“Chishiki” is Japanese for “knowledge.” e-chishiki.com aims to bring software developers, information security professionals, IT executives and other IT pros a rich body of knowledge in the form of articles, interviews, tutorials and technical discussions. Our contributors are among the biggest names in the Indian IT industry and include noted authors, educators and practitioners.
Weekly e-Security Series - Web Application Security
Is an IDS Implementation Effective in Tackling Web Attacks?
Vijay Mukhi
Index
- Evolution of Intrusion Detection Systems (IDS)
- Snort
- IDS Fails with Web Application Attacks
- Need of the Hour: A Complete Makeover for IDS
IDS Fails with Web Application Attacks
A simple signature check on content fails miserably against web attacks, because the newer line of attacks targets the business logic of an application. It may be very simple to spot a virus on the network by checking its signature against a database of signatures, but such is not the case with an XSS attack or, for that matter, an SQL Injection attack. A plain SQL Injection attack may use the condition 1=1, which always evaluates to true, but then 2=2 and (3*5) = (3*5) also hold true, so a signature written for one form does not match the others.
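The signature gap described above, as an added example that is not part of the original article: a literal 1=1 signature is run beside a check that folds constant integer arithmetic on both sides of a comparison, over constructed query strings. The regular expressions, function names and sample queries are assumptions made for illustration.

```python
import ast
import operator
import re
from urllib.parse import parse_qsl

# Literal content signature of the kind the article describes: only "1=1".
SIGNATURE = re.compile(r"\b1\s*=\s*1\b")
# Candidate "<integer arithmetic> = <integer arithmetic>" inside a parameter value.
COMPARISON = re.compile(r"([\d\s()+\-*]+)=([\d\s()+\-*]+)")
OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

def const_value(text):
    """Fold an integer-only expression to its value; None if it is anything else."""
    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in OPS:
            return OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("not a constant integer expression")
    try:
        return walk(ast.parse(text.strip(), mode="eval").body)
    except (SyntaxError, ValueError, RecursionError, MemoryError):
        return None

def classify(query):
    """Return (literal_signature_fired, constant_tautology_found) for a query string."""
    values = [value for _, value in parse_qsl(query)]
    signature = any(SIGNATURE.search(v) for v in values)
    tautology = False
    for v in values:
        for m in COMPARISON.finditer(v):
            left, right = const_value(m.group(1)), const_value(m.group(2))
            if left is not None and left == right:
                tautology = True
    return signature, tautology

# Constructed sample query strings (not captured traffic); conditions are the article's.
SAMPLES = [
    "id=7",
    "id=7+OR+1%3D1",
    "id=7+OR+2%3D2",
    "id=7+OR+(3*5)%3D(3*5)",
]

if __name__ == "__main__":
    for q in SAMPLES:
        sig, taut = classify(q)
        print(f"{q:28} signature={sig!s:5} tautology={taut}")
```

The folding check catches the three conditions the article lists, but it covers only integer arithmetic, which is the article's point: each widening of a content signature still leaves logically equivalent input outside it.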
Secondly, a Cross Site Request Forgery (CSRF) attack misuses the trust a site places in a browser and the fact that a user clicks on an unwarranted link. How on earth will an IDS ever detect whether the trust levels and the loyalty factors are compromised? Further, an attack like phishing is caused mainly by human error and foolishness. Here the IDS can in no way tell the user to be smart and intelligent and not click on a certain link.
The IDS raises almost no alarms for most of the OWASP Top 10 attacks. The reason is that the IDS does not investigate whether the username and password are encrypted. Similarly, it does not deal with authentication and authorization issues. The problems of bad authentication schemes and information leakage sit above the HTTP protocol, and they occur because of the programmer's lack of knowledge. These problems are solvable only with code review and human intelligence.
Therefore, it is completely baseless to believe that an IDS implementation will secure the company infrastructure from all application and web application attacks, because these attacks happen largely due to human failure. The average user is generally technically illiterate, and the attacker is technically far superior to the programmer. This becomes a social issue and not an IDS issue.



