Web Applications Security Overview and Radware AppWall Solution

White Paper

November 2008


Table of Contents

1. Preface
   1.1. General
   1.2. Target Audience
2. Introduction to Web Applications Security
   2.1. Web Applications Security Overview
   2.2. HTTP: The Internet Protocol
      2.2.1. Background on HTTP
      2.2.2. HTTP Methods
   2.3. Security Issues, Hackers and Threats
      2.3.1. OWASP Top Ten Vulnerabilities Classification
      2.3.2. WASC Web Security Attack Classification
      2.3.3. Unclassified Application-Layer Attack Types
3. Complete Threat Protection with AppWall


1. Preface

1.1. General

Enabling organizational processes and applications for the Internet is a critical requirement in today's business landscape. As a result, strong network-level protection against attacks, such as firewalls and intrusion detection systems, is mandatory in all enterprise Web Application environments, as such threats impose real risk and high costs.

However, hacking techniques are now designed to legitimately access a Web Application and attack back-end systems using transactions that appear to be normal. These well-publicized Web "application level" attack techniques cannot be detected by network firewalls and intrusion detection systems. Web Application attacks pass through unchecked, enabling access to sensitive information and systems. In addition, since this entire activity looks like perfectly legitimate Internet traffic, the network security team is completely unaware of these attacks unless someone happens to notice their effects.

This paper provides an overview of Web Application Security and discusses the following topics:

- Introduction to Web Application Security - describes Web Application security, including an overview of HTTP and its related security issues, and the hackers and threats currently at play in the Web Application industry
- Complete Threat Protection with Radware AppWall - discusses the various protection techniques provided by AppWall

1.2. Target Audience

This paper is intended for IT professionals who are responsible for implementing a Web Application's security policy in their organization. This guide takes the reader from the basic initial steps of starting to work with AppWall through to more advanced AppWall configurations, depending on the reader's requirements.

It is assumed that readers of this guide are familiar with many of the concepts and terms used throughout the Web Application Security industry.


2. Introduction to Web Applications Security

2.1. Web Applications Security Overview

We at Radware refer to Web Application Security as making use of software and hardware to protect Web Applications from internal and external threats.

As the tools and technology approaches used to create Web Applications rapidly change, developers tend to spend more time implementing these tools and technologies, and less time implementing security in the application. An application that has been developed with security in mind minimizes holes and backdoors to the application. These holes and backdoors leave the application vulnerable to potential hackers.

Security is becoming an increasingly important concern during development as applications become more frequently accessible over networks and are, as a result, vulnerable to a wide variety of application-layer threats.

Hacking or attacking Web Applications is a security domain which has no limits as to the number of methods and techniques that can be used to gain illegal access, manipulate information, or cause damage to an enterprise. As these methods and techniques develop, it is our aim to develop means and techniques through advanced technology to prevent harm to an application.

The following sections provide in-depth information about HTTP, the main protocol used to deliver files and data across the Internet, as well as information on the known threats, vulnerabilities and attack types as they are classified today by security authorities such as the FBI, the SANS (SysAdmin, Audit, Network, Security) Institute, WASC (Web Application Security Consortium) and OWASP (Open Web Application Security Project).

2.2. HTTP: The Internet Protocol

Hypertext Transfer Protocol (HTTP) is perhaps the most significant protocol used on the Internet today. Web services, network-enabled appliances and the growth of network computing continue to expand the role of HTTP beyond user-driven Web browsers, while increasing the number of applications that require HTTP support.

2.2.1. Background on HTTP

HTTP is the network protocol used to deliver virtually all files and other data (collectively referred to as 'resources') on the World Wide Web, including HTML files, image files, query results, or data in any other format.

A browser, known as an HTTP client, sends requests to an HTTP server (Web server), which then sends responses back to the client. HTTP usually takes place over TCP connections, usually using port 80, though this can be overridden so that another port is used.

After a successful connection, the client transmits a request message to the server, which sends a reply message back. The simplest HTTP message is "GET <URL>", to which the server replies by sending the named document. If the document does not exist, the server will send an HTML-encoded message stating that.

HTTP is used to transmit resources, not just files. A resource is a chunk of information that can be identified by a Uniform Resource Locator (URL; resources are the R in URL). The most common type of resource is a file, but a resource may also be a dynamically generated query result, the output of a CGI script, the output of PHP or any other dynamic Web scripting language, a Java servlet, a document that is available in several languages, or something else.

2.2.2. HTTP Methods

HTTP defines eight methods (sometimes referred to as "verbs"), indicating the desired action to be performed on the identified resource, as follows:

- HEAD: Asks for a response identical to the one that would correspond to a GET request, but without the response body. This is useful for retrieving meta-information written in response headers, without having to transport the entire content.
- GET: Requests a representation of the specified resource. This method is by far the most common method used on the Web today. GET should not be used for operations that cause side-effects (using it for actions in Web Applications is a common misuse).
- POST: Submits data to be processed (for example, from an HTML form) to the identified resource. The data is included in the body of the request. This may result in the creation of a new resource, the update of existing resources, or both.
- PUT: Uploads a representation of the specified resource.
- DELETE: Deletes the specified resource.
- TRACE: Echoes back the received request, so that a client can see what intermediate servers are adding to or changing in the request.
- OPTIONS: Returns the HTTP methods that the server supports for the specified Uniform Resource Identifier (URI). This can be used to check the functionality of a Web server by requesting '*' instead of a specific resource.
- CONNECT: Converts the request connection to a transparent TCP/IP tunnel, usually to facilitate SSL-encrypted communication (HTTPS) through an unencrypted HTTP proxy.


2.3. Security Issues, Hackers and Threats

This section describes the various security issues, hackers and threats that are regularly monitored by industry communities such as OWASP and WASC, who produce widely agreed-upon best-practice security standards for the World Wide Web.

2.3.1. OWASP Top Ten Vulnerabilities Classification

The following provides a description of the OWASP Top Ten:

"The OWASP Top Ten provides a minimum standard for Web Application security. The OWASP Top Ten represents a broad consensus about what the most critical Web Application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. OWASP urges all companies to adopt the standard within their organization and start the process of ensuring that their Web Applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code."

There may be many reasons why your Web Application may be vulnerable to one or more of the OWASP Top Ten security flaws. For example:

- The Web Application in use by your enterprise may have been created using different types of technologies and software platforms.
- The development personnel in your enterprise might not have had security in mind while developing the Web Application, or may have left backdoors to the application for maintenance. Furthermore, it is common that the development personnel have changed jobs or have failed to document the application structure.

Important note: Your application is not susceptible to attack if it is not vulnerable. Maintaining the application constantly, keeping up to date with vulnerability information and fixing potential risks in the application must be considered a priority and not an unpleasant task.

The following table summarizes the Top Ten vulnerabilities in Web Application security as classified by OWASP:


Vulnerability Class: Summary Description

A1 - Cross Site Scripting (XSS): The Web Application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.

A2 - Injection Flaws: Web Applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the Web Application.

A3 - Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

A4 - Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

A5 - Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on user's browser to send a pre-authenticated request to a vulnerable Web Application, which then forces the user's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the Web Application that it attacks.

A6 - Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to steal sensitive data or conduct more serious attacks.

A7 - Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

A8 - Insecure Cryptographic Storage: Web Applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.

A9 - Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 - Failure to Restrict URL Access: Applications frequently only protect sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.

2.3.2. WASC Web Security Attack Classification

The Web Security Threat Classification is a cooperative effort to clarify and organize the threats to the security of a Web site. The members of the Web Application Security Consortium (WASC) have created this project to develop and promote industry-standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language for web security related issues.

The WASC Threat Classification is broken down into the following main classes:

1) Authentication - Authentication threats include attacks against the validation methods used by Web Applications to validate users, services or applications. The threats that target the authentication process of Web Applications include the following:
   - Brute Force Attacks
   - Insufficient Authentication
   - Weak Password Recovery Validation

2) Authorization - Authorization threats include attacks against the methods used by the Web Application to determine whether the user, service or application has the required permissions to perform actions. Potential hackers may attempt to manipulate the Web Application to gain privileges to restricted areas and to perform illegal actions. These threats include the following:
   - Credential/Session Prediction
   - Insufficient Authorization
   - Insufficient Session Expiration
   - Session Fixation

3) Client-Side Attacks - Client-side attacks cover a wide range of Web Application manipulation and abuse. A potential hacker may attempt to utilize the technology employed when a user connects to a Web Application to attack the user. These threats include:
   - Content Spoofing
   - Cross-Site Scripting

4) Command Execution - These threats involve attacks designed to execute remote commands on the Web Application. These attacks are generally aimed at user-supplied information, which is used to create commands that result in dynamic web content. With the process left insecure, an attacker could manipulate the command execution. These threats include:
   - Buffer Overflow
   - Format String Attack
   - LDAP Injection
   - OS Commanding
   - SQL Injection
   - SSI Injection
   - XPath Injection

5) Information Disclosure - Information Disclosure threats cover attacks designed to obtain Web Application specific system information. This information usually includes software distribution, version numbers, patch level, etc. The information may also include the names and locations of temp files, backup files and others. This information may be gathered and used by a potential hacker in order to locate and exploit a backdoor or unprotected access point to the Web Application. These threats include:
   - Directory Indexing
   - Information Leakage
   - Path Traversal
   - Predictable Resource Location

6) Logical Attacks - Logical attack threats focus on the possible exploitation of Web Application logic flow by a potential hacker. Application logic is a term that describes the procedure used by the application to perform a specific action, for example account registration, recovering passwords, online purchases, etc. A hacker may bypass a specific process required by the application and hence find a way to damage users or the application. These threats include:
   - Abuse of Functionality
   - Denial of Service
   - Insufficient Anti-Automation
   - Insufficient Process Validation

2.3.3. Unclassified Application-Layer Attack Types

The following table highlights attack forms that are not classified by any particular organization, yet they exist. These attack forms may appear as part of any of the above classifications, or may be the result of a completely different class.


Forms of Attack: Brief Description

Parameters Tampering: Manipulating elements in the URL sent to a Web site in order to gain illegal access or unauthorized information. By manipulating the parameters in the request, a potential hacker can then navigate and modify its contents.

Cookie Poisoning: Changes the content of cookies from what was originally set by the application and can forge a cookie with stolen information.

Database Sabotage: Injects various SQL commands into input fields or messages that affect the regular operation of the database.

Web Services Manipulation: Exploiting vulnerabilities inherent in Web Services formats, structure, and operations, as well as dictionary and encoding manipulations.

Stealth Commanding: Smuggles command statements in text fields that will be executed within a given layer of the infrastructure.

Debug Options: Exploits vulnerabilities left open in internally developed code by using debug constructs.

Backdoor: Uses the privileged/un-referenced access that applications may provide. These are points of access to the Web Application that were not intended to be discovered by untrusted users. Some backdoors were intended only to be used during the application development stage but were never removed when the application was deployed.

Manipulation of IT Infrastructure Vulnerabilities: Exploits vulnerabilities in an integrated Internet environment, such as known patterns and common files and folders.

3rd-Party Misconfiguration: Exploits configuration errors in third-party components, such as Web and database servers.

Buffer Overflow Attacks: Sends large request messages to the application, attacking either third-party or internally developed code.

Data Encoding: Sends requests using different data encoding standards such as Unicode, UTF-8, and UTF-16. Targets variations in data encoding to pass and execute commands within specific layers of the operating environment.

Protocol Piggyback: Modifies the application protocol structure to include nested commands. Targets variations in protocols to pass and execute commands within specific layers of the operating environment.

Cross-Site Scripting (XSS): Attacks the end user's browser to reveal the end user's session token, attack the local machine or spoof content.


3. Complete Threat Protection with AppWall

This section describes the protection techniques (Security Filters) AppWall provides against the threats and attacks described in the previous sections.

Filter Name / Filter Description / Threats Protected Against

Parameters Security Filter
This filter evaluates parameters sent in requests against a configured list of allowed (or not allowed) parameters, configured for pre-defined rules or ranges.
Threats protected against: Parameters Tampering; Unvalidated Input; Buffer Overflow; Data Encoding

Global Parameters Security Filter
This filter evaluates request parameter values by applying specified patterns, including regular expressions, to qualifying parameters.
Threats protected against: Parameters Tampering; Unvalidated Input; Buffer Overflow; Data Encoding

XML Security Filter
This filter parses and evaluates the XML body structure of requests as well as values encapsulated within the XML tags. Parameter names are created using the full hierarchy of nested tags containing each value. The created parameters are evaluated by subsequent parameter-related Security Filters as defined on the Application Path level.
Threats protected against: Unvalidated Input; Buffer Overflow; Parameters Tampering

Web Services Security Filter
This filter evaluates Web Service requests and generates an event when the request violates valid WSDL operations. Valid operations can be determined by import and examination of the WSDL file.
Threats protected against: Unvalidated Input; Buffer Overflow; Parameters Tampering; Web Services Manipulation

Session Security Filter
This filter prevents remote users from modifying the application parameter values stored in HTML forms, and from manipulating session state information and submitting it to the Web Application. The Session Security Filter also protects Cookie, Path, Query, and Form parameters.
Threats protected against: Broken Access Control; Broken Authentication and Session Management; Insecure Storage; Authorization; Cookie Poisoning

Allow List Security Filter
This filter evaluates requests based on a configured list of valid page and method requests. Based on the evaluation it generates an event for any request not conforming to the configured list of valid requests, or stops the request.
Threats protected against: Broken Access Control; Insecure Configuration Management; Logical Attacks; 3rd Party Misconfiguration

Path Blocking Security Filter
This filter evaluates requests to access files and folders on the application based on a configured list of relative or specific URLs and generates an event when the request does not match the specified URLs.
Threats protected against: Broken Access Control; Insecure Configuration Management; Logical Attacks

Brute Force Security Filter
This filter prevents remote users from attempting to guess the username and password of an authorized user.
Threats protected against: Authentication and Session Management; Authentication

Database Security Filter
This filter evaluates request parameters for harmful SQL command syntax, command shell attacks, and cross-site scripting. It generates an event when the request does not match those specified in a configured parameters list, or stops the request completely.
Threats protected against: Cross Site Scripting (XSS); Injection Flaws; Client-Side Attacks; Command Execution; Database Sabotage; Stealth Commanding; Backdoor

Vulnerabilities Security Filter
This filter checks requests for known vulnerability patterns based on a deterministic set of rules and generates an event when a vulnerability pattern is detected. The user can also create custom patterns to generate events.
Threats protected against: Cross Site Scripting (XSS); Injection Flaws; Client-Side Attacks; Command Execution; Logical Attacks; Stealth Commanding; Debug Options; Backdoor; Manipulation of IT Infrastructure Vulnerabilities

Safe Reply Security Filter
This filter evaluates outbound replies for the presence of sensitive information such as credit card and Social Security numbers.
Threats protected against: Improper Error Handling; Information Disclosure

Files Upload Security Filter *
This filter evaluates uploads and generates an event when the request does not conform to the configured specification for upload locations, file extensions, and file retrievals.

HTTP Methods Security Filter *
This filter evaluates HTTP request methods and generates an event when the request methods do not conform to the configured list of allowable methods.

Logging Security Filter *
This filter provides logging capabilities for both incoming and outgoing HTTP traffic and specifies log contents, location, size, and other properties.

* Although these filters do not protect against specific threats previously mentioned in this chapter, they add an extra dimension to enterprise security.
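The positive-security evaluation that the HTTP Methods, Allow List, Parameters and Global Parameters filters above describe, sketched in Python as an added illustration rather than AppWall code; the two-page policy, the parameter rules, the regex patterns and the sample requests are all constructed for this example.

```python
"""Positive-security request filtering in the style of the AppWall Security
Filters table (HTTP Methods, Allow List, Parameters, Global Parameters).
Added illustration only: the policy below and the sample requests are
constructed for this example and are not AppWall configuration."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# --- constructed policy for a hypothetical two-page application -------------
ALLOWED_METHODS = {"GET", "POST", "HEAD"}                  # HTTP Methods filter
PAGE_ALLOW_LIST = {"/login": {"GET", "POST"}, "/account": {"GET"}}  # Allow List
# Parameters filter: page -> name -> (type, max length, numeric range or None)
PARAM_RULES = {
    "/login":   {"user": ("str", 32, None), "pass": ("str", 64, None)},
    "/account": {"id": ("int", 8, (1, 999999))},
}
# Global Parameters filter: patterns applied to every qualifying value
GLOBAL_PATTERNS = {
    "sql-quote-or-comment": re.compile(r"'|--|;"),
    "script-tag": re.compile(r"<\s*script", re.I),
}


@dataclass
class Event:
    filter: str   # which Security Filter raised the event
    detail: str


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, [(name, value), ...])."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    headers = dict(h.split(":", 1) for h in header_lines)
    ctype = headers.get("Content-Type", "").strip()
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)  # form body params
    return method, url.path, params


def evaluate(raw: str) -> list:
    """Run the request through the filters; return the events they generate."""
    method, path, params = parse_request(raw)
    events = []
    if method not in ALLOWED_METHODS:
        events.append(Event("HTTP Methods", f"method {method} not allowed"))
    if path not in PAGE_ALLOW_LIST:
        events.append(Event("Allow List", f"page {path} not in allow list"))
        return events  # no parameter rules exist for an unlisted page
    if method not in PAGE_ALLOW_LIST[path]:
        events.append(Event("Allow List", f"{method} not permitted on {path}"))
    rules = PARAM_RULES.get(path, {})
    for name, value in params:
        rule = rules.get(name)
        if rule is None:  # positive security: unknown parameter names are events
            events.append(Event("Parameters", f"unexpected parameter {name!r}"))
            continue
        kind, max_len, rng = rule
        if len(value) > max_len:
            events.append(Event("Parameters", f"{name} exceeds {max_len} chars"))
        if kind == "int":
            if not value.isdigit():
                events.append(Event("Parameters", f"{name} is not an integer"))
            elif rng and not rng[0] <= int(value) <= rng[1]:
                events.append(Event("Parameters", f"{name} out of range {rng}"))
        for pname, pat in GLOBAL_PATTERNS.items():
            if pat.search(value):
                events.append(Event("Global Parameters", f"{name} matches {pname}"))
    return events


# --- constructed sample traffic ---------------------------------------------
CLEAN = "GET /account?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
TAMPERED = "GET /account?id=0&debug=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
INJECT = ("POST /login HTTP/1.1\r\nHost: shop.example\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "user=admin'--&pass=x")
TRACE = "TRACE /login HTTP/1.1\r\nHost: shop.example\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("tampered", TAMPERED),
                       ("inject", INJECT), ("trace", TRACE)]:
        print(label, [(e.filter, e.detail) for e in evaluate(req)])
```

Because the page and parameter lists are allow lists, the tampered request is flagged for an out-of-range id and an unknown debug parameter even though no signature matched it.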

For further information on working with AppWall Security Filters, please refer to the Security Filters section of the AppWall Management Application online help.
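The outbound check described for the Safe Reply Security Filter, written here in Python as an added example and not as Radware's implementation; the card and SSN patterns, the masking policy, the sample replies, and the use of a Luhn mod-10 check (not mentioned on the page) to separate card numbers from ordinary digit runs are all assumptions made for this example.

```python
"""Outbound-reply scanning in the spirit of the Safe Reply Security Filter:
find payment card numbers and US Social Security numbers in a response body
and mask them before the reply leaves. Added example, not Radware code; the
patterns, the Luhn check and the sample replies are constructed here."""
import re

# Candidate card numbers: 13 to 19 digits, optionally grouped by space/hyphen.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS layout, excluding never-issued area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: rejects most random digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Replace all but the last `keep` digits with '*', keeping separators."""
    total = sum(ch.isdigit() for ch in value)
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - keep else "*")
        else:
            out.append(ch)
    return "".join(out)


def scan_reply(body: str):
    """Return (masked_body, findings); each finding is (kind, original_text)."""
    findings = []

    def card_sub(m):
        if not luhn_valid(re.sub(r"\D", "", m.group(0))):
            return m.group(0)  # fails Luhn: not a card number, leave it alone
        findings.append(("card", m.group(0)))
        return mask(m.group(0))

    def ssn_sub(m):
        findings.append(("ssn", m.group(0)))
        return mask(m.group(0))

    body = CARD_RE.sub(card_sub, body)
    body = SSN_RE.sub(ssn_sub, body)
    return body, findings


# --- constructed sample replies ---------------------------------------------
LEAKY = ("<p>Order 1234567890123 shipped. Card 4539 1488 0343 6467 on file, "
         "SSN 123-45-6789.</p>")
CLEAN = "<p>Order 1234567890123 shipped.</p>"

if __name__ == "__main__":
    masked, findings = scan_reply(LEAKY)
    print(masked)
    print(findings)
```

The 13-digit order number passes through untouched because it fails the Luhn check, while the Luhn-valid card number and the SSN are masked and reported as events.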


Additional information is available on AppWall's page on the Radware Web site at www.radware.com.

© 2008 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A.