Web application hacking: Inside the mind of an attacker


Kevin Beaver, CISSP
01.15.2008
There's a tried and true method for seeking out the maximum number of vulnerabilities possible when testing your Web applications for security flaws. No, it's not a high-end Web application vulnerability scanner but rather a free "technique" that you can improve over time. You may not learn the methods overnight, but once you do, it's virtually guaranteed to take your Web vulnerability testing to the next level. It's stepping into the mindset of a malicious attacker and delving in to see what else in the Web application can be exploited.

Many people refer to this approach as penetration testing, but it's actually more than that. Technically speaking, it's called ethical hacking. This term always generates a few giggles, but it's indeed a valid form of security testing. The thing is, you'll find that by looking at your Web applications from the dark side you'll uncover and exploit weaknesses that automated scanners or checklist audits wouldn't touch in a thousand years.

The malicious mindset isn't limited to the stereotyped "hacker" as we know him. Anyone can have a malicious mindset -- not just an outsider. So, think about what an authenticated and trusted insider could do. In many cases, it's not going to be fancy cross-site scripting (XSS) or SQL injection but rather basic login mechanism tampering or URL or form field manipulation. Maybe even exploiting file transfer capabilities or disabling certain security features that no one knew he had access to.

Here's a perfect example of hacking Web applications from inside the attacker's mind:

While working on a project recently, I came across an internal Web server that hosted the security management/control application for the organization's data center. When trying to log in to the application, it prompted me for the password. I didn't have it. This is where most security scans and checklist audits would stop. But taking things further, I thought I'd Google the Web server and application name (which were conveniently displayed on the login page) along with the words "default password". Within about 3 seconds I had the default login ID and password, and sure enough, they worked!

Having more malicious thoughts, I went on to see what else could be done with the data center's controls. Conveniently, I now had the ability to do the following:

Had this been a real-world intrusion, the attacker would have "owned" the system and had at his disposal all the right things to cause systems to crash, enable future access and cover his tracks. This is what the malicious mindset is all about: figuring out what can be done to perform dirty deeds in the shortest time possible with the least chance of getting caught.
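The default-password scenario above has a straightforward defensive counterpart: treat vendor defaults as known-bad credentials, force rotation the first time one is used, and alert on every attempt to use one. The Python below is an added example written for this page; it is not code from the article or from the data center product Kevin describes. The `VENDOR_DEFAULTS` list, the `CredentialStore` class and its methods are constructed placeholders, not real product defaults.

```python
"""Added example: a login path that treats vendor default credentials as
known-bad. The default list and account store are constructed placeholders."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed placeholder list of vendor defaults for a hypothetical product.
VENDOR_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("operator", "operator")}
MIN_PASSWORD_LEN = 12
PBKDF2_ROUNDS = 50_000  # kept modest so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = False


class CredentialStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.alerts: list[str] = []  # would be forwarded to a SIEM in a real deployment

    def provision(self, username: str, password: str) -> None:
        """Create an account; a vendor default is flagged for rotation on first login."""
        salt = os.urandom(16)
        self.accounts[username] = Account(
            username, salt, _hash(password, salt),
            must_change_password=(username, password) in VENDOR_DEFAULTS,
        )

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'password_change_required' or 'denied'."""
        acct = self.accounts.get(username)
        if acct is None:
            _hash(password, b"\x00" * 16)  # same cost path so timing does not reveal valid usernames
            return "denied"
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            if (username, password) in VENDOR_DEFAULTS:
                self.alerts.append(f"default-credential attempt for {username!r}")
            return "denied"
        if acct.must_change_password:
            # Correct password, but it is still the vendor default: log it and block until rotated.
            self.alerts.append(f"login with unrotated vendor default for {username!r}")
            return "password_change_required"
        return "ok"

    def change_password(self, username: str, new_password: str) -> bool:
        """Reject vendor defaults and short passwords; clear the rotation flag on success."""
        acct = self.accounts.get(username)
        if acct is None:
            return False
        if (username, new_password) in VENDOR_DEFAULTS or len(new_password) < MIN_PASSWORD_LEN:
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.must_change_password = False
        return True
```

The login page itself should not print the product name and version that made the search so quick; that is a one-line template change and is left out here. The point of the store is that a default credential can never silently become a working long-term login: it works exactly once, produces an alert, and must be replaced with something that is not on the default list.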

Other examples of hacking Web applications from inside the attacker's mind that I've come across:

The possibilities are endless.

Criminals are thinking malicious thoughts, and we as IT and security professionals need to as well if we're going to defend against them. You can test this malicious mindset concept anywhere. The next time you're at a friend's house or in the grocery store, look around and see what could be exploited for ill-gotten gains. Things ranging from door hinges accessible from the outside of a house to a harried father walking 50 feet ahead of his toddler are weaknesses just waiting to be exploited. All it takes is one bad guy to come along and act upon it.

Work on this over and over again to sharpen your malicious eye and use an otherwise negative approach to security weaknesses in a positive way. Noticeable changes will soon follow.

-----------------------------------------
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels blog and information security audio books providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.


All Rights Reserved, Copyright 2006 - 2009, TechTarget | Read our Privacy Policy