Web Application Security With AppWall

Published on June 2016 | Categories: Types, Presentations | Downloads: 30 | Comments: 0 | Views: 238

Web Applications Security Overview and Radware AppWall Solution
White Paper

November 2008

Table of Contents

1. Preface ................................................................. 3
   1.1. General ............................................................ 3
   1.2. Target Audience .................................................... 3
2. Introduction to Web Applications Security ................................ 4
   2.1. Web Applications Security Overview ................................. 4
   2.2. HTTP: The Internet Protocol ........................................ 4
        2.2.1. Background on HTTP .......................................... 4
        2.2.2. HTTP Methods ................................................ 5
   2.3. Security Issues, Hackers and Threats ............................... 6
        2.3.1. OWASP Top Ten Vulnerabilities Classification ................ 6
        2.3.2. WASC Web Security Attack Classification ..................... 8
        2.3.3. Unclassified Application-Layer Attack Types ................. 9
3. Complete Threat Protection with AppWall ................................. 11

Web Applications Security Overview and Radware AppWall Solution | White Paper | Page 2

1. Preface
1.1. General
Enabling organizational processes and applications for the Internet is a critical
requirement in today's business landscape. As a result, strong network level protection
against attacks, such as firewalls and intrusion detection systems, is mandatory in all
enterprise Web Application environments, as such threats impose real risk and high costs.
However, hacking techniques are now designed to legitimately access a Web Application
and attack back-end systems using transactions that appear to be normal. These well-
publicized Web "application level" attack techniques cannot be detected by network
firewalls and intrusion detection systems. Web Application attacks pass through
unchecked, enabling access to sensitive information and systems. In addition, since this
entire activity looks like perfectly legitimate Internet traffic, the network security team is
completely unaware of these attacks unless someone happens to notice their effects.
This paper provides an overview of Web Application Security and discusses the following
topics:

   • Introduction to Web Application Security - describes Web Application security,
     including an overview of HTTP and its related security issues, hackers and threats
     currently at play in the Web Application industry and more

   • Complete Threat Protection with Radware AppWall - discusses the various
     protection techniques provided by AppWall

1.2. Target Audience
This paper is intended for IT professionals who are responsible for the implementation of
a Web Application's security policy in their organization. This guide takes the reader
from the basic initial steps of working with AppWall through to more advanced AppWall
configurations, depending on the reader's requirements.
It is assumed that readers of this guide are familiar with many of the concepts and terms
used throughout the Web Application Security industry.


2. Introduction to Web Applications Security
2.1. Web Applications Security Overview
We at Radware refer to Web Application Security as making use of software and hardware
to protect Web Applications from internal and external threats.
As the tools and technology approaches used to create Web Applications rapidly change,
developers tend to spend more time in implementing these tools and technologies, and
less time implementing security in the application. An application that has been
developed with security in mind minimizes holes and backdoors to the application. These
holes and backdoors leave the application vulnerable to potential hackers.
Security is becoming an increasingly important concern during development as
applications become more frequently accessible over networks and are, as a result,
vulnerable to a wide variety of application-layer threats.
Hacking or attacking Web Applications is a security domain which has no limits as to the
number of methods and techniques that can be used to gain illegal access, manipulate
information, or cause damage to an enterprise. As these methods and techniques
develop, it is our aim to develop means and techniques through advanced technology to
prevent harm to an application.
The following sections provide in-depth information about HTTP, the main protocol used to
deliver files and data across the Internet, as well as information on the known threats,
vulnerabilities and attack types as they are classified today by Security authorities such as
the FBI, SANS (SysAdmin, Audit, Network, Security) Institute, WASC (Web Application
Security Consortium) and OWASP (Open Web Application Security Project).

2.2. HTTP: The Internet Protocol
Hypertext Transfer Protocol (HTTP) is perhaps the most significant protocol used on the
Internet today. Web services, network-enabled appliances and the growth of network
computing continue to expand the role of the HTTP protocol beyond user-driven Web
browsers, while increasing the number of applications that require HTTP support.
2.2.1. Background on HTTP

HTTP is the network protocol used to deliver virtually all files and other data
(collectively referred to as 'resources') on the World Wide Web, including HTML files,
image files, query results, or data in any other format.
A browser, known as an HTTP client, sends requests to an HTTP server (Web server),
which then sends responses back to the client. HTTP usually takes place over TCP
connections, usually using port 80, though this can be overridden so that another port is
used.
After a successful connection, the client transmits a request message to the server, which
sends a reply message back. The simplest HTTP message is "GET <URL>", to which the
server replies by sending the named document. If the document does not exist, the server
will send an HTML-encoded message stating that.
HTTP is used to transmit resources, not just files. A resource is a chunk of information
that can be identified by a Uniform Resource Locator (URL - resources are the R in URL).
The most common type of resource is a file, but a resource may also be a dynamically
generated query result, the output of a CGI script, the output of PHP or any other
dynamic Web scripting language, Java servlets, a document that is available in several
languages, or something else.
2.2.2. HTTP Methods

HTTP defines eight methods (sometimes referred to as "verbs"), indicating the desired
action to be performed on the identified resource, as follows:

   • HEAD: Asks for a response identical to the one that would correspond to a GET
     request, but without the response body. This is useful for retrieving
     meta-information written in response headers, without having to transport the
     entire content.

   • GET: Requests a representation of the specified resource. This method is by far
     the most common method used on the Web today. GET should not be used for
     operations that cause side-effects (using it for actions in Web Applications is a
     common misuse).

   • POST: Submits data to be processed (for example, from an HTML form) to the
     identified resource. The data is included in the body of the request. This may
     result in the creation of a new resource or the update of existing resources, or
     both.

   • PUT: Uploads a representation of the specified resource.

   • DELETE: Deletes the specified resource.

   • TRACE: Echoes back the received request, so that a client can see what
     intermediate servers are adding to or changing in the request.

   • OPTIONS: Returns the HTTP methods that the server supports for the specified
     Uniform Resource Identifier (URI). This can be used to check the functionality of
     a Web server by requesting '*' instead of a specific resource.

   • CONNECT: Converts the request connection to a transparent TCP/IP tunnel, usually
     to facilitate SSL-encrypted communication (HTTPS) through an unencrypted HTTP
     proxy.
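The methods above are what an inbound filter compares a request line against. The following is an added example written for this section, not code from the paper or from Radware AppWall: a small parser for the request framing described in 2.2.1 (request line, header lines, blank line, body) and an allow-list check of the kind the paper's HTTP Methods Security Filter performs in section 3, answering anything outside the list with a 405 reply that carries an Allow header. The names parse_request, check_method and filter_request, the ALLOWED_METHODS policy and the sample traffic are all assumptions constructed for the example.

```python
"""HTTP request parsing with a method allow-list.

Added example for this section; it is not code from the paper or from Radware
AppWall. All names here (parse_request, check_method, filter_request,
ALLOWED_METHODS) are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# The eight methods the paper lists. HTTP treats the method set as extensible,
# so the filter compares against an explicit allow-list rather than this set.
HTTP_METHODS = {"HEAD", "GET", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "CONNECT"}

# Assumed policy for an ordinary browsing-and-forms application. TRACE is left
# out because it echoes the request, cookies included, back to the client.
ALLOWED_METHODS: Set[str] = {"GET", "HEAD", "POST"}


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


class MalformedRequest(ValueError):
    """Raised when the request lacks the request-line / headers / body framing."""


def parse_request(raw: bytes) -> Request:
    """Split a raw request into method, target, version, headers and body.

    Only the framing the paper describes is handled: a request line, header
    lines, an empty line, then the body. Anything else is rejected rather than
    guessed at; a filter that guesses can end up seeing a different request
    than the server behind it.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise MalformedRequest("missing end of headers")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise MalformedRequest("bad request line: %r" % lines[0])
    method, target, version = (p.decode("ascii") for p in parts)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise MalformedRequest("bad header line: %r" % line)
        # Header names are case-insensitive; values are kept as sent.
        headers[name.decode("ascii").strip().lower()] = value.decode("latin-1").strip()
    return Request(method, target, version, headers, body)


def check_method(req: Request, allowed: Set[str] = ALLOWED_METHODS) -> Optional[bytes]:
    """Return None when the method is allowed, else the 405 reply to send instead.

    Methods are case-sensitive tokens, so 'get' is not 'GET' and is rejected too.
    """
    if req.method in allowed:
        return None
    allow = ", ".join(sorted(allowed))
    reply = "HTTP/1.1 405 Method Not Allowed\r\nAllow: %s\r\nContent-Length: 0\r\n\r\n" % allow
    return reply.encode("ascii")


def filter_request(raw: bytes, allowed: Set[str] = ALLOWED_METHODS) -> str:
    """Outcome a filter would log: 'pass', 'blocked:<method>' or 'malformed'."""
    try:
        req = parse_request(raw)
    except (MalformedRequest, UnicodeDecodeError):
        return "malformed"
    return "pass" if check_method(req, allowed) is None else "blocked:" + req.method


# Constructed sample traffic; not captured from any real system.
SAMPLE_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_TRACE = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\nCookie: sid=abc\r\n\r\n"
SAMPLE_BAD = b"GET /index.html\r\n\r\n"  # request line without an HTTP version

if __name__ == "__main__":
    for raw in (SAMPLE_GET, SAMPLE_TRACE, SAMPLE_BAD):
        print(raw.split(b"\r\n")[0].decode("latin-1"), "->", filter_request(raw))
```

The allow-list is deliberately the smallest set the assumed application needs; widening it (for example adding PUT and DELETE for a REST back end) is a policy decision per application path, which is also how the paper describes AppWall's filters being configured.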


2.3. Security Issues, Hackers and Threats
This section describes the various security issues, hackers and threats that are regularly
monitored by industry communities such as OWASP and WASC, who produce widely
agreed upon best-practice security standards for the World Wide Web.
2.3.1. OWASP Top Ten Vulnerabilities Classification

The following provides a description of the OWASP Top Ten:
“The OWASP Top Ten provides a minimum standard for Web Application security. The
OWASP Top Ten represents a broad consensus about what the most critical Web
Application security flaws are. Project members include a variety of security experts from
around the world who have shared their expertise to produce this list. OWASP urge all
companies to adopt the standard within their organization and start the process of
ensuring that their Web Applications do not contain these flaws. Adopting the OWASP Top
Ten is perhaps the most effective first step towards changing the software development
culture within your organization into one that produces secure code.”
There may be many reasons why your Web Application may be vulnerable to one or more
of the OWASP Top Ten Security flaws. For example:

   • The Web Application in use by your enterprise may have been created using
     different types of technologies and software platforms.

   • The development personnel in your enterprise might not have had security in mind
     while developing the Web Application or may have left backdoors to the
     application for maintenance. Furthermore, it is common that the development
     personnel have changed jobs or have failed to document the application
     structure.

Important note: Your application is not susceptible to attack if it is not vulnerable.
Maintaining the application constantly and keeping up-to-date with vulnerability
information and fixing potential risks in the application must be considered a priority and
not an unpleasant task.
The following table summarizes the Top Ten vulnerabilities in Web Application security as
classified by OWASP:


Vulnerability Class / Summary Description

A1 - Cross Site Scripting (XSS)
    The Web Application can be used as a mechanism to transport an attack to an end
    user's browser. A successful attack can disclose the end user's session token,
    attack the local machine, or spoof content to fool the user.

A2 - Injection Flaws
    Web Applications pass parameters when they access external systems or the local
    operating system. If an attacker can embed malicious commands in these
    parameters, the external system may execute those commands on behalf of the Web
    Application.

A3 - Malicious File Execution
    Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile
    code and data, resulting in devastating attacks, such as total server compromise.
    Malicious file execution attacks affect PHP, XML and any framework which accepts
    filenames or files from users.

A4 - Insecure Direct Object Reference
    A direct object reference occurs when a developer exposes a reference to an
    internal implementation object, such as a file, directory, database record, or
    key, as a URL or form parameter. Attackers can manipulate those references to
    access other objects without authorization.

A5 - Cross Site Request Forgery (CSRF)
    A CSRF attack forces a logged-on user's browser to send a pre-authenticated
    request to a vulnerable Web Application, which then forces the user's browser to
    perform a hostile action to the benefit of the attacker. CSRF can be as powerful
    as the Web Application that it attacks.

A6 - Information Leakage and Improper Error Handling
    Applications can unintentionally leak information about their configuration,
    internal workings, or violate privacy through a variety of application problems.
    Attackers use this weakness to steal sensitive data, or conduct more serious
    attacks.

A7 - Broken Authentication and Session Management
    Account credentials and session tokens are often not properly protected.
    Attackers compromise passwords, keys, or authentication tokens to assume other
    users' identities.

A8 - Insecure Cryptographic Storage
    Web Applications frequently use cryptographic functions to protect information
    and credentials. These functions and the code to integrate them have proven
    difficult to code properly, frequently resulting in weak protection.

A9 - Insecure Communications
    Applications frequently fail to encrypt network traffic when it is necessary to
    protect sensitive communications.

A10 - Failure to Restrict URL Access
    Applications frequently only protect sensitive functionality by preventing the
    display of links or URLs to unauthorized users. Attackers can use this weakness
    to access and perform unauthorized operations by accessing those URLs directly.
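The A5 entry describes the mechanism (the browser attaches the session cookie to a request the user never intended), but not the server-side check that defeats it. The following is an added example, not code from the paper or from Radware: a synchronizer-token defence in which a state-changing endpoint accepts only POST, requires the request's Origin or Referer to be the site's own, and then requires a token bound to the session with an HMAC that a cross-site page cannot read. The names issue_token, token_is_valid, handle_transfer and the request dictionary layout are hypothetical, bank.example and evil.example are placeholder hosts, and the request samples are constructed.

```python
"""Synchronizer-token defence against CSRF (OWASP A5 in the table above).

Added example; not from the paper or from Radware. issue_token,
token_is_valid, handle_transfer and the request dict layout are hypothetical,
and bank.example is a placeholder origin.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "bank.example"            # assumed origin of the protected application
SERVER_KEY = secrets.token_bytes(32)  # per-deployment key, generated at start-up


def issue_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Token bound to one session: a nonce plus an HMAC over nonce and session id.

    The server stores nothing per token; validity is recomputed from the key.
    A forged cross-site request carries the session cookie automatically but
    cannot read this value, which is what makes the check meaningful.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, (nonce + "|" + session_id).encode(), hashlib.sha256).hexdigest()
    return nonce + "." + mac


def token_is_valid(session_id: str, token: str, key: bytes = SERVER_KEY) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep or len(nonce) != 32:
        return False
    expected = hmac.new(key, (nonce + "|" + session_id).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def same_site(origin: str) -> bool:
    parts = urlsplit(origin)
    return parts.scheme == "https" and parts.hostname == SITE_HOST


def handle_transfer(request: dict) -> str:
    """State-changing endpoint. `request` is a constructed dict with the keys
    method, cookies, headers (lower-cased names) and form. Returns the status
    line the application would answer with.
    """
    if request["method"] != "POST":  # GET must not carry side effects
        return "405 method not allowed"
    session_id = request["cookies"].get("sid")
    if not session_id:
        return "401 no session"
    # First check: a browser-supplied Origin (or Referer) must be our own site.
    origin = request["headers"].get("origin") or request["headers"].get("referer")
    if origin and not same_site(origin):
        return "403 cross-site origin"
    # Second, independent check: the token only a same-site page could have read.
    if not token_is_valid(session_id, request["form"].get("csrf_token", "")):
        return "403 missing or invalid csrf token"
    return "200 transferred %s to %s" % (request["form"]["amount"], request["form"]["to"])


def simulate() -> dict:
    """Run one legitimate request and three forgeries through the endpoint."""
    sid = "session-1234"
    tok = issue_token(sid)
    legit = {"method": "POST", "cookies": {"sid": sid},
             "headers": {"origin": "https://bank.example"},
             "form": {"csrf_token": tok, "amount": "10", "to": "alice"}}
    # The attacker's page submits a form: the cookie rides along, the token does not.
    forged = dict(legit, headers={"origin": "https://evil.example"},
                  form={"amount": "10000", "to": "mallory"})
    # Origin stripped (older browser, privacy proxy): the token check still holds.
    forged_no_origin = dict(forged, headers={})
    # A token from the attacker's own session, replayed against the victim's.
    forged_other_token = dict(forged_no_origin,
                              form={"csrf_token": issue_token("attacker-session"),
                                    "amount": "10000", "to": "mallory"})
    return {
        "legit": handle_transfer(legit),
        "forged": handle_transfer(forged),
        "forged_no_origin": handle_transfer(forged_no_origin),
        "forged_other_token": handle_transfer(forged_other_token),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print("%-20s %s" % (name, result))
```

The two checks are independent on purpose: the origin check is cheap and catches the common case, while the token check does not depend on the browser sending any header at all.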

2.3.2. WASC Web Security Attack Classification

The Web Security Threat Classification is a cooperative effort to clarify and organize the
threats for the security of a Web site. The members of the Web Application Security
Consortium (WASC) have created this project to develop and promote industry standard
terminology for describing these issues. Application developers, security professionals,
software vendors, and compliance auditors will have the ability to access a consistent
language for web security related issues.
The WASC Threat Classification is broken down into the following main classes:

1) Authentication – Authentication threats include attacks against validation methods
   used by Web Applications to validate users, services or applications. The threats that
   target the authentication process of Web Applications include the following:
   • Brute Force Attacks
   • Insufficient Authentication
   • Weak Password Recovery Validation

2) Authorization – Authorization threats include attacks against the methods used by
   the Web Application to determine whether the user, service or application has the
   required permissions to perform actions. Potential hackers may attempt to
   manipulate the Web Application to gain privileges to restricted areas and to perform
   illegal actions. These threats include the following:
   • Credential/Session Prediction
   • Insufficient Authorization
   • Insufficient Session Expiration
   • Session Fixation

3) Client-Side Attacks – Client-side attacks cover a wide range of Web Application
   manipulation and abuse. A potential hacker may attempt to utilize the technology
   employed when a user connects to a Web Application to attack the user. These
   threats include:
   • Content Spoofing
   • Cross-site Scripting

4) Command Execution – These threats involve attacks designed to execute remote
   commands on the Web Application. These attacks are generally aimed at user
   supplied information, which is used to create commands that result in dynamic web
   content. With the process left insecure, an attacker could manipulate the command
   execution. These threats include:
   • Buffer Overflow
   • Format String Attack
   • LDAP Injection
   • OS Commanding
   • SQL Injection
   • SSI Injection
   • XPath Injection

5) Information Disclosure – Information Disclosure threats cover attacks designed to
   obtain Web Application specific system information. This information usually includes
   software distribution, version numbers, patch level, etc. The information may also
   include names and location of temp files, backup files and others. This information
   may be gathered and used by a potential hacker in order to locate and exploit a
   backdoor or unprotected access point to the Web Application. These threats include:
   • Directory Indexing
   • Information Leakage
   • Path Traversal
   • Predictable Resource Location

6) Logical Attacks – Logical Attack threats focus on the possible exploitation of Web
   Application logic flow by a potential hacker. Application logic is a term that describes
   the procedure used by the application to perform a specific action, for example
   account registration, recovering passwords, online purchases, etc. A hacker may
   bypass a specific process required by the application and hence find a way to damage
   users or the application. These threats include:
   • Abuse of Functionality
   • Denial of Service
   • Insufficient Anti-Automation
   • Insufficient Process Validation

2.3.3. Unclassified Application-Layer Attack Types
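The first WASC class above lists Brute Force Attacks, and section 3 of this paper describes a Brute Force Security Filter that stops remote users from guessing a username and password. The following is an added example of the throttling logic such a control needs, not code from the paper or from Radware AppWall: sliding-window counters of failed logins keyed on the account and, separately, on the request source, so that both a single account being hammered and a single source trying one password across many accounts (credential stuffing) are caught. LoginThrottle, its limits and the event streams in simulate() are all assumptions constructed for the example.

```python
"""Failed-login throttling against brute force and credential stuffing.

Added example for the Authentication class above (and the paper's Brute Force
Security Filter); it is not from the paper or from Radware. LoginThrottle and
its limits are hypothetical.
"""
from collections import defaultdict, deque
import time

WINDOW_SECONDS = 300          # assumed sliding window
MAX_FAILURES_PER_ACCOUNT = 5  # assumed per-account limit (classic brute force)
MAX_FAILURES_PER_SOURCE = 20  # assumed per-source limit (one address, many accounts)


class LoginThrottle:
    """Sliding-window counters keyed on the account and on the request source.

    Two keys are needed: a per-account limit alone does nothing against a
    source that tries one password on each of thousands of accounts, and a
    per-source limit alone does nothing against an attacker spread over many
    addresses aiming at one account.
    """

    def __init__(self, window=WINDOW_SECONDS, per_account=MAX_FAILURES_PER_ACCOUNT,
                 per_source=MAX_FAILURES_PER_SOURCE):
        self.window = window
        self.per_account = per_account
        self.per_source = per_source
        self._by_account = defaultdict(deque)
        self._by_source = defaultdict(deque)

    def _recent(self, q: deque, now: float) -> int:
        while q and now - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        return len(q)

    def blocked_by(self, account: str, source: str, now: float):
        if self._recent(self._by_account[account], now) >= self.per_account:
            return "account"
        if self._recent(self._by_source[source], now) >= self.per_source:
            return "source"
        return None

    def attempt(self, account: str, source: str, password_ok: bool, now=None) -> str:
        """Outcome the login handler acts on: 'ok', 'fail', or 'blocked:<why>'.

        A blocked attempt is refused before the password is checked, so a
        correct guess inside the lockout is not rewarded. The message sent to
        the client should be the same for 'fail' and 'blocked' so the counter
        does not reveal whether the account exists.
        """
        now = time.time() if now is None else now
        why = self.blocked_by(account, source, now)
        if why:
            return "blocked:" + why
        if password_ok:
            self._by_account.pop(account, None)  # a real login clears the account counter
            return "ok"                           # (the source counter is kept)
        self._by_account[account].append(now)
        self._by_source[source].append(now)
        return "fail"


def simulate() -> dict:
    """Constructed event streams; timestamps are seconds, sources are placeholders."""
    t = LoginThrottle()
    brute = [t.attempt("alice", "10.0.0.1", False, now=i) for i in range(5)]
    brute.append(t.attempt("alice", "10.0.0.1", True, now=5))    # right password, still locked
    brute.append(t.attempt("alice", "10.0.0.1", True, now=400))  # window has expired
    stuffing = [t.attempt("user%d" % i, "10.0.0.2", False, now=0) for i in range(20)]
    stuffing.append(t.attempt("user20", "10.0.0.2", True, now=1))  # 21st account, same source
    return {"brute_force": brute, "credential_stuffing": stuffing}


if __name__ == "__main__":
    for name, outcomes in simulate().items():
        print(name, outcomes)
```

In a deployment the source key would usually be the client address as seen after any trusted proxy, and the counters would live in shared storage so that all front ends see the same window.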

The following table highlights attack forms that are not classified by any particular
organization, yet they exist. These attack forms may appear as part of any of the above
classifications, or may be a result of a different class completely.


Forms of Attack / Brief Description

Parameters Tampering
    Manipulating elements in the URL sent to a Web site in order to gain illegal access
    or unauthorized information. By manipulating the parameters in the request, a
    potential hacker can then navigate and modify its contents.

Cookie Poisoning
    Changes the content of cookies from what was originally set by the application and
    can forge a cookie with stolen information.

Database Sabotage
    Injects various SQL commands to input fields or messages that affect the regular
    operation of the database.

Web Services Manipulation
    Exploiting vulnerabilities inherent in Web Services formats, structure, and
    operations as well as dictionary and encoding manipulations.

Stealth Commanding
    Smuggles command-statements in text fields that will be executed within a given
    layer of the infrastructure.

Debug Options
    Exploits vulnerabilities left open in internally developed code by using debug
    constructs.

Backdoor
    Uses the privileged/un-referenced access that applications may provide. These are
    points of access to the Web Application that were not intended to be discovered by
    un-trusted users. Some backdoors were intended only to be used during the
    application development stage but were never removed when the application was
    deployed.

Manipulation of IT Infrastructure Vulnerabilities
    Exploits vulnerabilities in an integrated Internet environment, such as known
    patterns and common files and folders.

3rd-Party Misconfiguration
    Exploits configuration errors in third-party components, such as Web and database
    servers.

Buffer Overflow Attacks
    Sends large request messages to the application, attacking either third party or
    internally developed code.

Data Encoding
    Sends requests using different data encoding standards such as Unicode, UTF-8, and
    UTF-16. Targets variations in data encoding to pass and execute commands within
    specific layers of the operating environment.

Protocol Piggyback
    Modifies the application protocol structure to include nested commands. Targets
    variations in protocols to pass and execute commands within specific layers of the
    operating environment.

Cross-Site Scripting (XSS)
    Attacks the end user's browser to reveal the end user's session token, attack the
    local machine or spoof content.
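The Data Encoding entry is the reason parameter inspection has to normalize before it matches: a rule that looks for a quote character never sees one if the request carries it double-percent-encoded or as a fullwidth Unicode look-alike. The following is an added example, not code from the paper or from Radware AppWall, covering the Parameters Tampering, Database Sabotage and Data Encoding entries above and the Database Security Filter described in section 3: each parameter value is repeatedly percent-decoded, NFKC-folded and lower-cased, and only then run against a few structural SQL and path-traversal patterns. normalize, RULES, inspect_params and the sample query strings are assumptions constructed for the example; a production rule set is far larger and is tuned per application.

```python
"""Normalizing request parameters before inspecting them.

Added example for the Data Encoding, Parameters Tampering and Database Sabotage
entries above (and the paper's Database Security Filter); not from the paper
or from Radware. normalize, RULES and inspect_params are hypothetical, and the
rules are deliberately few: a real filter carries far more and tunes them.
"""
import re
import unicodedata
from urllib.parse import parse_qs, unquote

MAX_DECODE_ROUNDS = 3  # assumed; bounds the cost of repeated %-decoding


def normalize(value: str) -> str:
    """Undo the encodings an attacker can layer on a parameter before matching.

    1. Repeated percent-decoding defeats double encoding (%2527 -> %27 -> ').
    2. NFKC folding maps compatibility characters such as the fullwidth
       apostrophe (U+FF07) onto the ASCII character the database would see.
    3. Lower-casing lets the rules ignore case.
    """
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return unicodedata.normalize("NFKC", value).lower()


# Each rule runs on the normalized value. Patterns anchor on SQL structure
# (a quote followed by OR ... = ..., UNION SELECT, a stacked statement) rather
# than on bare keywords, so prose containing 'union' or 'select' passes.
RULES = [
    ("sql-tautology",    re.compile(r"'\s*or\s+\S+\s*=\s*\S+")),
    ("sql-union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b")),
    ("sql-stacked",      re.compile(r";\s*(drop|delete|insert|update)\b")),
    ("path-traversal",   re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
]


def inspect_params(query: str) -> dict:
    """Return {parameter: [rule names]} for every parameter value that matched.

    parse_qs performs the first percent-decoding pass and turns '+' into a
    space; normalize() handles any further layers.
    """
    findings = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            norm = normalize(value)
            hits = [rule for rule, rx in RULES if rx.search(norm)]
            if hits:
                findings.setdefault(name, []).extend(hits)
    return findings


# Constructed query strings; none is taken from real traffic.
SAMPLES = {
    "clean":           "id=42&page=2",
    "single-encoded":  "id=42%27%20OR%201%3D1",
    "double-encoded":  "id=42%2527%2520or%25201%253d1",
    "fullwidth-quote": "id=1%EF%BC%87%20or%201%3D1",
    "union":           "q=cat%20union%20all%20select%20password%20from%20users",
    "stacked":         "name=bob%27%3B%20DROP%20TABLE%20users--",
    "traversal":       "file=..%2F..%2Fetc%2Fpasswd",
    "prose":           "comment=I+like+the+union+of+selective+features",
}


def scan_samples() -> dict:
    return {label: inspect_params(q) for label, q in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in scan_samples().items():
        print("%-16s %s" % (label, result or "clean"))
```

The decode loop is bounded and stops as soon as a pass changes nothing, so a legitimate value that happens to contain a literal percent sign is not mangled and a request cannot make the filter spin; the "prose" sample shows why the patterns key on structure rather than on keywords alone.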


3. Complete Threat Protection with AppWall
This section describes the protection techniques AppWall provides (Security Filters)
against the threats/attacks described in the previous sections.
Filter Name / Filter Description / Threats Protected Against

Parameters Security Filter
    Description: This filter evaluates parameters sent in requests against a configured
    list of allowed (or not allowed) parameters configured for pre-defined rules or range.
    Threats protected against: Parameters Tampering; Unvalidated Input; Buffer Overflow;
    Data Encoding

Global Parameters Security Filter
    Description: This filter evaluates request parameter values by applying specified
    patterns, including regular expressions, to qualifying parameters.
    Threats protected against: Parameters Tampering; Unvalidated Input; Buffer Overflow;
    Data Encoding

XML Security Filter
    Description: This filter parses and evaluates the XML body structure of requests as
    well as values encapsulated within the XML tags. Parameter names are created using
    the full hierarchy of nested tags containing each value. The created parameters are
    evaluated by subsequent parameter-related Security Filters as defined on the
    Application Path level.
    Threats protected against: Unvalidated Input; Buffer Overflow; Parameters Tampering

Web Services Security Filter
    Description: This filter evaluates Web Service requests and generates an event when
    the request violates valid WSDL operations. Valid operations can be determined by
    import and examination of the WSDL file.
    Threats protected against: Unvalidated Input; Buffer Overflow; Parameters Tampering;
    Web Services Manipulation

Session Security Filter
    Description: This filter prevents remote users from modifying the application
    parameter values stored in HTML forms, and from manipulating Session state
    information and submitting it to the Web Application. The Session Security Filter
    also protects Cookies, Path, Query, and Form parameters.
    Threats protected against: Broken Access Control; Broken Authentication and Session
    Management; Insecure Storage; Authorization; Cookie Poisoning

Allow List Security Filter
    Description: This filter evaluates requests based on a configured list of valid page
    and method requests. Based on the evaluation it generates an event for any request
    not conforming to a configured list of valid requests, or stops the request.
    Threats protected against: Broken Access Control; Insecure Configuration Management;
    Logical Attacks; 3rd Party Misconfiguration

Path Blocking Security Filter
    Description: This filter evaluates requests to access files and folders on the
    application based on a configured list of relative or specific URLs and generates an
    event when the request does not match the specified URLs.
    Threats protected against: Broken Access Control; Insecure Configuration Management;
    Logical Attacks

Brute Force Security Filter
    Description: This filter prevents remote users from attempting to guess the username
    and password of an authorized user.
    Threats protected against: Authentication and Session Management; Authentication

Database Security Filter
    Description: This filter evaluates request parameters for harmful SQL command syntax,
    command shell attacks, and cross-site scripting. It generates an event when the
    request does not match those specified in a configured parameters list, or stops the
    request completely.
    Threats protected against: Cross Site Scripting (XSS); Injection Flaws; Client-Side
    Attacks; Command Execution; Database Sabotage; Stealth Commanding; Backdoor

Vulnerabilities Security Filter
    Description: This filter checks requests for known vulnerability patterns based on a
    deterministic set of rules and generates an event when a vulnerability pattern is
    detected. The user can also create custom patterns to generate events.
    Threats protected against: Cross Site Scripting (XSS); Injection Flaws; Client-Side
    Attacks; Command Execution; Logical Attacks; Stealth Commanding; Debug Options;
    Backdoor; Manipulation of IT Infrastructure Vulnerabilities

Safe Reply Security Filter
    Description: This filter evaluates outbound replies for the presence of sensitive
    information such as credit cards and Social Security numbers.
    Threats protected against: Improper Error Handling; Information Disclosure

Files Upload Security Filter *
    Description: This filter evaluates uploads and generates an event when the request
    does not conform to the configured specification for upload locations, file
    extensions, and file retrievals.

HTTP Methods Security Filter *
    Description: This filter evaluates HTTP request methods and generates an event when
    the request methods do not conform to the configured list of allowable methods.

Logging Security Filter *
    Description: This filter provides logging capabilities for both incoming and outgoing
    HTTP traffic and specifies log contents, location, size, and other properties.

* Although not protecting against specific threats previously mentioned in this chapter,
these filters add an extra dimension to the Enterprise security.
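Of the filters above, the Safe Reply Security Filter is the only one that inspects traffic leaving the application, and the practical difficulty it faces is telling a card number from the many other 13 to 19 digit strings a page legitimately carries. The following is an added example, not code from the paper or from Radware AppWall: outbound text is scanned for card-number-shaped digit runs, each candidate is confirmed with the Luhn check digit before it is masked, and US Social Security numbers are matched with the structurally impossible values excluded. luhn_ok, scan_reply and the regular expressions are hypothetical, and the sample reply is constructed (4111 1111 1111 1111 is a widely published test card number, not a real account).

```python
"""Outbound reply scanning for card numbers and US Social Security numbers.

Added example for the Safe Reply Security Filter row above; it is not from the
paper or from Radware. luhn_ok, scan_reply and the regular expressions are
hypothetical, and the sample reply is constructed (4111 1111 1111 1111 is a
well-known test card number, not a real account).
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
# SSN shape with the structurally impossible values (area 000/666/9xx,
# group 00, serial 0000) excluded to cut false positives.
SSN = re.compile(r"(?<![0-9])(?!000|666|9)[0-9]{3}-(?!00)[0-9]{2}-(?!0000)[0-9]{4}(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; rejects most order and ticket numbers that merely
    look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_reply(body: str):
    """Return (masked_body, findings); findings is a list of (kind, last4).

    Masking keeps the last four digits so the page stays usable and support
    staff can still identify the record.
    """
    findings = []

    def mask_card(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # fails Luhn: leave it, it is not a card number
        findings.append(("credit-card", digits[-4:]))
        return "*" * (len(digits) - 4) + digits[-4:]

    def mask_ssn(m):
        findings.append(("ssn", m.group(0)[-4:]))
        return "***-**-" + m.group(0)[-4:]

    body = CARD_CANDIDATE.sub(mask_card, body)
    body = SSN.sub(mask_ssn, body)
    return body, findings


# Constructed reply body. Line 1 holds a 16-digit order number that fails Luhn
# and must survive; line 2 a card number; line 3 a hyphenated ticket id.
SAMPLE_REPLY = (
    "Order 4111 1111 1111 1112 confirmed for customer 123-45-6789.\n"
    "Card on file: 4111 1111 1111 1111 (exp 12/29).\n"
    "Ticket 1234-5678-9012-3456 opened."
)

if __name__ == "__main__":
    masked, found = scan_reply(SAMPLE_REPLY)
    print(masked)
    print(found)
```

Whether a hit masks the value, blocks the whole reply or only raises an event is a policy choice; the findings list is what the event would carry, and deliberately holds only the last four digits so the log itself does not become a second copy of the data.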

For further information on working with AppWall Security Filters, please refer to the
Security Filters section of the AppWall Management Application online help.


Additional information is available on AppWall's page on the Radware Web site at
www.radware.com.

© 2008 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks
of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed
in the U.S.A.
