How to Hack Web Applications

I’ve been evaluating Google’s Web Application and Defences tutorial over the past day or so. Based around a fictitious Web application called Jarlsberg, it consists of a series of exercises that allow the student to exploit the numerous security holes on the site. The vulnerabilities include Cross Site Scripting (XSS) in its many forms, Cross Site Request Forgery (XSRF), Path Traversal, Denial of Service (DoS), Privilege Escalation, AJAX vulnerabilities and remote code execution. The main absentees are SQL injection and buffer over flows.

Although a basic understanding of HTML and Javascript is necessary to understand the content, you don’t need to be an experienced web developer to benefit from the tutorial. Its main plus point is seeing exploits in action to demonstrate the damage they can cause. In the past I’ve sometimes had problems explaining quite why something like an XSRF vulnerability is a risk to a web site.

Web Application Vulnerability Trends

There is a recent report from Cenzic that produces statistics on Web vulnerabilities for Q1 and Q2 of 2009. Although such studies can be far from subjective, this one seems fairly well balanced and quotes, amongst others, NIST, US-CERT and SANS as sources.

Not surprisingly, web application vulnerabilities consisted of around 78% of all issues with old favourites Cross Site Scripting and SQL injection being the most significant.

The findings are somewhat disappointing as the vulnerabilities are not new and have appeared in the OWASP top 10 for many years. It suggests that more effort needs to be placed in good development practises as outlined here.

The report also has a section on browser vulnerabilities reporting that Firefox had 44% of all browser flaws over the period. As the Register points out, this isn’t really a true reflection of risk as other factors need to be considered such as vulnerability level, the time a manufacturer takes to fix it etc.