Curb your Website's Vulnerabilities

Website security is often the most overlooked as-pect of securing information in an organization.This is more pertinent in mid-sized organiza-tions, who may not have the required resources (financialand manpower) exclusively for analyzing their portal se-curity. That's why, hackers have shifted their focus to-wards identifying and exploiting vulnerable websites.Instead of targeting static web pages, they concentrate onattacking web applications like shopping carts, loginpages, forms and other dynamic content. Since the web ap-plications are available 24x7 and accessible from any-where in the world, they provide hackers with easy accessto the backend organizational database. And such insecurewebsites also provide a perfect platform for hackers to launchcriminal activities like hosting phishing sites or to transfer il-licit content, while abusing the website's bandwidth andmaking the website owner culpable of those unlawful acts.

Since web applications include shopping carts, forms, lo-gin pages and dynamic contents that are designed in a man-ner to allow website visitors to submitand retrieve data.Suppose these web applications aren't secured, then theentire organization's database connected to the website is at serious risk. Even Gartner's study revealsthat 75% of cyber attacks are done at the web application level.

Common website attacks

Hackers use an arrays of attacks against organizations'websites for exploiting their vulnerabilities. The most com-mon of these attacks are Cross Site Scripting (XSS), Direc-tory Traversal Attacks, Parameter Manipulation (e.g., URL,Cookie, HTTP headers, web forms), Authentication At-tacks, and Directory Enumeration.

1. Cross-site scripting (XSS)

It is the most common type of attack to exploit website vul-nerabilities in which the attackers inject client-side scriptinto web pages being viewed by other users. This way, at-tackers inject code through which drive-by downloads ofmalware happen at the website visitor's end or illicit con-tent opens up as pop-up windows. Cross-site scripting holesare web application vulnerabilities that allow attackers toby-pass client-side security mechanisms which are usuallyimposed on the web content by most modern browsers.Hackers find ways of injecting malicious scripts into webpages through which they can gain elevated access privi-leges to sensitive page content, session cookies, and vari-ous other parameters that enclose information wherebrowsers store user's information. The impact of such at-tack on such vulnerability would range from petty nuisanceto significant security breach, mostly depending on the sen-sitivity of the data held by such exploited vulnerability.

2. Directory traversal

As the name suggests, it's an exploit that tries to access thecomputer files that is not intended to be accessible. It usessimple GET or other type of HTTP requests; any malicioususer can send a request for a file or a directory by addingone or more “../” directives to the string. Each “../” meansto go up one directory, if your application allows this to hap-pen, then that malicious user can traverse through yourwebsite directories and can manipulate data as well.

3. Parameter manipulation

This attack is based on manipulating the parameters ex-changed between the client and the server with the goal be-ing to modify the application data such as user credentials,price of products, discounts, access rights, etc. The attackeruses the information stored in cookies, URL query strings,hidden form fields etc. to gain application control. The suc-cess of such attacks depends on application integrity andlogic validation mechanisms, and exploitation of these canalso result in attacks like XSS and directory traversal.

4. Authentication attacks

For any web application authentication plays a critical role.And that's what is always on attack radars of hackers. Theauthentication protocols operate over HTTP (or SSL), withcredential details embedded right in the request/responsetraffic. The attack is not a technological security hole, butrather it depends on how securely stored and complex thepasswords are and how easy it is for attackers to gain serveraccess. Attackers can break into the system either by usingguess passwords or by using tools that attempt to authen-ticate by using list of user names and passwords, diction-ary attack, etc. Once the attacker proves to system he's aknown user he can exploit the privileges assigned to thatuser by the administrator.

5. Directory enumeration

It is a type of attack in which the attacker tries to make thetarget host enumerate the various resources available onthat host system. These resources could be user namesand their privileges, policies, services etc. Attackers usetools such as http-dir-enum and DirBuster to list the direc-tories that exist on the attacked website. Attackers can ex-ploit this to gain access to restricted applicationdirectories.

Tools to combat website security

It is critical for organizations to put website security a pri-ority on their online strategy. And for that there are toolsand applications available that can help in identifying thevulnerabilities so that corrective actions could be taken toplug those gaps and secure the organization's informationbefore they can be leaked through website exploits byhackers.

Acunetix web vulnerability scanner

One such tool to check for website vulnerabilities isAcunetix Web Vulnerability Scanner (WVS). It employshighly advanced heuristics and rigorous technologies de-signed to tackle the complexities of today's highly compet-itive businesses that are highly dependent on web-basedenvironments. With the advent of web 2.0 and RIAs, thecontent on web pages is highly dynamic now as comparedto static pages of the era bygone. This has caused web ap-plications to be dependent on client side scripts like AJAXand JavaScript. Acunetix WVS automatically scans for ex-ploitable vulnerabilities and offers a strong solution for an-alyzing web applications to see the robustness of such Web2.0 web applications and ensure that there is no vulnera-bility that gets overlooked.

Features

Acunetix WVS is an automated web application securitytesting tool that performs the audit of the web applicationsby checking for vulnerabilities like SQL Injections, Crosssite scripting and other exploitable hacking vulnerabilities.In general, Acunetix WVS can scan any website or web ap-plication that is accessible via a web browser and that re-spects HTTP/HTTPS protocol.

It is ideal solution for any small and mid-sized organi-zation that can't afford expensive website security toolsand thus can download Acunetix WVS which is a free edi-tion. With such a solution organizations can ensure thattheir websites are secured from exploits so that their cus-tomers and vendors data remains intact.

How Acunetix works

Acunetix WVS features a wide array of automatic and man-ual testing tools that crawls the entire website by follow-ing all the links on the site and in the robots.txt file andsitemap.xml (if available). WVS then maps out the websitestructure and display the detailed information about everyfile that it detects from the site structure. Then WVS auto-matically launches a series of vulnerability attacks on eachpage found, in essence emulating a hacker. Also, WVS an-alyzes each page for places where it can input data, and sub-sequently attempts all the different input combinations. Asvulnerabilities are found, Acunetix WVS reports these in the'Alerts' node. Each alert contains information about the vul-nerability such as POST variable name, affected item, httpresponse of the server and more. The following steps showshow one can do a complete scan for vulnerabilities in a web-site. To start a website scan click File > New > New Web-site Scan that initiates the Scan Wizard.