Abhay Bhargav (India) - The Business Impact of Enterprise Web Application

Enterprises have begun to enjoy tremendous business benefits by deploying web applications. In India, the trend has been no different; I have noticed that web application adoption has been happening across enterprises. E-commerce applications have been adopted widely in India today, with multiple companies providing websites for online shopping, trading platforms, web-based auctions, etc. There has also been an explosion in online services, where banking, share and commodity trading, and ticket booking have gone online, with thousands of users being added every day. Sensitive information is channeled every day via these critical web applications.

In my experience with web application deployment in India, in 8 out of every 10 websites that my company tests we find serious web application holes that need to be fixed immediately. Organizations find themselves developing and deploying insecure web applications, which may lead to massive data breaches and thereby result in a great loss of revenue and reputation for the organization.

Flawed Logic and Coding Practices

According to a Gartner study, 75% of applications are insecure because of flawed coding practices. Modern application attacks focus largely on these flaws. For instance, SQL Injection is an attack in which the attacker identifies weaknesses in the way the application validates user input and makes database calls. The attacker can inject crafted SQL into the application's input and gain access to the database. Another common attack resulting from flawed coding practices is Cross Site Scripting (XSS). In XSS, the attacker enters JavaScript into the application's input; if the application does not effectively validate that input, the JavaScript is executed in the victim's browser, where the attacker can do almost anything: deface the page, steal other users' session credentials, or even something as extreme as bringing down the web application for a period of time. MySpace was one of the victims of an attack of this nature, a Cross Site Scripting worm.
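The two coding flaws described above, as an added example (not code from the article or from we45): a lookup that splices user input into SQL beside its parameterised replacement, and a greeting that reflects data into HTML beside its output-encoded replacement. The user table and the inputs are constructed for the demonstration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Alice"), ("bob", "Bob"), ("carol", "Carol")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Flawed coding practice: the input is spliced into the SQL text, so it can
    # change the structure of the query instead of acting as a plain value.
    query = f"SELECT display_name FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_fixed(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised query: the driver binds the input as a value, so it can only
    # ever be compared against the username column and never alters the SQL.
    query = "SELECT display_name FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def render_greeting_vulnerable(display_name: str) -> str:
    # Reflects data straight into HTML: any markup inside it is parsed by the
    # victim's browser as live script (XSS).
    return f"<p>Welcome, {display_name}</p>"


def render_greeting_fixed(display_name: str) -> str:
    # Output encoding: HTML metacharacters become entities, so the browser
    # displays the text rather than executing it.
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"                 # constructed input that closes the quote
    print(lookup_vulnerable(db, tampered))   # every display name leaks
    print(lookup_fixed(db, tampered))        # [] - treated as a literal username
    print(render_greeting_fixed("<script>alert(1)</script>"))
```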

Attackers use flaws in coding to perpetrate massive attacks against data. Their intention with most of these attacks is to compromise critical information that can be monetized. Information like credit card data, banking information and financial information is obtained in large quantities through these attacks. Banking web applications and e-commerce applications are constantly under threat from these attackers. Internal attackers (yes, they hack web apps too) use data compromised from systems like ERP systems or intranet web applications to steal business-sensitive information like client information and financial information (pricing information, sourcing information). They then sell it to competitors or use it for corporate espionage. In fact, I have seen several instances of internal attackers using open source tools from the Internet to perpetrate these attacks and gain access to sensitive information.

Business logic is critical for web applications, and flaws in it can yield rich dividends to an attacker. For instance, suppose that an attacker can send negative values to an e-commerce shopping cart and the transaction still goes through, or that a user with lower privileges can elevate his or her privileges to an administrative level through some kind of authorization flaw in the application. Business logic flaws are not the easiest to find, but frequent users of an application may accidentally stumble upon them.
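The two business logic flaws above, as an added example (not code from the article or from we45): a checkout that trusts client-submitted prices and quantities, so a negative line shrinks the total, beside a checkout that prices from a server-side catalogue and refuses bad quantities, plus a refund action whose authorization comes from the server-side session rather than from anything in the request. The catalogue and session store are constructed for the demonstration.

```python
# Constructed server-side catalogue: unit prices are looked up here, never
# taken from the client's request.
CATALOGUE = {"book": 12.50, "headphones": 89.00}

# Constructed session store: the role was fixed at login on the server, so it
# cannot be changed by editing a request parameter or a cookie.
SESSIONS = {"sess-alice": {"user": "alice", "role": "customer"},
            "sess-ops": {"user": "ops", "role": "admin"}}


class BusinessRuleViolation(Exception):
    """Raised when a request breaks a business rule; the transaction is refused."""


def checkout_total_flawed(lines: list) -> float:
    # Trusts client-submitted (item, price, quantity) lines: a negative quantity
    # simply subtracts from the total and the transaction still goes through.
    return round(sum(price * qty for _item, price, qty in lines), 2)


def checkout_total(cart: dict) -> float:
    """cart maps item id -> quantity exactly as the client submitted it."""
    total = 0.0
    for item, qty in cart.items():
        if item not in CATALOGUE:
            raise BusinessRuleViolation(f"unknown item {item!r}")
        # Quantities must be whole numbers in a sane range; negative, zero,
        # fractional and boolean values are refused rather than "handled".
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 100:
            raise BusinessRuleViolation(f"invalid quantity {qty!r} for {item!r}")
        total += CATALOGUE[item] * qty
    return round(total, 2)


def issue_refund(session_id: str, amount: float) -> str:
    # Authorization comes from the server-side session, not from a role field
    # in the request, so a customer cannot elevate to admin by tampering.
    session = SESSIONS.get(session_id)
    if session is None:
        raise BusinessRuleViolation("not authenticated")
    if session["role"] != "admin":
        raise BusinessRuleViolation(f"{session['user']} may not issue refunds")
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        raise BusinessRuleViolation("refund amount must be positive")
    return f"refund of {amount:.2f} issued by {session['user']}"


def is_rejected(fn, *args) -> bool:
    """True if the business rule check refuses the call."""
    try:
        fn(*args)
    except BusinessRuleViolation:
        return True
    return False
```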

Financial Damages

Financially, a compromise of a critical web application results in a serious loss of reputation. Attacks against the database or against other users, like SQL Injection and XSS, tend to be more complex than flaws in business logic. For instance, if a SQL Injection attack against an e-commerce application results in thousands of credit cards being stolen, the company would lose several customers because of the breach. It would also face legal sanctions under the Indian IT Act 2000 (Amendment 2008) if it had not taken adequate measures to protect its data from theft.

In web application deployments like banking or online stock trading, certain attacks can be deadly. An attack called XSRF (Cross Site Request Forgery) is particularly dangerous. Let's assume that a user of a bank receives an apparently 'legitimate' email from the bank while he has his bank account open in another browser window or tab. If he clicks the link in the email, a phantom request is sent to the vulnerable banking website to perform a privileged function, like transferring funds of a particular amount to the attacker's bank account. This attack combines email phishing with a web application attack. The attack can therefore reach thousands of bank account holders, and even if a small percentage of them click the link, the attacker stands to make a lot of money in fraudulent transfers.
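The phantom-request scenario above, as an added example (not code from the article or from we45): a transfer handler that authorizes on the session cookie alone, which the browser attaches to a request triggered from a phishing link, beside a handler that also demands a per-session anti-forgery token that only the bank's own page can embed. The session store and request shape are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed session store: the anti-forgery token is minted at login and
# held server-side; the browser only ever sees it inside the bank's own pages.
SESSIONS: dict = {}


def login(user: str) -> str:
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return session_id


def render_transfer_form(session_id: str) -> str:
    # The legitimate page embeds the session's token as a hidden field. A page
    # on another origin cannot read it, so a forged request cannot include it.
    token = SESSIONS[session_id]["csrf"]
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<input name="to"><input name="amount"></form>')


def handle_transfer_vulnerable(request: dict) -> str:
    # Authorizes on the session cookie alone. The browser attaches that cookie
    # to any request to the bank, including one triggered by a phishing link.
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return "401 not logged in"
    form = request["form"]
    return f"200 transferred {form['amount']} from {session['user']} to {form['to']}"


def handle_transfer(request: dict) -> str:
    """request models a POST: cookies (sent automatically) plus form fields."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return "401 not logged in"
    # The state-changing action also requires the token from the form; compare
    # in constant time so the check leaks nothing about the expected value.
    submitted = request["form"].get("csrf", "")
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return "403 missing or invalid CSRF token"
    form = request["form"]
    return f"200 transferred {form['amount']} from {session['user']} to {form['to']}"
```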

By Abhay Bhargav, Founder and CTO at the we45 Group. Please visit the we45 website for further information.
