Factoring Malware Into Your Web Application Design

Vulnerabilities, exploits, and end-user security controls are all the rage in Web application security, but there's another element that Web developers often ignore: how the design of the application itself can leave the door open for attack.

The bad guys increasingly are using malware that's built to bypass end-user security controls and take advantage of a user's trust on a known Website, resulting in man-in-the-middle attacks, sophisticated SQL injections, and social engineering exploits that capitalize on browser flaws or other vulnerabilities.

"Assuming the statistics that 30 to 40 percent of the Internet is compromised, what does that mean to corporations trying to do business on the Net? That means 40 percent of your customers are compromised, and you probably can't trust anything coming from their systems," says Gunter Ollmann, vice president of research for Damballa.

To protect themselves and their online customers, Ollmann says Web developers need to take into account the complexity of their Web apps' design, as well as beefing up application monitoring and anti-fraud tools on the back end. That's in addition to regular patching and scanning, says Ollmann, who gave a presentation at the Hacker Halted conference last week on Web design issues and malware.

"We've forced more security to the end user," such as HTTPS and multifactor authentication, he says. And meanwhile, malware, such as banking Trojans, are able to bypass those security measures altogether with clever social engineering ploys, he says.

In online banking and retail, for instance, a transaction requires multiple page click-throughs. Not only is that more complex for the end user, but it also makes it easy for an attacker to insert a page or manipulate the user's experience with malicious pop-ups or a man-in-the-middle or other attack, Ollmann says. "And [studies have shown] users are going to click through no matter what the message says," he says.

If an end user's machine is infected, then even if he goes to his online banking portal with a secure token, that can be breached, as well.

Ollmann says reducing the complexity of a Web app and making it easier to navigate can help an end user spot fraud, too. "And more importantly, companies are spending valuable development resources in the wrong area. While they're trying to increase users' security, it has [often] already been defeated in the presence of malware," he says. "Spend more on the back end and make sure there are security processes on the server side, such as technology to identify fraud, to correlate [activity]."

Some tips Ollmann recommends are exploring whether your Web app's interface could be simplified; whether customers can spot additional fields or pages they must navigate; and whether customers would be able to recognize that changes had been made to page content.

Sites that require customers to make all of their contact, passwords, and other information changes online should consider an out-of-band verification process, for instance, Ollmann says. "If your phone number can be changed online, that means a cybercriminal can change the number to one he controls," he says. "When you design your application, think carefully about how much needs to be done online and how you will validate any online changes using an out-of-band process."

As for adding or augmenting your back-end processing protections, Ollmann suggests looking at thresholds for transactions per minute, and including anomaly detection for funds transfers to spot money mules, for example.

And look beyond tools that merely alert you of a potential attack. "These have no real way of responding besides alerting an admin," which gives the botnet operator a leg up, for instance, in transferring stolen money or funds with their tools. "Given the speed and pace of these attacks, we now have to factor in automated response beyond alerting about an attack," Ollmann says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.