Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor

Fortify discovers systematic web hacking route

Fortify : 09 June, 2008  (Technical Article)
Systematic vulnerability in web security could affect all web authorisation security applications
Fortify Software has issued a warning to its customers and other companies about a bug in Web authorisation technology.

The problem, says Rob Rachwald, Fortify's director of product marketing, lies with the VBAAC (Verb-based access and authentication control) aspect of Web security technology.

'The flaw is unusual in being systemic and therefore not directed at any one vendor's products, and is essentially a bug in a security feature,' he said, adding that the most popular J2EE container applications all have the flaw inherent in their authorisation procedures.

According to Rachwald, the flaw allows hackers to manipulate the http: verb to by-pass otherwise effective security controls.

'For example, a piece of http: code might seek to limit access to a given directory except for those users logged in with ADMIN rights. Exploiting the flaw means that, instead of blocking approaches not specified in a security rule, the code allows almost any method that is not specified,' he said.

'Using this approach leaves the system open to infection by malware, or perhaps worse, by listing specific methods in the security rule, software developers end up opening the system a lot wider than they originally intended,' he added.

The flaw, says Rachwald, can be prevented by programming the Web and application server system to disallow non-standard requests such as HEAD, as well as never serving the JSPs directly but placing all the JSP-INF files into a container (e.g. WEB-INF) and limiting calls to that container.

'Direct calls to JSPs should be avoided if at all possible. Developers should always invoke the request from the environment they are expected to be in and not from a dictionary collection of request data,' he explained.

The flaw was discovered by Aspect Security, whose director of research, Darshan Dabirsiaghi, has penned a paper on the new types of flaws as they relate to VBAAC technology.

Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo