News

Bug Game Hunters: Web Applications are the next prey

Patrick Gray

Yesterday: Bug Game Hunters part one

Like many other bug hunters, Sydney's Chris Spencer believes Web application security will be a major challenge to come. "Web-based vulnerabilities are really going to become more important down the track," he says. "We will see more logic error vulnerabilities, issues based on poor security policies, poor configuration options, and authentication mechanisms."

Web security presents some particularly hairy challenges to those who maintain them. While software like Microsoft's Windows or Apple's OS X can be loaded on to a computer in someone's office and hacked away at all day, the same cannot be said for Web applications. Anyone attacking a hosted application -- like their Internet banking portal -- is asking for trouble.

Thus, those who maintain Web applications will only have one type of security researcher probing their systems for vulnerabilities -- the kind that don't care about breaking the law. (Podcast interview on this topic with Web application security expert Jeremiah Grossman here.) Sure, companies can hire security researchers to sift through their code, but they miss out on the benefit of the torture test that comes with throwing their product to the white-hat security wolves.

Indeed, the security vulnerability research field could be seeing a shift back to true hackery, where logic errors and the exploitation of undocumented "features" by miscreants redefine what a vulnerability is. Convicted hacker turned security consultant Adrian Lamo summed it up in a recent podcast interview. "It doesn't matter if an individual system is secure. Systems do not exist in a vacuum, individual security does not necessarily translate into security of the plurality. Its not like a pack of gazelles where it's the slowest one always gets picked off," he says.

In other words, complex systems may wind up being vulnerable when meshed together despite each individual system being secure. It's a philosophy that can be applied to networks, or even complicated software running on one machine. It's those errors in logic, not coding technique, that Lamo was able to most successfully exploit during his time on the wrong side of the law.

He describes one attack on a Web application used by a large organisation to control access to its intranet. "By altering the post headers that were set to the log in page, and removing the password field altogether... sure enough my suspicion based on the way other scripts had been written proved out to be correct on this one too. In the absence of an incorrect password since there is no error condition, then access was granted," he says.