The Weakest Link in the Chain of WebApp Security by Matt

It’s you. You (the human) are the weakest link, especially when it comes to web application security. As developers, we must pay attention to application security as if our lives depend on it: a simple 7-character MySQL injection can indeed ruin our day. From the client side, whether or not we know it, we expect the applications we use to be secure, use modern encryption, employ proper session management, etc., and act as a web bouncer while we are using them. Yet, while data encryption has continually evolved since the times of Julius Caesar, and computers since ENIAC, humans remain gullible and void of social firewalls.

This is why we call it social engineering, and in the world of application security, the more human manipulation and error there is (or could be), the weaker the entire system becomes. Let’s try breaking into someone’s bank account, first the techy way, then by exploiting the human element.

Techy Way

First, let’s see if the login form properly escapes and validates its inputs; maybe we can do some simple injection. Damn, they know about SQL injection. Next, check if there are holes in the system to hijack cookies, or maybe we can brute force the credentials with a dictionary attack and a couple of servers. Yikes: encrypted cookies, random hash tokens for form validation, and now they are blocking our IPs because of so many persistent requests. Let’s go for one last thing: put 3-4 thousand characters into a POST or GET request and see if we can build any exploits from the returned error codes. Nope, they trim all their inputs to 40 chars before ever processing them. Looks like the script-kiddie (bottom-of-the-bin) hackers are stuck.
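The three defenses the paragraph credits the bank with (input that is treated as data rather than SQL, a hard length cap, and blocking a client that hammers the login form) are simple to implement. The block below is an added illustration, not code from this post or from any real bank: `login_vulnerable` builds its query by string concatenation so a quoted input changes the query's logic, while `login_hardened` caps input length and uses a parameterized query; `RateLimiter` is a fixed-window per-IP counter. The user table, the password-hash value, the 5-attempts-per-minute threshold and the 203.0.113.9 client address are all constructed for the example.

```python
"""Defensive checks for a login endpoint (added example, not the blog's code)."""
import sqlite3

MAX_INPUT_LEN = 40           # the post mentions trimming inputs to 40 chars
MAX_ATTEMPTS_PER_WINDOW = 5  # assumed threshold before a client is blocked
WINDOW_SECONDS = 60          # assumed window length for the counter


def make_db():
    """In-memory users table with one constructed row (stand-in for a real store)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "constructed-hash"))
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the SQL by string concatenation, so user input is parsed as SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
           "AND password_hash = '%s'" % (username, password_hash))
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn, username, password_hash):
    """Length cap plus a parameterized query: input is only ever compared as data."""
    if len(username) > MAX_INPUT_LEN or len(password_hash) > MAX_INPUT_LEN:
        return False
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0] > 0


class RateLimiter:
    """Fixed-window attempt counter per client IP.

    The current time is passed in by the caller so the behaviour is deterministic
    and easy to test; a real deployment would use time.monotonic() or the
    reverse proxy's own limiter.
    """

    def __init__(self):
        self.windows = {}  # ip -> (window_start, attempts_in_window)

    def allow(self, ip, now):
        start, count = self.windows.get(ip, (None, 0))
        if start is None or now - start >= WINDOW_SECONDS:
            # first request, or the previous window has expired: start a new one
            self.windows[ip] = (now, 1)
            return True
        if count >= MAX_ATTEMPTS_PER_WINDOW:
            return False  # this client is blocked until the window rolls over
        self.windows[ip] = (start, count + 1)
        return True


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # classic quote-breaking input, used only to show the contrast
    print("vulnerable login accepts probe:", login_vulnerable(db, "alice", probe))
    print("hardened login accepts probe:  ", login_hardened(db, "alice", probe))
```

The parameterized query is the real fix; the 40-character trim is a belt-and-braces limit that also keeps oversized payloads from reaching the parser at all, and the limiter slows dictionary attacks without any change to the login logic itself.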

Human Way

I know a guy down the street who is loaded; his name is John Doolittle. I search for him on Google and find that he is Director of Marketing at www.MarketingFirmABC.com. Then I search the last name on Facebook and find his wife’s profile, on which she publicly posts her email address. I buy the domain www.MarketingFirm-ABC.com and set up a redirect to www.MarketingFirmABC.com, just in case anyone checks. Then I make an email address for myself, “john@marketingfirm-abc.com”, including all the headers so the name comes up pretty. You see where this is going. I email Mrs. Doolittle: “Hi Hun, could you resend me our bank acct logins? Must have thrown that sticky note out! -XO”. Give it an hour, and unless she is hip to that faulty dash in the email address, you will have bank logins from her, probably with “Sent from my iPhone” at the bottom. You scrap the domain and access the account from an offshore IP. This is otherwise known as phishing, and while it is an “old” technique, it is still a common exploit.

Solution = Education

This is kind of scary, but we see that no matter how hard we try to add more layers of security to our application, the weakest link may very well be the end user. With this in mind, it’s our responsibility as developers not only to take care of the tech stuff, but to hold the user’s hand a bit and unobtrusively educate them about the subtle security risks. Just imagine how many passwords could be retrieved if someone had access to your main email account, or how many they could get by doing some simple “I forgot my password” submissions. Just another day of cautiously embracing the web.

Our privacy policy: With knowledge comes power, use it wisely and in positive ways. For more information about web application security visit OWASP (Open Web Application Security Project).


June 21, 2010