Internet security has been of concern for quite some time. Of particular concern is Web application security and preventing end users from stealing or modifying data stored in Web servers or in locations associated with Web servers. Historically, to obtain access to the data, attacking end users (hereafter, attackers) would find network vulnerabilities in the Web server and capitalize on such vulnerabilities. Web server security has increased significantly, resulting in attackers seeking access to Web server data in different ways. Security practice has long since extended network penetration testing to areas such as, but not limited to, Web applications, wireless devices, voice over IP (internet protocol) products, and other fields.
One area of particular interest to attackers is Web application security. Specifically, attackers presently use vulnerabilities in Web applications to obtain access to Web server data, resulting in the attackers being able to steal or manipulate the data. For exemplary purposes, FIG. 1 is provided, which is a schematic diagram illustrating an example of a prior art network 10. As shown by FIG. 1, the network 10 contains an attacker computer 20 that is used by an attacker to interact with the network 10 and gain access to data within a Web server 30. The attacker computer 20 has a Web browser application 22 stored therein, where the Web browser application 22 is capable of communicating with a target Web application 32 stored within the Web server 30. The attacker computer 20 is capable of connecting to the Web server 30 via the Internet 40 or a local area network. Access to the Web server 30 may be controlled by a firewall 42, which may be either a software application stored at the Web server 30 or a separate device.
As mentioned above, the Web server 30 has a target Web application 32 stored therein. The target Web application 32 controls access to a database management system 50 through SQL queries or other manners. Data associated with the target Web application 32 is stored within the database management system 50 in tables that are located within a database of the database management system 50.
As mentioned above, modern and typical development techniques invariably introduce security vulnerabilities into Web applications that can be exploited by Web users (attackers) who connect to these Web applications (e.g., through the Internet). As a result of these exploits, an attacker could access private information located on the Web servers (e.g., credit card databases), or modify the information displayed by these Web applications. Such modification can be used to deface the underlying Web application, thus creating a denial of service to standard users and damaging the public image of the owner of the Web application. In addition, the modification may be used to attack other Web users of this Web application (who trust the content displayed by the Web application). Although the latter is one of the so-called client-side exploits, it also reveals a vulnerability in the Web application landscape. Hence, these types of attacks can be used to test both client security and Web application security.
These attacks are performed by attackers who pass themselves off as standard Web users but depart from the standard procedure in their interaction with the Web application, typically entering specially-crafted data in Web entries, which gives them new capabilities that are not contemplated in the Web application design. For example, referring to one type of application attack among many, an SQL-injection attack can be realized by an attacker who accesses a Web application and types an SQL command where a user of the Web application should be typing his name or telephone number. Because this SQL command Web entry is not checked and sanitized by the Web application, it is passed to the database management system, which executes the command, when in fact no Web user should be able to execute database commands.
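The failure just described, and its remedy, as an added illustration that is not part of this document: a telephone-number lookup built by pasting the Web entry into the SQL text, beside the same lookup using a bound parameter and an input check. The customer table and the Web entries are constructed sample data, and the Python sqlite3 module stands in for the database management system.

```python
import re
import sqlite3

# Constructed in-memory customer table standing in for the Web server's
# database management system (sample data, not from any real deployment).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, phone TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("Alice", "555-0100", "card-A"), ("Bob", "555-0101", "card-B")],
    )
    return conn

def lookup_unsafe(conn, phone):
    # Vulnerable form: the Web entry is concatenated into the SQL text, so an
    # entry containing SQL syntax changes the command the DBMS executes.
    sql = "SELECT name FROM customers WHERE phone = '" + phone + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, phone):
    # Hardened form: the entry is passed as a bound parameter, so the DBMS
    # treats it as a literal value and never as part of the command.
    sql = "SELECT name FROM customers WHERE phone = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (phone,))]

# Hypothetical telephone-number format used only for this check.
PHONE_RE = re.compile(r"\d{3}-\d{4}")

def is_valid_phone(phone):
    # Input check at the Web application: does the entry look like a phone
    # number at all? Anything else never reaches the query.
    return PHONE_RE.fullmatch(phone) is not None

def lookup_checked(conn, phone):
    # Defence in depth: validate the entry first, then bind it as a parameter.
    if not is_valid_phone(phone):
        raise ValueError("rejected Web entry: not a telephone number")
    return lookup_safe(conn, phone)

# Constructed Web entry: SQL typed where a telephone number was expected.
INJECTED = "' OR '1'='1"
```

With the unsafe lookup the constructed entry turns the WHERE clause into a condition that is always true and every customer is returned; the bound-parameter lookup matches no row, and the checked lookup rejects the entry before any query is built.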
Thus, a heretofore unaddressed need exists in the industry to test for and address the aforementioned deficiencies and inadequacies.