box sitting next to the server. Nobody had actually installed the software. Or as Marcus Ranum put it: 'You can design the best seatbelt in the world, and then your customer puts it around his neck'.