President - Product Management for is responsible for the product and technology direction of the Cyberoam product line of Unified Threat Management appliances and other experience in developing products innovators of Cyberoam’s Layer 8 technology that implements the Human Layer over the theoretical 7 layers of the network stack. Abhilash’s excellent grasp of the security industry and in-depth technical knowledge has been instrumental in the evolution of the Cyberoam brand worldwide. A prolific public speaker, he has addressed network security forums including Bulletin (Vienna) and more
As we become dependent on Web applications, the security risks they are subject to can pose significant risk to an organization’s IT infrastructure if not managed proactively.

RAPID STRIDES made in web technologies have caused the business environment to grow more reliant on the internet. With this, web applications have become pivotal in business, customer and government services. While web applications offer unprecedented capabilities, convenience and efficiency, these benefits are subject to several security threats, which could invite significant risks to an organization’s information technology infrastructure if not managed proactively.

Business applications for accounting, collaboration, Customer Relationship Management (CRM), Supplier Relationship Management (SRM), Enterprise Resource Planning (ERP), content management, online banking, E-commerce, and many more, are all available on the web, and all of them house valuable, sensitive data!
Old Weapons Can’t Fight New Threats

Any vulnerability in these applications can cause significant and irreversible monetary loss. For a long time, organizations have relied on security defenses at the network perimeter to safeguard their IT infrastructure. However, traditional network security solutions like the firewall and IPS are nothing more than “useless old weapons” in the war over Web application security!

Sophisticated attacks have now transcended the TCP/IP protocols and target potential vulnerabilities in HTTP, HTML and XML, the protocols on which contemporary distributed web applications are built. A single URL now encompasses a myriad of applications such as video, email, chat, games, spreadsheets, surveys, P2P file transfer, etc. In addition, business applications interfacing with partners, suppliers and customers, such as ERP, CRM, SCM and financial MIS, are also being delivered over the web. Such enterprise apps use XML-based protocols like SOAP and REST and are built from many complex layers. With such business processes now being accessed as apps on various devices over the internet, new risks arise that can target and exploit the vulnerabilities in such apps.

The main reason the majority of web application attacks are successful today is that the attackers come in the same way any legitimate user would, all without disturbing the sanctity of RFCs or W3C standards.
According to the prestigious security analyst firm Gartner, 75% of attacks are directed at the application layer. Moreover, according to the Ponemon Institute, 93% of organizations hacked in the past two years were breached via insecure web applications.
Common Web Application Attacks

Cyber criminals persistently devise new ways to gain unauthorized access to web applications; here are several common methods.

SQL Injection

In an SQL injection attack, the attacker bypasses authentication and gains access to the entire contents of a backend database, including identity information. Here, input validation vulnerabilities in the application code are exploited to send unauthorized SQL commands to the back-end database.

Cross-site Scripting

Cross-site scripting attacks the application code by exploiting script injection vulnerabilities: malicious HTML tags or client-side scripting code is injected into HTML form fields, and a customer’s login credentials are redirected to an attacker.

Worms

Worms take advantage of vulnerabilities in commercial software platforms and operating systems. Code Red, Nimda, and MSBlaster are examples of worm infections that spread at an astounding rate, sometimes affecting hundreds of thousands of servers within minutes.

URL Parameter Tampering

This type of attack involves manipulation of the parameters exchanged between client and server. The attacker alters the URL query string parameter values in the browser’s address bar to change application data such as user credentials, permissions, and other information.

Cross-site Request Forgery (CSRF)

CSRF forces the authenticated user of an application to send an HTTP request to a target destination chosen by the attacker, without the user’s knowledge or intent. This results in data theft and, in the case of a full-blown attack, can compromise the entire web application.

OS Command Injection

OS Command Injection exploits vulnerabilities introduced during the design and development of applications. Here, the attacker takes advantage of an application vulnerability that results in the execution of system-level commands.

Session Hijacking

Session Hijacking exploits a valid computer session by stealing or predicting a valid session token, and thereby gains unauthorized access to information or services on the Web server.
Web Application Firewalls

Today’s advanced threats target security flaws in the design of Web applications. This has necessitated the development of evolved security measures to be implemented alongside the development of Web applications. A WAF (Web Application Firewall) is an appliance or server software add-on that can monitor and block traffic to and from applications. WAFs have become popular in many enterprises, especially those that need to comply with the Payment Card Industry Data Security Standard (PCI DSS).

How a WAF Thwarts Web Application Attacks

Web Application Firewalls sit between the Web client and the Web server and analyze OSI Layer 7 messages for violations of the programmed security policy, protecting websites and Web applications from attacks. They function bi-directionally: they intercept incoming Layer 7 attacks before they reach the Web server, and they also analyze the Web server’s responses to protect against the risk of information leakage from the organization. Placed right in front of the Web server, the WAF becomes the first stop for incoming information requests and the last stop for the information delivered in response.
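The following added example (not Cyberoam’s code) models the bi-directional Layer 7 inspection just described against the attack list above: a positive security policy of allowed query parameters and formats catches URL parameter tampering and injection attempts on the way in, a double-submit token check covers CSRF, and the response side scans for back-end error text that would leak internals. The policy, paths and leak patterns are constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Policy:
    """Positive security model: per-path allowed query parameters and their formats."""
    allowed_params: dict          # path -> {param name: regex the whole value must match}
    csrf_cookie: str = "csrftoken"
    csrf_header: str = "X-CSRF-Token"
    # Response strings that suggest the back end is leaking internals (constructed sample set)
    leak_patterns: tuple = (r"SQL syntax", r"Traceback \(most recent call last\)", r"ORA-\d{5}")


# Constructed policy for a hypothetical banking app with two protected paths
POLICY = Policy(allowed_params={
    "/account":  {"id": r"\d{1,9}"},
    "/transfer": {"to": r"[A-Za-z0-9]{1,32}", "amount": r"\d{1,7}"},
})


def inspect_request(policy, method, url, headers, cookies):
    """Inbound check: return a list of violations (an empty list means forward the request)."""
    violations = []
    parts = urlsplit(url)
    rules = policy.allowed_params.get(parts.path)
    if rules is None:
        return [f"path {parts.path!r} not in policy"]
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in rules:
            violations.append(f"unexpected parameter {name!r}")          # parameter tampering
        elif not all(re.fullmatch(rules[name], v) for v in values):
            violations.append(f"parameter {name!r} fails format check")  # tampering or injection
    if method.upper() in ("POST", "PUT", "DELETE"):
        token = cookies.get(policy.csrf_cookie)
        if not token or headers.get(policy.csrf_header) != token:
            violations.append("missing or mismatched CSRF token")        # double-submit cookie check
    return violations


def inspect_response(policy, body):
    """Outbound check: return the leak patterns found in the server's response body."""
    return [p for p in policy.leak_patterns if re.search(p, body)]
```

A real WAF would also normalize encodings before matching and log each violation with the client identity; this block keeps only the policy decision.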
Desired Protection for Customers, Value-driven Business Action for VARs

VARs should regularly monitor newly developed Web attacks and follow updated products that detect them to provide effective protection. Businesses large and small are now taking Web application security seriously. They understand that business applications are being targeted as the doorway to sensitive data and that cyber criminals are exploiting such vulnerabilities to steal or compromise that information. This state of awareness presents a new opportunity for security resellers to give their customers a better RoI on their investments in security appliances, with a WAF subscription extending evolved protection against threats from Web apps.

Moreover, there exists a segment of industries, such as BFSI and the Payment Card industry, where regulatory requirements are making adoption of Web application firewalls mandatory. Similarly, any industry where sensitive business and customer data is accessed or delivered through web apps can benefit immensely from a WAF.