December 19, 2000, 8:25 AM —
MOUNTAIN VIEW, CALIF. -- Think your electronic commerce site is safe from hackers?
A little demonstration from start-up Perfecto Technologies might convince you otherwise.
Company co-founder Eran Reshef sat down at this reporter's PC, logged on to an e-commerce site and, using only the browser, changed the price of an item by modifying the site's HTML.
A similar demo for Quote.com exposed security holes and led Quote.com to buy AppShield, a tool Perfecto designed to bullet-proof e-commerce sites.
Reshef came up with the idea for AppShield with his partner, Gil Raanan. Both honed their computer skills as officers with Israeli secret intelligence.
AppShield is an HTTP proxy filter that sits in front of a Web-based e-commerce application. It keeps crooks out by refusing to process bogus character inputs, such as over-long Common Gateway Interface (CGI) inputs that cause buffer overflows and can hijack the server.
AppShield also blocks a trick called "cookie poisoning," in which an attacker alters his Web cookie after he's logged on with a password and ID. This is important because many Web sites rely on a cookie to keep a state of connection with the e-commerce user after authentication. Once the cookie is altered, the trickster can take on another identity and use someone else's account, for example.
AppShield can also prevent hackers from changing prices on items added to e-commerce shopping carts, something that can be surprisingly easy to do with the HTML tools that are part of the Netscape and Microsoft browsers.
Officially shipping this week, AppShield is already winning plaudits from beta testers who have had the chance to kick its tires for a few months.
"We have evidence of the fact that it can work," says Kaj Pedersen, vice president of engineering at Quote.com, a Web site that provides stock quotes, news, research and portfolio management for investors. Pedersen found out about Quote.com's security holes after Perfecto employees hacked the company's Web site in two or three different ways right in front of him.
To prevent break-ins, AppShield analyzes every page generated by the Web server every time it is requested, but before the page gets to the browser. The process adds about 20 milliseconds to the browser-server communication, Reshef says.
AppShield's policy recognition engine expects an application page to be returned as it originated, and AppShield filters out illegal character inputs. If the software senses trouble, AppShield notifies the e-commerce manager through an e-mail or pager alert. The software can also give the would-be Web hacker an error code response or other message.
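As an added illustration (not Perfecto's code, which the article does not show), the following Python sketch models the two checks described above: a keyed MAC on the session cookie so that cookie poisoning is detectable, and a per-page record of the hidden fields the server emitted so that a submission whose price no longer matches the page "as it originated" is rejected. The session ids, form name, field values and signing key are all constructed for the example.

```python
import hashlib, hmac
from urllib.parse import parse_qs

SECRET_KEY = b"example-key-not-for-production"  # constructed placeholder, not a real secret

def sign_cookie(session_id: str) -> str:
    """Issue a cookie '<session_id>.<hmac>' so any later edit is detectable."""
    mac = hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"

def cookie_is_intact(cookie: str) -> bool:
    """Reject a cookie whose MAC no longer matches its session id (cookie poisoning)."""
    session_id, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

class FormPolicy:
    """Remember, per session, the hidden fields each page was served with."""
    def __init__(self):
        self.expected = {}  # (session_id, form_name) -> {field: value}

    def record_page(self, session_id, form_name, hidden_fields):
        self.expected[(session_id, form_name)] = dict(hidden_fields)

    def check_submission(self, cookie, form_name, body):
        if not cookie_is_intact(cookie):
            return "reject: cookie tampered"
        session_id = cookie.rpartition(".")[0]
        policy = self.expected.get((session_id, form_name))
        if policy is None:
            return "reject: no page issued for this form"
        submitted = {k: v[0] for k, v in parse_qs(body).items()}
        for field, value in policy.items():
            if submitted.get(field) != value:  # e.g. price edited in the browser
                return f"reject: field '{field}' changed"
        return "accept"  # user-editable fields such as qty are left alone

def demo():
    """Constructed traffic: one honest submission, one price edit, one forged cookie."""
    policy = FormPolicy()
    sid = "sess-42"
    cookie = sign_cookie(sid)
    policy.record_page(sid, "add_to_cart", {"item": "widget", "price": "49.99"})
    forged = "sess-7." + cookie.split(".")[1]  # MAC copied from another session
    return [
        policy.check_submission(cookie, "add_to_cart", "item=widget&price=49.99&qty=2"),
        policy.check_submission(cookie, "add_to_cart", "item=widget&price=1.00&qty=2"),
        policy.check_submission(forged, "add_to_cart", "item=widget&price=49.99"),
    ]
```

The second and third results are the two rejections an operator would want alerted on, while the quantity field, which the user is meant to edit, passes untouched.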