Decoding The Web Application Protection: Understanding Attacker Handling

Ravitej Bandlekar
5 min readOct 18, 2023
Source: www.safeaeon.com

When creating an application, especially when security is a significant concern, it’s vital to acknowledge the likelihood of it becoming a prime target for determined and highly skilled attackers. This highlights the necessity of making security an inherent part of the development process and adopting a proactive approach in uncovering and addressing vulnerabilities. It’s a reminder that security should be integrated from the outset and that ongoing monitoring and updates are essential to safeguard against evolving threats from cybercriminals who possess both the dedication and expertise to exploit any potential weaknesses in the application.

One of the primary roles of an application’s security mechanisms is to effectively manage and respond to attacks in a controlled manner. These security measures typically involve a combination of defensive and offensive strategies aimed at minimizing the attacker’s success and providing the application’s administrators with the necessary alerts and evidence regarding the attack. Strategies employed to handle attackers commonly encompass the following:

Handling Errors

While developers strive to thoroughly validate user input, they can’t predict all potential errors, and some unexpected issues are nearly inevitable. Errors stemming from typical user actions are typically discovered and addressed during testing before the application goes live. However, it’s challenging to anticipate all the ways malicious users may exploit the application, so errors are to be expected during attacks. A vital defense is the application’s ability to gracefully handle unforeseen errors, either by recovering from them or presenting appropriate error messages. In a production environment, it’s crucial not to divulge system-generated messages or debug information, as detailed error messages can aid malicious users and faulty error handling might expose sensitive data, creating a vulnerability for data theft. Most web development languages offer robust error-handling capabilities, such as try-catch blocks and checked exceptions. Application code should make extensive use of these constructs to effectively catch and manage errors. Furthermore, application servers can be configured to handle unanticipated errors in customized ways. Effective error handling often integrates with the application’s logging system to record valuable debug information about unforeseen errors, which can be used to enhance the application’s defenses.

Maintaining Audit Logs

Audit logs play a critical role in investigating intrusion attempts within security-sensitive applications, shedding light on incident details, exploited vulnerabilities, unauthorized access, and potentially the identity of the intruder. Security-focused applications routinely log specific key events, including activities related to authentication, significant transactions like payments, blocked access attempts, and requests containing known attack patterns. In some highly secure applications such as online banking systems, every client request is extensively logged for forensic analysis.

Effective audit logs should contain event timestamps, the source IP address, and user account details if authenticated. Protecting these logs from unauthorized access is of utmost importance. A recommended practice is to store them on a separate system that only accepts updates from the main application. In some situations, logs may be written to write-once media to ensure their integrity, even in the event of a security breach.

It’s essential to be aware that poorly protected audit logs can become a valuable resource for attackers, potentially exposing sensitive information like session tokens and request parameters.

Alerting Administrators

Audit logs serve the purpose of looking back and investigating intrusion attempts, potentially leading to legal action against the culprits. However, when dealing with security, immediate actions in response to ongoing attacks are often essential. Taking swift defensive measures can minimize the practical impact of a successful intrusion.

In the realm of real-time security, alert systems must find a balance between reporting genuine attacks effectively and not overwhelming administrators with excessive alerts. Well-designed alert systems rely on various factors to identify determined attacks and consolidate related events into a single alert whenever feasible. The kinds of unusual events that alert systems monitor include anomalies in usage, like a high volume of requests from a single source, unusual business activities such as atypical fund transfers, requests containing known attack patterns, and unauthorized modifications to concealed data.

Commercial off-the-shelf application firewalls and intrusion detection products offer some of these functionalities. They employ a mix of signature- and anomaly-based rules to detect and block malicious application usage while alerting administrators. Nevertheless, these products have their limitations due to the unique nature of each web application. While they excel at spotting obvious attacks, they may struggle with more subtle, application-specific threats.

In the case of security-critical applications, the most effective real-time alerting seamlessly integrates with the application’s input validation and control mechanisms. This approach empowers the application to identify and respond to malicious activity by closely aligning with the specific logic and user behavior expectations of that application. This approach substantially reduces the risk of false positives compared to generic off-the-shelf solutions.

Reacting to Attacks

Security-critical applications often incorporate built-in mechanisms to proactively defend against potentially malicious users. Since each application has its unique characteristics, real-world attacks frequently involve systematic probing for vulnerabilities, where attackers submit multiple requests with crafted input to exploit common vulnerabilities. Effective input validation can identify and block many of these malicious requests, but it’s prudent to assume that some bypasses may exist, and undiscovered vulnerabilities remain.

Hence, some applications automatically take defensive actions to disrupt the activities of systematic attackers. For instance, they might respond slowly to an attacker’s requests or terminate the attacker’s session, forcing them to log in or perform additional steps before continuing the attack. While these measures may not deter the most patient and determined attackers, they effectively discourage casual attackers and provide administrators with extra time to monitor the situation and take more substantial action if necessary.

In the domain of application security, it is essential to be proactive and ready for the constant threat posed by skilled attackers. Prioritizing strong security measures in the initial application design is paramount, along with the capability to respond effectively to security breaches. Audit logs serve a crucial role in post-incident investigations, shedding light on intrusion attempts and possible legal actions. Immediate responses, like blocking attackers and potentially taking the application offline, are vital. To strike a balance between alerting and avoiding information overload, alert mechanisms need to discern genuine threats from background noise and detect patterns indicative of malicious behavior. Moreover, automated defenses can disrupt systematic attackers, while tailoring real-time alerting to the application’s unique logic and user behavior expectations forms a robust security strategy. In summary, security must be an inherent component of the application development process, involving a combination of proactive, reactive, and customized security measures.

Reference:

The web application hacker’s handbook- Finding and exploiting security flaws.

Let’s connect?

LinkedIn: www.linkedin.com/in/ravitejmbandlekar

--

--