New tool blocks wily e-comm hacker tricks

www.nwfusion.com –

MOUNTAIN VIEW, CALIF. -- Think your electronic commerce site is safe from hackers?

A little demonstration from start-up Perfecto Technologies might convince you otherwise.

Company co-founder Eran Reshef sat down at this reporter's PC, logged on to an e-commerce site and, using only the browser, changed the price of an item by modifying the site's HTML.

A similar demo for Quote.com exposed security holes and led Quote.com to buy AppShield, a tool Perfecto designed to bullet-proof e-commerce sites.

Reshef came up with the idea for AppShield with his partner, Gil Raanan. Both honed their computer skills as officers with Israeli secret intelligence.

AppShield is an HTTP proxy filter that sits in front of a Web-based e-commerce application. It keeps crooks out by refusing to pass along bogus inputs, such as the overlong Common Gateway Interface (CGI) parameters used in buffer-overflow attacks that can hijack the server.

Clean cookies

AppShield also blocks a trick called "cookie poisoning," in which an attacker alters his Web cookie after he has logged on with a password and ID. This matters because many Web sites rely on a cookie to maintain the state of the connection with the e-commerce user after authentication. Once the cookie is altered, the trickster can take on another identity and use someone else's account, for example.

AppShield can also prevent hackers from changing prices on items added to e-commerce shopping carts, something that can be surprisingly easy to do with the HTML tools that are part of the Netscape and Microsoft browsers.

Officially shipping this week, AppShield is already winning plaudits from beta testers who have had the chance to kick its tires for a few months.

"We have evidence of the fact that it can work," says Kaj Pedersen, vice president of engineering at Quote.com, a Web site that provides stock quotes, news, research and portfolio management for investors. Pedersen found out about Quote.com's security holes after Perfecto employees hacked the company's Web site in two or three different ways right in front of him.

Page watching

To prevent break-ins, AppShield analyzes every page generated by the Web server every time it is requested, but before the page gets to the browser. The process adds about 20 milliseconds to the browser-server communication, Reshef says.

AppShield's policy recognition engine expects each request to come back consistent with the page the application originally served (the same form fields and values, the same cookie values), and it filters out illegal character inputs. If the software senses trouble, it notifies the e-commerce manager through an e-mail or pager alert. It can also answer the would-be Web hacker with an error code or other message.
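To make the "page watching" idea concrete, here is a small Python model of the approach the two preceding sections describe: a proxy that records what the server handed a session (the cookies it set and the forms, including hidden price fields, it rendered) and then rejects any request that does not match. This is an added illustration written for this page, not Perfecto's AppShield code, and the article does not document how AppShield's engine actually works internally. Assumptions are labelled in the code: the session identifier is passed in explicitly rather than derived from a session cookie, the 256-byte field limit standing in for the "long CGI buffer overflow" check is an arbitrary choice, and the sample page and requests are constructed for the demo.

```python
"""Toy 'page-watching' proxy filter: learn policy from responses, enforce it on requests.

Added example for illustration only; not AppShield's own implementation.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

MAX_FIELD_LEN = 256  # Assumed limit; the article gives no figure for AppShield's overflow guard.


class _FormScanner(HTMLParser):
    """Collect, per <form action>, the names of all inputs and the values of hidden ones."""

    def __init__(self):
        super().__init__()
        self.forms = {}      # action path -> {"fields": set(), "hidden": {name: value}}
        self._action = None  # action of the <form> currently being scanned, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = urlsplit(a.get("action") or "").path
            self.forms.setdefault(self._action, {"fields": set(), "hidden": {}})
        elif tag == "input" and self._action is not None and a.get("name"):
            form = self.forms[self._action]
            form["fields"].add(a["name"])
            if (a.get("type") or "text").lower() == "hidden":
                form["hidden"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


class PolicyProxy:
    """Per-session policy: what the server served is the only thing the client may send back."""

    def __init__(self):
        self._sessions = {}  # session id -> {"cookies": {name: value}, "forms": {path: form}}

    def observe_response(self, session_id, set_cookies, html):
        """Record the cookies the server set and the forms it rendered for this session."""
        sess = self._sessions.setdefault(session_id, {"cookies": {}, "forms": {}})
        sess["cookies"].update(set_cookies)
        scanner = _FormScanner()
        scanner.feed(html)
        sess["forms"].update(scanner.forms)

    def check_request(self, session_id, cookies, url, body=""):
        """Return (allowed, reason). Only requests consistent with served pages pass."""
        sess = self._sessions.get(session_id)
        if sess is None:
            return False, "no pages served to this session yet"
        # Cookie poisoning: every cookie the server issued must come back unchanged.
        for name, issued in sess["cookies"].items():
            if cookies.get(name) != issued:
                return False, f"cookie '{name}' altered by client"
        # The target must be a form this session was actually shown.
        parts = urlsplit(url)
        form = sess["forms"].get(parts.path)
        if form is None:
            return False, f"'{parts.path}' was never offered to this session"
        # Merge query-string and body parameters (last value wins for duplicates).
        params = {}
        for raw in (parts.query, body):
            for name, values in parse_qs(raw, keep_blank_values=True).items():
                params[name] = values[-1]
        for name, value in params.items():
            if name not in form["fields"]:
                return False, f"unexpected parameter '{name}'"
            if len(value) > MAX_FIELD_LEN:
                return False, f"parameter '{name}' exceeds {MAX_FIELD_LEN} bytes"
            if name in form["hidden"] and value != form["hidden"][name]:
                return False, f"hidden field '{name}' changed from '{form['hidden'][name]}' to '{value}'"
        return True, "ok"


# Constructed sample page: what a shop's server might send one browser session.
SAMPLE_PAGE = """<html><body>
<form action="/cart/add" method="post">
  <input type="hidden" name="sku" value="A100">
  <input type="hidden" name="price" value="49.99">
  <input type="text" name="qty" value="1">
  <input type="submit" value="Add to cart">
</form></body></html>"""


def demo():
    """Run the constructed attacks from the article against the proxy; returns name -> (allowed, reason)."""
    proxy = PolicyProxy()
    proxy.observe_response("sess-1", {"user": "alice"}, SAMPLE_PAGE)
    ok = {"user": "alice"}
    legit = "sku=A100&price=49.99&qty=2"
    return {
        "legit": proxy.check_request("sess-1", ok, "/cart/add", legit),
        "price_tamper": proxy.check_request("sess-1", ok, "/cart/add", "sku=A100&price=0.99&qty=2"),
        "cookie_poison": proxy.check_request("sess-1", {"user": "bob"}, "/cart/add", legit),
        "extra_param": proxy.check_request("sess-1", ok, "/cart/add", legit + "&discount=100"),
        "overflow": proxy.check_request("sess-1", ok, "/cart/add", "sku=A100&price=49.99&qty=" + "A" * 4096),
        "unknown_path": proxy.check_request("sess-1", ok, "/admin/setprice", "price=1"),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:14s} {'ALLOW' if allowed else 'BLOCK'}  {reason}")
```

The point of the design is that no per-application rules are written by hand: the served page is the policy, so a rushed site with a hidden `price` field gets protected without anyone auditing its code. The cost is the state the proxy must keep per session, which is why the article's 20-millisecond figure is a round-trip overhead rather than a one-off.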

In general, preventing hacker exploits requires the e-commerce application to be rigorously designed and reviewed by security experts. But this is a luxury not all e-commerce operations can afford.

Instead, e-commerce sites are often rushed into production for competitive reasons. But Perfecto's founders think their application security proxy can protect sites that have not been designed with such rigor.

"This is for brokerages, airline companies, phone companies, retailers, financial institutions and online pharmacies," Reshef says. "It's for newspapers, analysts and TV stations."

AppShield, which costs $20,000, will be just the first product from Perfecto. Reshef says the start-up plans to announce other security tools in the next few months.
