By Erwin Friethoff Application security practices and tools can help ensure that embarrassing and costly vulnerabilities are shut out of your website or app.
Almost everything can be done online nowadays, and even some of the oldest professions in the world are modernizing and moving to the Web. Application security is becoming more and more important with the online enablement of all kinds of new services.
Since everyone and everything is online, the Dutch government decided that one of the basics of a modern society — law and order — should be facilitated through online channels as well. For example, when a lawyer wants to start a procedure, he or she can do so digitally. Proponents argued that it was good for speed and better for the environment.
The website has been modernized and, next to publishing court decisions, a lawyer or legal representative can launch a new case and upload the accompanying documents. Since it is run by the government, one would expect that the application security would be top-notch, right?
A Big Team, Lots of Money and an XSS Vulnerability
A new user experience, a new, up-to-date design, case manager tooling — the website had it all. Highly skilled people worked on the site for years, at the cost of millions of euros, so it was expected to be the best and most secure government website yet produced. Think again: Within a couple of days, an ethical hacker found a DOM-based cross-site scripting (XSS) vulnerability
According to OWASP, a DOM-based XSS attack occurs when the payload is executed by changing the DOM environment in the victim’s browser, which causes page code to operate differently.
A DOM-based XSS vulnerability is one of the vulnerabilities named in the OWASP Top 10, a powerful awareness document for Web application security. It represents a broad consensus about what the most critical flaws are — and these vulnerabilities tend to be present in many applications.
How Application Security Could Have Helped
Could this have been prevented? The answer is yes! But what steps should have been taken to ensure that the vulnerability did not exist in the first place?
To enable clients to prevent these kinds of exploits and vulnerabilities, IBM provides the AppScan portfolio. IBM AppScanscans source code and Web applications for vulnerabilities. It reports on known issues, giving advice on how to repair them and how to prevent them from being exploited. The video below shows how the IBM AppScan XSS Analyzer optimizes the success of the scan.