GOING WHERE NO WAFS HAVE GONE BEFORE

Similar documents
Solutions Business Manager Web Application Security Assessment

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Web Application Security. Philippe Bogaerts

SECURITY TESTING. Towards a safer web world

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Web Application Penetration Testing

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

Certified Secure Web Application Engineer

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Cyber Attacks and Application - Motivation, Methods and Mitigation. Alfredo Vistola Solution Architect Security, EMEA

Application vulnerabilities and defences

C1: Define Security Requirements

Your Turn to Hack the OWASP Top 10!

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Applications Security

COMP9321 Web Application Engineering

OWASP TOP 10. By: Ilia

Welcome to the OWASP TOP 10

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Copyright

Application. Security. on line training. Academy. by Appsec Labs

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Security

Evaluation Criteria for Web Application Firewalls

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

F5 comprehensive protection against application attacks. Jakub Sumpich Territory Manager Eastern Europe

Web Application Vulnerabilities: OWASP Top 10 Revisited

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Application security : going quicker

Sichere Software vom Java-Entwickler

CSWAE Certified Secure Web Application Engineer

Web Applications Security. Radovan Gibala F5 Networks

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

COMP9321 Web Application Engineering

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Content Security Policy

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

WHY CSRF WORKS. Implicit authentication by Web browsers

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

OWASP TOP OWASP TOP

TIBCO Cloud Integration Security Overview

F5 Application Security. Radovan Gibala Field Systems Engineer

Web Application Firewall

F5 Big-IP Application Security Manager v11

Engineering Your Software For Attack

Application Layer Security

Web Application Attacks

Notes From The field

epldt Web Builder Security March 2017

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

1 About Web Security. What is application security? So what can happen? see [?]

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Managed Application Security trends and best practices in application security

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

KEEPING THE BAD GUYS OUT WHILE LETTING THE GOOD GUYS IN. Paul Deakin Federal Field Systems Engineer

Secure Development Guide

Application Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle

Identiteettien hallinta ja sovellusturvallisuus. Timo Lohenoja, CISPP Systems Engineer, F5 Networks

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

RKN 2015 Application Layer Short Summary

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

BIG-IP Application Security Manager : Implementations. Version 13.0

Web Application Threats and Remediation. Terry Labach, IST Security Team

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

Aguascalientes Local Chapter. Kickoff

Information Security CS 526 Topic 8

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Providing Secure, Fast and Available

Inverting Risk Management for Ethical Hacking. SecureWorld Expo 09

Curso: Ethical Hacking and Countermeasures

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Presentation Overview

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Herding Cats. Carl Brothers, F5 Field Systems Engineer

Development Security Guide Oracle Banking Virtual Account Management Release July 2018

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

EasyCrypt passes an independent security audit

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

Preparing for the Cross Site Request Forgery Defense

CSCD 303 Essential Computer Security Fall 2017

Transcription:

GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ

Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation Methods

WTF is a WAF?

Surely not another security technology? We already have: Intrusion Prevention, Firewalls, Strong Authentication, Patch Management Vulnerability Scanning VPN Antivirus DDoS mitigators...

Virtually every organisation has vulnerabilities 8 out of 10 websites vulnerable to attack - WhiteHat security report 97% of websites at immediate risk of being hacked due to vulnerabilities! 69% of vulnerabilities are client side-attacks 75 percent of hacks happen at the application. - Web Application Security Consortium - Gartner Security at the Application Level 64 percent of developers are not confident in their ability to write secure applications. - Microsoft Developer Research

WAFs are a bit different They are ONLY for web applications and web services Securing vulnerable web applications is not easy for a product to deliver Impossible for a jack of all protocols security box

In front of the application: Vulnerabilities Exploitable Here Virtual Patch goes here

Application Protection Strategy Ideally there should be no vulnerabilities in the first place... However: Difficult to enforce; especially with thirdparty code Code changes may be a slow path to remediation, or impossible More secure coding requires more skill and time (cost) Some attack mitigation requires features developed within each application expensive. Best Practice Design Methods Web Apps WAF Automated & Targeted Testing Toolkit to improve security not silver bullet Provides remediation, protection, visibility Real-time 24 x 7 protection Management is important but need not be onerous Often the shortest path to remediation Should be done regularly ideally daily Scanning technology must be continually evolving Multiple tools gives greater coverage Operator skill the most important element Human penetration testing still required

Who is responsible for application security? Web developers? Network Security? Engineering services? DBA?

