Event: Web Application Security Seminar
Event Type: Seminar
Organiser: AppCheck (https://appcheck-ng.com/)
Date: Friday 6th September 2019
Location: Stamford Bridge, Chelsea Football Ground
Web application security is becoming an increasingly popular topic in the cyber security industry. With more and more attacks against websites resulting in people’s personal information being leaked and hefty fines for website owners, it is no wonder companies are paying more attention to the security of their websites and not just their physical devices.
This seminar explored the security threats that website administrators face and included live hacking demonstrations. Presenter and AppCheck co-founder Gary O’leary-Steele demonstrated some of the most common security breaches websites experience. Gary then explained how AppCheck helps website administrators discover and rectify their security flaws.
The event started by looking at the most common security vulnerabilities in websites. The Open Web Application Security Project (OWASP) is a well-respected organisation within the internet security industry. As OWASP is independent, and therefore unbiased, it is a reliable source for the most common security weaknesses found in websites.
OWASP unsurprisingly confirms that the top security risk for websites is injection, most commonly SQL injection. Why? Well, where is all the valuable data for a website kept? In the database, of course, so it is no surprise that databases are a key target for attackers.
SQL Injection
Gary demonstrated some of the ways malicious SQL could be injected, either to leak information from the database or to exploit login forms so that an attacker can log into a website as an administrator without needing the password. I will not go into depth on these exploits as this article is intended to cover the basics of the event, and security topics such as the ones covered in this event really deserve their own in-depth article, which I intend to add to this website.
In brief, login forms can be manipulated by entering specially crafted SQL into the username box that causes the database’s query parser to ignore the part of the query that checks the password. The exact input depends on the type of SQL database in use as well as on how the login form builds its query. Now you’re thinking “but we don’t get to see the code or the SQL database as a website visitor”, and you’re right…well, sort of. Of course you can always “view source” in your browser to see what client-side code is available, but regardless, you don’t need to see the code to find out this information. Certain inputs submitted through the login box or directly in the URL can make the website produce database errors, and those error messages reveal information about the database (such as the engine in use) that helps in working out the query syntax needed to breach it. This is why login code should never build queries from raw user input and should never return raw database errors to the visitor.
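To make the login-bypass and error-leak points concrete, here is an added example (not code from the event or from AppCheck) using Python and an in-memory SQLite database. The user table, the credentials and the crafted username `admin'--` are constructed for this demonstration; the vulnerable function concatenates input into the query text, while the hardened one uses a parameterised query and swallows engine errors so nothing about the database leaks back to the visitor.

```python
import sqlite3


def make_db():
    """Constructed sample database: one administrator account (demo data only).
    Passwords are stored in plain text here purely to keep the focus on the
    query construction; real systems store salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('admin', 'correct horse battery staple', 'administrator')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string concatenation, so user input becomes SQL syntax.
    A username ending in a quote and a comment marker (e.g. admin'--) closes the
    string early and comments out the password check; any password then works.
    Malformed input raises sqlite3.OperationalError, whose message names the
    engine and the bad token, which is the error leak described above."""
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver passes input as data, never as SQL text,
    so quotes and comment markers in the username match only a literal user.
    Any database error is logged server-side and hidden behind a generic failure."""
    try:
        row = conn.execute(
            "SELECT role FROM users WHERE username = ? AND password = ?",
            (username, password),
        ).fetchone()
    except sqlite3.Error:
        return None  # generic failure: no engine details reach the client
    return row[0] if row else None


def error_message_leaked(conn, username):
    """Returns the raw database error text the vulnerable path would expose
    for a given username, or None if the query ran without error."""
    try:
        login_vulnerable(conn, username, "x")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None
```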
As this article is already becoming quite long, I will not go into further detail on the other vulnerabilities that were discussed at the event. However, if you are interested in knowing what the biggest threats to websites are, be sure to research the “OWASP Top 10”. I will produce a blog on steps you can take to protect your website and mitigate the risk of it being hacked.
AppCheck provides a scanner that can be hosted by them or locally on your network (useful if you want to scan internal websites). It scans your websites for known vulnerabilities and provides a detailed report of what was discovered and how to rectify it. AppCheck’s tool is designed to be automated and accurate, aiming to provide the same results human pen testers would achieve, but from an automated, AI-assisted system available 24/7.
Summary
In summary, this event was quite interesting and very useful. The demonstrations showed just how easy it is to obtain information from and exploit a website, including systems belonging to very large corporations. Being a Manchester United fan, it also pains me to admit that the conference room at Stamford Bridge was quite pleasant, along with the food they served. Websites are constantly under threat, as exploiting them is one of the easiest and most effective ways to target an organisation, damage its reputation and cause it severe financial repercussions. It is very easy for companies to concentrate on protecting their endpoints and overlook protecting their website. This is certainly something we cyber security professionals need to raise awareness of.