Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:21 PM
Connect Directly

Factoring Malware Into Your Web Application Design

Web developers need to consider the complexity of their Web apps' design, as well as beefing up application monitoring and anti-fraud tools on the back end

Vulnerabilities, exploits, and end-user security controls are all the rage in Web application security, but there's another element that Web developers often ignore: how the design of the application itself can leave the door open for attack.

The bad guys increasingly are using malware that's built to bypass end-user security controls and take advantage of a user's trust on a known Website, resulting in man-in-the-middle attacks, sophisticated SQL injections, and social engineering exploits that capitalize on browser flaws or other vulnerabilities.

"Assuming the statistics that 30 to 40 percent of the Internet is compromised, what does that mean to corporations trying to do business on the Net? That means 40 percent of your customers are compromised, and you probably can't trust anything coming from their systems," says Gunter Ollmann, vice president of research for Damballa.

To protect themselves and their online customers, Ollmann says Web developers need to take into account the complexity of their Web apps' design, as well as beefing up application monitoring and anti-fraud tools on the back end. That's in addition to regular patching and scanning, says Ollmann, who gave a presentation at the Hacker Halted conference last week on Web design issues and malware.

"We've forced more security to the end user," such as HTTPS and multifactor authentication, he says. And meanwhile, malware, such as banking Trojans, are able to bypass those security measures altogether with clever social engineering ploys, he says.

In online banking and retail, for instance, a transaction requires multiple page click-throughs. Not only is that more complex for the end user, but it also makes it easy for an attacker to insert a page or manipulate the user's experience with malicious pop-ups or a man-in-the-middle or other attack, Ollmann says. "And [studies have shown] users are going to click through no matter what the message says," he says.

If an end user's machine is infected, then even if he goes to his online banking portal with a secure token, that can be breached, as well.

Ollmann says reducing the complexity of a Web app and making it easier to navigate can help an end user spot fraud, too. "And more importantly, companies are spending valuable development resources in the wrong area. While they're trying to increase users' security, it has [often] already been defeated in the presence of malware," he says. "Spend more on the back end and make sure there are security processes on the server side, such as technology to identify fraud, to correlate [activity]."

Some tips Ollmann recommends are exploring whether your Web app's interface could be simplified; whether customers can spot additional fields or pages they must navigate; and whether customers would be able to recognize that changes had been made to page content.

Sites that require customers to make all of their contact, passwords, and other information changes online should consider an out-of-band verification process, for instance, Ollmann says. "If your phone number can be changed online, that means a cybercriminal can change the number to one he controls," he says. "When you design your application, think carefully about how much needs to be done online and how you will validate any online changes using an out-of-band process."

As for adding or augmenting your back-end processing protections, Ollmann suggests looking at thresholds for transactions per minute, and including anomaly detection for funds transfers to spot money mules, for example.

And look beyond tools that merely alert you of a potential attack. "These have no real way of responding besides alerting an admin," which gives the botnet operator a leg up, for instance, in transferring stolen money or funds with their tools. "Given the speed and pace of these attacks, we now have to factor in automated response beyond alerting about an attack," Ollmann says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-06-24
The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.
PUBLISHED: 2019-06-24
The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.
PUBLISHED: 2019-06-23
BlueStacks App Player 2, 3, and 4 before 4.90 allows DNS Rebinding for attacks on exposed IPC functions.
PUBLISHED: 2019-06-23
apps/gsudo.c in gsudo in ToaruOS through 1.10.9 has a buffer overflow allowing local privilege escalation to the root user via the DISPLAY environment variable.
PUBLISHED: 2019-06-23
Shopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI.