CHAPTER 21

WEB-BASED VULNERABILITIES

Anup K. Ghosh, Kurt Baumgarten, Jennifer Hadley, and Steven Lovaas

21.1 INTRODUCTION

21.2 BREAKING E-COMMERCE SYSTEMS

21.3 CASE STUDY OF BREAKING AN E-BUSINESS

21.4 WEB APPLICATION SYSTEM SECURITY

21.5 PROTECTING WEB APPLICATIONS

21.6 COMPONENTS AND VULNERABILITIES IN E-COMMERCE SYSTEMS

21.6.1 Client-Side Risks

21.6.2 Network Protocol Risks

21.6.3 Business Application Logic

21.6.4 CGI Script Vulnerabilities

21.6.5 Application Subversion

21.6.6 Web Server Exploits

21.6.7 Database Security

21.6.8 Platform Security

21.7 SUMMARY

21.8 FURTHER READING

21.9 NOTES

21.1 INTRODUCTION.

This chapter systematically reviews the primary software components that make up Web applications, with a particular focus on e-commerce, and provides an overview of the risks to each of these components.[1] The goal of this chapter is to point out that every system will have risks to its security and privacy that need to be systematically analyzed and ultimately addressed.

21.2 BREAKING E-COMMERCE SYSTEMS.

To make a system more secure, it may be advisable to break it. Finding the vulnerabilities in a system is necessary in order to strengthen it, but breaking an e-commerce system requires a different mind-set from that of the programmers who developed it. Instead of thinking about developing within a specification, a criminal or hacker looks outside the specification.

Hackers believe that rules exist only to be broken, and they always use a system in unexpected ways. In doing ...
