Home > Ask the Security Experts > Application Security Questions & Answers > Web application variable manipulation
Ask The Security Expert: Questions & Answers
EMAIL THIS

Web application variable manipulation

Michael Cobb EXPERT RESPONSE FROM: Michael Cobb

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 28 December 2005
What happens if a Web application uses client-side SSL certificates in addition to server-side certificates? Is Web application variable manipulation still possible?

>
EXPERT RESPONSE
Unfortunately, Web application variables can still be manipulated even when both client and server are using digital certificates to authenticate themselves and establish an SSL connection. In order to manipulate Web application variables an attacker uses an HTTP proxy tool. By adjusting the client's browser's proxy settings to pass through the HTTP proxy, all HTTP and HTTPS requests and responses can be channelled through the proxy before being forwarded to the server. This gives the attacker a window to view and alter all information passed in the browsing session, including any variables passed by the application in cookies, hidden form elements and URLs. The main threat from these proxy tools is they enable attackers to view and edit the information sent from the client to the server.

Not all "man-in-the-middle" proxy tools can handle SSL sessions when the client and the server use certificates, because they can't store the client certificate for handshaking or logon. However, if they import the required client certificate prior to handshaking or logon, the Paros Proxy can intercept and modify HTTPS data, even when applications require a client certificate. Although the client and the server may be trusted, the attacker can modify any part of the request and response before forwarding it.

Paros is a very powerful program and can be used to evaluate the security of Web applications. It is free of charge and completely written in Java. It has several tools including a record feature, which keeps a history of all HTTP requests and responses. This feature allows the developer or attacker to review all of the actions, pages and variables. It also includes automated vulnerability scanning and detection capabilities for some common Web application attacks, including SQL injection and cross-site scripting. Paros also scans for unsafe Web content, such as unsigned ActiveX controls and browser exploits sent by the target Web server. For more information about Paros visit the Web site at http://www.parosproxy.org.

More Information

  • Visit our Web application security resource center for news, tips and additional expert advice.

  • Learn how to improve Web site security by securing Web applications from authenticated users and avoiding client-side authentication.

    		•

    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


    RELATED CONTENT
    Application Security
    Can IBM's SMash technology secure Web applications?
    Why is backscatter spam so difficult to block?
    What are the risks of disabling the User Account Control (UAC) feature on Windows Vista?
    Protecting exposed servers from Google hacks (and Google 'dorks')
    Which automated quality assurance tools can be used to test software?
    Has proof-of-concept mobile device malware translated into any meaningful attacks?
    Is it possible to ban chat programs on an enterprise LAN?
    How to test the security of personal details submitted to a website
    Is security improved when the number of Internet gateways is reduced?
    Are Internet cafe users' email credentials at risk?

    Web Application Security (Also see Web Access Control)
    Symantec to acquire MessageLabs for SaaS model
    Clickjacking details released after attack proof-of-concept emerges
    Billy Hoffman on AJAX security and browser attacks
    Data risks take shine off Google Chrome
    Verizon breach study identifies industry specific threats
    IronPort feature detects exploited websites
    PCI DSS 1.2 clarifies wireless, antivirus use
    MySpace, Facebook ignoring basic principles of security
    Positive changes coming to ModSecurity
    Kaminsky: DNS flaw capable of attacks on many fronts

    PKI and Digital Certificates
    What is the best way to administer exams to students via computer?
    Should computer exams be transmitted as PDF files or Word files?
    Should PKI systems be used for laptop encryption?
    Email authentication showdown: IP-based vs. signature-based
    VeriSign to shed businesses, return to security roots
    How do anonymous credentials and selective disclosure certificates affect enterprise IAM?
    Choosing from the top PKI products and vendors
    Can the symmetric encryption algorithm for S/MIME messages be changed?
    Securing VoIP Networks: Threats, Vulnerabilities and Countermeasures
    Creating a personal digital certificate
    PKI and Digital Certificates Research

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    anonymous Web surfing  (SearchSecurity.com)
    buffer overflow  (SearchSecurity.com)
    cache cramming  (SearchSecurity.com)
    cookie poisoning  (SearchSecurity.com)
    dictionary attack  (SearchSecurity.com)
    distributed denial-of-service attack  (SearchSecurity.com)
    JavaScript hijacking  (SearchSecurity.com)
    National Computer Security Center  (SearchSecurity.com)
    threat modeling  (SearchSecurity.com)
    trigraph  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    Targeted Security Channel Tips for Resellers, Integrators and Consultants
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




    All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts