Securing Web Applications: Defense Mechanisms
Kishin Fatnani, Founder & Director, K-Secure
Workshop: Application Security: Latest Trends, by CERT-In, 30th Jan 2009
Agenda
- Current scenario in Web Application Security
- Defenses, with their pros and cons
- Web Application Firewall
- Detection Techniques
- Protection Techniques
- DEMO
Real life cases
Real life cases 2.0 (chart)
Source: The Web Hacking Incidents Database [http://webappsec.org/projects/whid/]
My.BarackObama.com Infects Visitors With Trojan
Source: cyberinsecure.com
The Most Prevalent Vulnerabilities (chart)
Source: Web Application Security Consortium (WASC)
OWASP Top 10 Vulnerabilities 2007
1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
Where is the Web Application?
Layers, top to bottom:
- Web Applications
- Web Server
- Operating System
- Network Protocol
Perimeter Security
Perimeter Firewall -> Web Server -> Application Server -> DB
Protection to Web Applications
- Web Application Attacks target the Web Applications layer
- Attacks on the Network, OS and Web Server target the Web Server, Operating System and Network Protocol layers
- Security Devices (Firewall / IPS) cover those lower layers only
How to secure Web Applications?
- Secure coding: developers must be educated on writing secure code that implements proper validation, boundary checks and sanitizes data
- Testing applications for vulnerabilities: black box and white box testing
- Secure configuration: the web server and applications must be securely configured with proper access control and hardening
- Web Application Firewall: filtering malicious data, or restricting traffic to and from web applications to legitimate requests
Secure Coding
- Secure coding is the best way to avoid vulnerabilities in applications
- However, it will still not be possible to write 100% secure applications
- Each developer will have to be kept updated with the newer methods of attacking applications
- One developer misses a single check and unknowingly creates a vulnerability in the application, which may lead to compromise of the entire database
Testing Applications
- Testing for security vulnerabilities in applications can be done using automated tools and manual assessment methodologies
- White Box testing can be done to find vulnerabilities in the source code
- Black Box testing can be done to find vulnerabilities in running applications
Testing Applications
- Vulnerabilities detected in application testing can be reported to development teams for rectification
- The time required to test, report and get the problem rectified is very long
Automated Tools
Assessment Tools (tool - vendor):
- Rational AppScan - IBM
- NTOSpider - NT Objectives
- WebInspect - HP
- Hailstorm - Cenzic
Source Code Analysis (tool - vendor):
- AppCodeScan - Blueinfy
- Fortify - Fortify
- Ounce - Ounce Labs
Secure Configuration
- The server on which the applications are deployed must be configured securely so that no unauthorized person can access the restricted areas, read the source files or execute commands with root privileges
- A misconfiguration may weaken the security of a well written, secure application
Web Application Firewall
- A Web Application Firewall can complement a network firewall to further inspect the application traffic and filter out unwanted or malicious data
- It can work as a virtual patch for vulnerabilities yet to be patched by the developers of an application
- Attempts to exploit applications can be monitored
- Can be deployed very quickly and easily
Without Application Security
Perimeter Firewall -> Web Server -> Application Server -> DB
Web Application Firewall: Inline
Perimeter Firewall -> Web Application Firewall -> Web Server -> Application Server -> DB
Web Application Firewall: Out of Line
Perimeter Firewall -> Web Server -> Application Server -> DB, with the Web Application Firewall positioned beside the traffic path rather than in it
Web Application Firewall: Embedded
Perimeter Firewall -> Web Server (with embedded Web Application Firewall) -> Application Server -> DB
Some Application Firewalls (product - vendor)
- WebDefend - Breach Security
- Big-IP - F5 Networks
- NetScaler Application Firewall - Citrix
- SecureSphere WAF - Imperva
- Web Application Gateway - Barracuda
- ModSecurity - Open Source
Why WAF?
- Protecting an application from attacks requires complete knowledge of application communication
- Firewalls and IDS/IPSs with deep inspection capabilities can understand the protocols and state information
- To protect applications, the device is required to interpret HTML data and session context
WAF Detections
- Positive Security Model
- Negative Security Model
- SSL Decryption
Security Model: Negative Security Model
- Signatures / rules are defined to look for and prevent malicious transactions
- Good for known attacks, but needs to be updated whenever a new attack pattern is discovered
- Easy to configure, and out-of-box protection is available
- Allows most applications to run without any customization
Security Model: Positive Security Model
- Rules are defined for valid and safe transactions
- Any transaction not matching a rule will be denied
- Understanding of the application is needed
- Good for unknown attacks
- Updates may not be required for newer attacks, but changes to applications might require changes to rules
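The two models on the preceding slides, side by side, as an added example (not code from the presentation or from any WAF product): the negative model carries a few constructed signatures for known-bad patterns, while the positive model carries hypothetical per-path allowlist rules of the kind an application profile would describe. The constructed requests show the trade-offs the slides list: an unknown pattern slips past the signatures but not the allowlist, and an application change (a new parameter) is blocked by the allowlist until its rules are updated.

```python
import re

# Negative model: signatures for known attack patterns (constructed, illustrative only)
NEGATIVE_RULES = [
    ("sql-comment",   re.compile(r"--|/\*")),
    ("sql-tautology", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),
    ("xss-script",    re.compile(r"<\s*script", re.I)),
]

# Positive model: per-path allowlist of parameters and their permitted values
# (hypothetical rules for a constructed application)
POSITIVE_RULES = {
    "/product": {"id": re.compile(r"[0-9]{1,6}")},
    "/search":  {"q":  re.compile(r"[A-Za-z0-9 ]{1,40}")},
}

def negative_model(req):
    """Deny only if some parameter value matches a known-bad signature."""
    for name, pat in NEGATIVE_RULES:
        for value in req["params"].values():
            if pat.search(value):
                return ("deny", name)
    return ("allow", None)

def positive_model(req):
    """Deny anything not explicitly described as valid for this path."""
    rules = POSITIVE_RULES.get(req["path"])
    if rules is None:
        return ("deny", "unknown-path")
    for key, value in req["params"].items():
        pat = rules.get(key)
        if pat is None:
            return ("deny", f"unknown-param:{key}")
        if not pat.fullmatch(value):
            return ("deny", f"bad-value:{key}")
    return ("allow", None)

# Constructed requests: normal, known SQLi pattern, unknown pattern, application change
SAMPLE_REQUESTS = [
    {"path": "/product", "params": {"id": "42"}},
    {"path": "/product", "params": {"id": "42' OR '1'='1"}},
    {"path": "/product", "params": {"id": "../../config"}},
    {"path": "/product", "params": {"id": "7", "lang": "en"}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["params"], "negative:", negative_model(req), "positive:", positive_model(req))
```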
SSL Decryption
- A WAF must be able to inspect the data protected by SSL
- An embedded WAF will receive data in cleartext
- Other types of WAF will need to decrypt the traffic by either:
  - Terminating the SSL session on the WAF, OR
  - Passively decrypting the traffic using the web server's private key
Protection Techniques
- Brute-Force Protection: detect manual or automated brute force attacks and block or slow them down
- Cookie Protection: sign, encrypt or hide cookies
- Hidden Form Field Protection: protect them from being changed
- Session Management: virtualize session management
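Cookie signing, one of the protections listed above, as an added example (not code from the presentation or from any WAF product): on the way out the WAF appends an HMAC tag to each cookie value, and on the way in it verifies the tag and strips it, rejecting any request whose cookie was altered. The same sign_value/verify_value pair covers hidden form fields, since the tag is bound to the field name as well as the value. The key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

# Constructed key held only by the WAF; the browser never sees it
WAF_KEY = b"constructed-demo-key"

def sign_value(name: str, value: str) -> str:
    """Append an HMAC tag so the client cannot alter the value unnoticed."""
    mac = hmac.new(WAF_KEY, f"{name}={value}".encode(), hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac).decode().rstrip("=")
    return f"{value}.{tag}"

def verify_value(name: str, signed: str) -> Optional[str]:
    """Return the original value if the tag is valid, otherwise None."""
    value, sep, _tag = signed.rpartition(".")
    if not sep:
        return None
    if hmac.compare_digest(sign_value(name, value), signed):
        return value
    return None

def protect_set_cookie(set_cookie: str) -> str:
    """Outbound: 'name=value; attrs' becomes 'name=value.tag; attrs'."""
    pair, sep, attrs = set_cookie.partition(";")
    name, _, value = pair.strip().partition("=")
    return f"{name}={sign_value(name, value)}{sep}{attrs}"

def check_cookie_header(cookie: str) -> Optional[Dict[str, str]]:
    """Inbound: verify every cookie; one tampered cookie rejects the request."""
    result = {}
    for item in cookie.split(";"):
        name, _, signed = item.strip().partition("=")
        value = verify_value(name, signed)
        if value is None:
            return None
        result[name] = value
    return result

if __name__ == "__main__":
    # Constructed round trip: server sets a cookie, browser returns it
    outbound = protect_set_cookie("session=abc123; Path=/; HttpOnly")
    print(outbound)
    print(check_cookie_header(outbound.split(";")[0]))  # {'session': 'abc123'}
    print(check_cookie_header("session=abc123"))        # None: tag missing
```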
WAF Vendor Provided Technologies / Features
- Out-of-box rulesets for OWASP Top 10, PCI-DSS compliance etc.
- Application Profiling / Learning
- Defect Detection
- Cloaking
Out-of-box Rulesets
Some WAF vendors provide pre-packaged rulesets like:
- PCI DSS: security rules for complying with the PCI DSS standards
- OWASP Top 10: protects applications from the top 10 vulnerabilities as published by OWASP
Application Profiling / Learning
- An application profiling system automatically builds a customized, positive security model for each application to understand its acceptable behaviour
- The system maps all levels of application behaviour
- It learns of any changes made to the application and adjusts the profile
Defect Detection
A WAF may be able to detect application security defects like:
- Improper request handling
- Missing hyperlinks
- Missing images
Cloaking
- Web servers and applications often leak a lot of information by means of error messages
- Cloaking prevents this kind of information leakage by:
  - Translating URLs
  - Re-writing HTTP headers
  - Concealing error messages
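The three cloaking steps above applied to an outbound response, as an added example (not code from the presentation or from any WAF product): version-bearing headers are dropped and a generic Server header substituted, internal URLs are translated to their external names in the Location header and body, and a verbose error page is replaced by a generic one while the withheld original is returned so the WAF can log it. The header values, error text and URL map are constructed.

```python
import re

# Response headers that reveal the server software stack (names only)
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
# Text that typically marks a verbose error page (paths, queries, stack traces)
ERROR_MARKERS = re.compile(r"Traceback|Stack trace|SQLSTATE|Fatal error|on line \d+", re.I)
GENERIC_ERROR = "<html><body>An error occurred. Please try again later.</body></html>"

def cloak_response(status, headers, body, url_map):
    """Return (status, headers, body, leaked); leaked is the withheld original
    body the WAF would log for administrators, or None if nothing was hidden."""
    # 1. Re-write HTTP headers: drop version-bearing ones, present a generic Server
    out = {k: v for k, v in headers.items() if k.lower() not in LEAKY_HEADERS}
    out["Server"] = "web"
    # 2. Translate URLs: internal paths appear under their external names
    for internal, external in url_map.items():
        if "Location" in out:
            out["Location"] = out["Location"].replace(internal, external)
        body = body.replace(internal, external)
    # 3. Conceal error messages: any verbose error becomes a generic page,
    #    and a 200 that carried an error dump is reported as a 500
    leaked = None
    if status >= 500 or ERROR_MARKERS.search(body):
        leaked, body, status = body, GENERIC_ERROR, max(status, 500)
    out["Content-Length"] = str(len(body))
    return status, out, body, leaked

# Constructed responses from a hypothetical backend (versions and paths invented)
LEAKY = (200,
         {"Server": "Apache/2.2.3 (Unix)", "X-Powered-By": "PHP/5.1.6",
          "Content-Type": "text/html"},
         "<b>Fatal error</b>: Call to undefined function in /var/www/app/db.php on line 12",
         {})
REDIRECT = (302,
            {"Server": "Apache/2.2.3 (Unix)", "Location": "/internal/app/login.php"},
            "",
            {"/internal/app/login.php": "/login"})

if __name__ == "__main__":
    for resp in (LEAKY, REDIRECT):
        status, hdrs, body, leaked = cloak_response(*resp)
        print(status, hdrs, body[:40], "withheld:", leaked is not None)
```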
DEMO
The following concerns will be addressed:
- Buffer Overflows
- Cross-Site Scripting
- SQL Injection
- Other Injections
- Information Leakage
- Directory Traversal
- Protocol Violations
Questions
Kishin Fatnani
Email: kishin@ksecure.net
Blog: kishinf.blogspot.com
Training enquiry: info@ksecure.net