Developers are asked to do the impractical... Application Security? Application Patching Application Development Application Scalability Application Performance

How long to resolve a vulnerability? Website Security Statistics Report

Challenges of traditional network solutions (FW, IPS) HTTP attacks are valid requests HTTP is stateless, application is stateful Web applications are unique there are no IPS signatures for YOUR web application Good protection has to have session context and awareness Encrypted traffic facilitates attacks Organizations are living in the dark missing tools to expose/log/report HTTP attacks

Why Not Fix the Code? Sometimes: End of Life applications may not warrant the investment Third Party Code may not be available to fix Developers have moved on, organisation lacks the resource Platform and system dependencies prevent code fix or patch Developers asked to focus on new strategic initiatives Patching old apps is sunk cost Building new apps is business growth

we NEED WAFs to work sla.ckers.org XSSed.com

An IT or Business Risk?

Pre-Conceived Perception No silver bullet Can always be bypassed by a skilled attacker No replacement for good code Only need one for PCI Compliance Item 6.6 Install a web-application firewall in front of publicfacing web applications

The Eye Opener Customer with very broken app (developed overseas) Broken Auth All data and feature restrictions on the client All data validation on the client Advanced WAF able to patch all features

All of the Top 10? Injection: SQL, OS & LDAP Injection XSS (Cross-site Scripting) Broken Auth. & Session Management Direct Object Reference XSRF (Cross-site Request Forgery) Security Misconfiguration Poor Crypto Unrestricted URL access Insufficient Transport Layer Protection Unvalidated Redirects and Forwards

The Easy Bits Injection: SQL, OS & LDAP Injection XSS (Cross-site Scripting) Direct Object Reference XSRF (Cross-site Request Forgery) Unrestricted URL access Insufficient Transport Layer Protection Unvalidated Redirects and Forwards

SQL Injection

SQL Injection

Security Evasion using Encoding: Basic SQL Injection via URI parameter: ' or 1=1 or ' Encoded version: %27%20%6f%72%20%31%3d%31%20%6f% 72%20%27

Evasion using Inline Comments: '/*comment*/ or/*comment*/ 1=1/*comment*/ or/*comment*/ '

Encoding and Commenting together: Encoded, commented version: %27%2f%2a%63%6f%6d%6d%65%6e%74%2a%2f %20%6f%72%2f%2a%63%6f%6d%6d%65%6e%7 4%2a%2f%20%31%3d%31%2f%2a%63%6f%6d% 6d%65%6e%74%2a%2f%20%6f%72%2f%2a%63 %6f%6d%6d%65%6e%74%2a%2f%20%27

Encoding and Commenting Together:

Signature Matches on Decoded Request:

Not So Easy Bits...

Not so Easy Bits Broken Auth. & Session Management Security Misconfiguration Exposed Web Services And Business Logic Flaws

Authorisation Data Acess All data is returned to the client app Client only shows restricted data if you re allowed to see it

Server Response Scrubbing Parse outgoing data set Match user identity and group with content Remove unauthorised Records from XML Return only authorised data

Broken Auth and Session Management

Log In as One User...

View Another User s Data:

View Everyone s Data:

Dynamic Parameter Server sends out parameters Form fields, URI parameters in links, Cookies, etc WAF will parse and sign these in a cookie Inbound requests must present valid signature Any value is OK, as long as it is YOUR value Server must have supplied the parameter value within your session Can t be changed on the client side

Blocking Response

Exposed Web Services

Unauthorised Method Access App relies on Client side validation Back end methods all open

Authorisation for Method Access XML Firewalls provide this function Client Identity and Role may be used to disallow Method Access VLAN or IP address, ID, Device type, etc

Business Logic Flaws

Advanced Mitigation Authentication and Authorisation Wrapper Auth proxy 2 factor Certificate, Kerberos, Forms based, NTLM, etc Response Modification EXIF tag XSS example CSRF token example Enforcing Order of Events ( Flow ) Full request and response parsing and modification Session awareness with session principles Programmable framework used to mitigate app-specific cases

Responsive Actions: Drop Request Log, Email, SNMP trap Respond with Blocking content HTML Security warning Link to email administrators in case of issues SOAP Fault for web services Javascript injection for AJAX Honeypot silent redirect Query the client a bit further Browser or Robot? Send back Javascript to test client before trusting session Your ideas here...?

Questions

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback