VESARiA Network Security Specialists
About Vesaria Services Consulting Partners Research Customers Contact Us

Web Application Security

Web App Security Model



July 3, 2002

    A VESARiA security consultant hangs up the phone.  He had just reported the critical results of a preliminary test of the web application software used to power one of the leading e-commerce sites.

    Within minutes of the test's commencement, he had been able to gain access to proprietary information.  How? His first step was to input "trigger data" - data likely to cause errors - into one of the forms on the site.  The form used JavaScript to disallow invalid data before submission, but the analyst easily bypassed that by disabling JavaScript in his browser.  The server responded with error messages and a HTTP Redirect to a different page.  But the analyst had already set his system to catch the error messages before being redirected.

    Looking carefully at the error messages, the analyst noticed certain directory and file names mentioned in them.  Figuring he was on a roll, the analyst pieced them together to come up with a URL, and entered it into his browser.   Boom! There were the contents of the file, revealing sensitive information.  The file was never intended to be served over the web - it was intended to be used only by the server's software.  But it was nonetheless located within the webroot, and was thus accessible to anyone who could determine its name and location.  Within minutes, he had penetrated the system.

    Wasting no time, the analyst immediately contacted the client.  The client was, to say the least, flabbergasted by this news.  In light of the gravity of the situation, VESARiA's analyst recommended a complete overhaul of the software, integrating security from the ground up.

VESARiA's Solution:  Preventive Security and Education

    Over the next few months, VESARiA lead the companies IT staff through overhauling their server's software.  First, VESARiA went over the source code (see Web Application Security Analysis), highlighting five major areas that needed change.  Then, working in close contact with the company's programmers, VESARiA developed a security model for the web application.  VESARiA educated the company's staff in the relevant aspects of security, enabling them to produce secure web applications from the start.

The Results: Secure Web Applications

    Within months, the company was ready to redeploy their secured web application.  It featured a proactive, redundant security model, and was more efficient and streamlined as well.  Most importantly, the education the staff received ensured the future security of the company's web applications from the start.

Vesaria, LLC

© 2000 - 2018 Vesaria Network Security Specialists        
   About Vesaria   |   Legal   |   Privacy   |   Contact