Review: 'Hacker-In-A-Box' Tool Tests Attack Scenarios

Hailstorm's non-signature-based technology interprets results during real-time attacks rather than comparing them against a signature database. The tool's interpreting engine eliminates false positives by providing generic solutions to attacks.

What's more, Hailstorm doesn't focus on any specific vendor's technology, since it uses generic scripts to attack different kinds of applications. Santa Clara, Calif.-based Cenzic provides all the source code for its attacks so that anyone can copy them and create their own scenarios.

Today, most hacking is financially driven and well-organized, with attacks launched to steal information from banks, financial services firms and online retailers. With banks, for instance, hackers working with inside employees or identifying exploitable weaknesses in applications have been known to set up temporary offshore accounts to siphon tiny amounts from many accounts. Banks and consumers usually don't notice such attacks right away because of the small amounts being transferred.

Another typical attack is a temporary price change on products sold online. These hackers penetrate e-commerce sites through cookie exploits and SQL injection-type attacks to alter the price of online goods before buying them. For example, an item that costs $5,000 can be changed to $50 and then purchased with stolen credit cards and quickly shipped to hard-to-track addresses.


Stealing customer information is the most common attack, since it can be done with simple SQL-injection scripts to retrieve complete database tables. That data often is used to get credit cards and other forms of identification.
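The injection described above comes down to one coding mistake: building the query string out of untrusted input. The following Python is an added illustration for this review, not code from the article or from Cenzic's Hailstorm; the customer table, the `lookup_vulnerable`/`lookup_safe` functions and the masked card numbers are all constructed for the example. It shows the weak query beside the parameterised one and the check a QA tester would run to confirm that the fix holds.

```python
import sqlite3

# Constructed sample data standing in for the customer table an injection
# script would try to dump. Card numbers are made-up, masked placeholders.
SAMPLE_CUSTOMERS = [
    (1, "alice", "4111-xxxx-xxxx-1111"),
    (2, "bob", "5500-xxxx-xxxx-0004"),
    (3, "carol", "3400-xxxxxx-x0009"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Weak pattern: the untrusted value is pasted into the SQL text, so it
    becomes part of the query grammar and can rewrite the WHERE clause."""
    sql = "SELECT id, name, card FROM customers WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened pattern: a parameterised query. The driver passes the value
    separately from the statement, so it is only ever matched as a literal."""
    sql = "SELECT id, name, card FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def regression_check(conn):
    """The assertion a QA tester would keep in the test suite: a name that
    carries a tautology must return no rows from the hardened lookup."""
    tautology = "x' OR '1'='1"
    leaked = lookup_vulnerable(conn, tautology)
    fixed = lookup_safe(conn, tautology)
    return {"rows_leaked_by_vulnerable": len(leaked), "rows_from_safe": len(fixed)}


if __name__ == "__main__":
    db = make_db()
    print(regression_check(db))  # vulnerable: 3 rows; safe: 0 rows
```

The regression check is the useful part for a QA process like the one the article describes: once the parameterised version is in place, the test keeps failing loudly if anyone reintroduces string formatting into the query.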

Other common attacks for which Hailstorm provides scripts include hijacking session IDs, phishing, buffer overflows and reverse engineering. The tool also includes a Web services module that runs separately from the main scripting engine.

Hailstorm integrates with Mercury's Quality Center so that QA testers can launch Hailstorm directly and get results back into the same console. Hailstorm can run on the command line, allowing it to be integrated into any application-scripting language or any language that can execute programs from the command line.

With the arrival of Web 2.0 and Ajax, new vulnerabilities are appearing at the client level. If written incorrectly, Ajax code opens windows into server-side code and databases. To avoid such holes, developers must revalidate on the server any data submitted by Ajax code before finalizing transactions. Essentially, Ajax creates the same types of vulnerabilities as server-based Web applications, but they're magnified because more code is exposed on the client side, with less validation done on the server side.
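The price-tampering scenario described earlier and the Ajax revalidation point above are the same defect seen from two sides: the server finalizing a transaction on values the browser supplied. The Python below is an added example written for this review, not Hailstorm code or anything from Cenzic; the catalog, the SKU names, the `MAX_QTY` limit and the `checkout_*` handlers are all constructed assumptions. It places a checkout handler that trusts the client's JSON beside one that re-derives the price from the server-side catalog and re-checks every field.

```python
import json
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: the authoritative price list. The SKUs
# and prices are made up for this example.
CATALOG = {
    "SKU-1001": Decimal("5000.00"),
    "SKU-2002": Decimal("19.99"),
}
MAX_QTY = 10  # assumed business limit per line item


def checkout_trusting_client(body):
    """Weak pattern: the browser-side script already computed the price and
    total, so the server charges whatever the JSON says. Editing the request
    (or the cookie it was built from) lets the client set its own price."""
    order = json.loads(body)
    total = Decimal(str(order["price"])) * int(order["qty"])
    return str(total)


def checkout_revalidated(body):
    """Hardened pattern: nothing from the client is used for billing until it
    has been re-derived or re-checked on the server. Returns a dict so the
    caller (or a test) can see both the decision and the reason."""
    try:
        order = json.loads(body)
    except json.JSONDecodeError:
        return {"accepted": False, "total": None, "reason": "malformed JSON"}
    if not isinstance(order, dict):
        return {"accepted": False, "total": None, "reason": "order is not an object"}

    sku = order.get("sku")
    if sku not in CATALOG:
        return {"accepted": False, "total": None, "reason": "unknown product"}

    qty = order.get("qty")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= MAX_QTY:
        return {"accepted": False, "total": None, "reason": "invalid quantity"}

    # The client may echo a price for display, but billing uses the catalog.
    # A mismatch is a tampering signal worth rejecting and logging.
    if "price" in order:
        try:
            client_price = Decimal(str(order["price"]))
        except InvalidOperation:
            return {"accepted": False, "total": None, "reason": "unparseable price"}
        if client_price != CATALOG[sku]:
            return {"accepted": False, "total": None, "reason": "price mismatch"}

    total = CATALOG[sku] * qty
    return {"accepted": True, "total": str(total), "reason": None}


if __name__ == "__main__":
    # Constructed requests: one honest, one with the price edited client-side.
    honest = json.dumps({"sku": "SKU-1001", "qty": 1, "price": "5000.00"})
    tampered = json.dumps({"sku": "SKU-1001", "qty": 1, "price": "50.00"})
    print("trusting client, tampered request bills:", checkout_trusting_client(tampered))
    print("revalidated, honest request:", checkout_revalidated(honest))
    print("revalidated, tampered request:", checkout_revalidated(tampered))
```

Rejecting on a price mismatch, rather than silently billing the catalog price, is a deliberate choice: the mismatch is exactly the event a fraud team wants surfaced in logs, and it is what a test script like the ones the article describes would look for when auditing final code.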

Cenzic promotes a "divide and conquer" methodology, in which security administrators make critical decisions on how to test applications during development and QA testing. Developers and QA testers must follow security testing guidelines given to them by security experts. Once applications get into the QA process, security administrators can select the attacks necessary to audit final code.

Although organizations such as the InfoSec Institute are slowly making progress by providing training in the realm of "ethical" hacking, most companies are still far behind, mainly because of a lack of resources. Most developers are extremely pressed for time in getting applications to market, so security issues often end up on the back burner.

According to Cenzic, if security measures are placed in a development life cycle, IT managers and developers then are obligated to look for flaws, which drains resources and man-hours from other projects. In the meantime, about 75 percent of Web attacks are happening at the application layer, Cenzic said.

Small commercial software vendors, ISPs and ASPs are in a similar situation. The only security strategy promoted by ASPs and ISPs deals with providing firewall and SSL support to applications, leaving application logic completely out of their security infrastructure.

Cenzic claims that encrypting data doesn't always work. Data encryption provides limited access, but in the end, users who need access override those methods to interact with data sources. Without strong logic boundaries, hackers will always be able to snoop and gain access to confidential information.

Hailstorm performs application logic and vulnerability tests, and it looks for regulatory compliance issues in applications. The tool also comes with various infrastructure tests to search for server vulnerabilities. Cenzic provides weekly updates to Hailstorm customers so they can test code against the latest known attack scripts.

In addition to Hailstorm, Cenzic offers two ASP models to simplify remote testing and QA for customers that don't have the resources in-house. Cenzic's ClickToSecure ASP program allows system integrators to manage the service themselves or allow Cenzic to manage it for them.