Configuring WebApp Secure to Protect Against Credential Attacks · 2014-09-22 · Application Note

APPLICATION NOTE

Copyright © 2014, Juniper Networks, Inc.

CONFIGURING WEBAPP SECURE TO PROTECT AGAINST CREDENTIAL ATTACKS

Protect your Web Applications from Brute Force Credential Attacks Using WebApp Secure and Intrusion Deception Technology


Table of Contents

Introduction

Scope

Design Considerations

Description and Deployment Scenario

Description

Prerequisites

Analyzing a “Failed” Login

Analyzing a “Successful” Login

Deployment and Configuration Scenario

Summary

About Juniper Networks


Introduction

Given the common reuse of login credentials across Web applications, your company’s Web applications face imminent risk of attack whenever usernames, e-mail addresses, and passwords are lost in a data breach. Attackers will take a large set of stolen credentials, distribute them to a botnet, and then use the botnet to launch automated attacks that attempt to find a small set of “valid credentials” for another Web application.

Juniper Networks® WebApp Secure can add a layer of protection for your Web applications with innovative Intrusion Deception™ technology. By default, WebApp Secure provides protection from credential attacks by breaking the automated attacks with a captcha and causing them to error out. But in these cases, the attacker will just try again. WebApp Secure detects the brute force credential attack, whether the attack originates from a distributed botnet or whether the attack is cycling through a list of usernames (trying each username only once, which is harder for most Web applications to detect). This application note takes the protection one step further by showing how WebApp Secure allows the automation to continue but deceives attackers, causing their attacks to be unsuccessful (all the stolen credentials will appear invalid). In these cases, attacks are completely unsuccessful and the attacker will not try again.

Scope

This document describes only one of the Intrusion Deception technologies used by WebApp Secure. The features covered include the WebApp Secure security processor called “Login Processor,” a preconfigured WebApp Secure counterresponse called “Break Authentication,” and a manually created “Auto Response.” The “Login Processor” needs to be configured so that WebApp Secure understands successful and failed login attempts, based on the customer’s Web application. The manually created “Auto Response” needs to be modified based on the customer environment and the frequency of attacks.

This document does not cover the ways that WebApp Secure can be deployed within each customer’s specific network.

Design Considerations

In order for the WebApp Secure Login Processor to be configured correctly, the security administrator must understand the customer’s Web applications and login process, and must be able to analyze each Web application’s HTTP response codes and headers. The response codes and headers will be used as part of the WebApp Secure configuration, which requires the settings for properties that make up a “failed login” and a “successful login.”

Hardware Requirements: All WebApp Secure form factors, including hardware and virtual machines

Software Requirements: Juniper Networks WebApp Secure version 5.0 or later

Description and Deployment Scenario

Description

Before configuring WebApp Secure to detect invalid login attempts and credential attacks, the security administrator must first use an HTTP debugger to analyze and compare the properties of a successful and failed login. For example, successful logins usually return a specific HTTP status code or HTTP header, while failed logins return a different code or header. The three high-level steps are:

1. Edit the “Login Processor” and create a “Protected Login Page.”

2. Under “Response Rules,” create a new “Autoresponse.”

3. Test the new Autoresponse.

Prerequisites

Before configuration of WebApp Secure, analysis must be performed that clearly details how the Web application responds to a failed login and a successful login. The example in Figure 1 shows one way to perform this analysis, using information that is displayed by an HTTP debugger called Live HTTP Headers, which is an add-on available for Firefox. Other HTTP debuggers that can be used include Charles Proxy, Fiddler, and Firebug. To view the debugging information, you need to enable the tool, then use the browser to unsuccessfully log into the Web application (on the left of Figure 1), then successfully log into the Web application (on the right of Figure 1).


Analyzing a “Failed” Login

Unsuccessful login:

1. Login URL: wp-login.php

2. Type of login: POST

3. Parameter for the “username”: log=

4. Parameter for the “password”: pwd=

5. Response code: 200 OK

Analyzing a “Successful” Login

Successful login:

1. Login URL: not shown, but same as before

2. Type of login: POST

3. Parameter for the “username”: log=

4. Parameter for the “password”: pwd=

5. Response code: 302 Moved Temporarily

Figure 1. Analyzing failed and successful logins

The information highlighted above is needed to configure WebApp Secure, and these steps are described in detail below.

Note: Your information may be different, depending on your Web application.

Deployment and Configuration Scenario

Log into the WebApp Secure graphical interface and perform the following:

1. Edit the “Login Processor” and create a “Protected Login Page.”

- Under the Configuration Panel, click on “Processors”


- Scroll down and find “Login Processor,” then click on “Edit Settings”

- Scroll down and find “PROTECTED LOGIN PAGES” and click “Add”

- Configure the login page as described below:

› Name: Enter a name for the login page, e.g., “WP-login”

› URL Pattern: Type “wp-login.php” (this could be different for your Web application)


- Configure information about the username and password fields. Set the following:

› Username Field Type: Select “POST Parameter”

› Username Field Name Pattern: Type “log”

› Username Field Value Pattern: Type “.*”

› Username Field Encoding: Select “Ascii”

› Password Field Type: Select “POST Parameter”

› Password Field Name Pattern: Type “pwd”

› Password Field Value Pattern: Type “.*”

› Password Field Encoding: Select “Ascii”


- Configure information describing a failed login and a successful login by setting the values below:

› Failure Pattern Target: Select “Status”

› Failure Pattern: Type “200”

› Failure Pattern Condition: Select “Failure On Match”

› Success Pattern Target: Select “Status”

› Success Pattern: Type “302”

› Success Pattern Condition: Select “Success On Match”

› Require Captcha After: Leave at “3”

› Click Save


2. Under “Response Rules,” create a new autoresponse.

- Under the Configuration Panel, click on “Response Rules”

- In the “Autoresponse” screen, click on “Add Autoresponse”

- In the Basic tab, do the following:

› In the name field, type “Break Authentication”

› In the description field, type: “Triggers when a brute force credential attack is detected. The autoresponse will deceive the attacker into thinking all their stolen credentials are invalid, even if there is a valid set.”

› Check the “Enabled” checkbox

› Uncheck the “Safe mode” checkbox

› Click Save


- In the Code tab, do the following:

› Paste the following code:

    if ( profile.getIncidentTypes("isCode('23008') && isCount('>=','1')").length > 0
         && profile.getSessions("isRequestCount('>','50')").length > 0
         && profile.getResponses("isCode('BA') && isActive()").length == 0 ) // Make sure we did not trigger Break Authentication.
    {
        mykonos.activateResponseCfg("BA", "<config message='Stop the Credential Attack!' />");
        console.log('data');
    }

› Note: If you want to be less aggressive, change the comparison checks listed below:

• isCount(‘>=’,’1’) checks for the number of “Site Login Username scan” incidents.

• isRequestCount(‘>’,’50’) checks for the number of login requests for that session.

› Then click Save


- In the Events tab, do the following:

› Enable the “Run analyzer on profile when it observes a new incident (newincident)” checkbox

› Enable the “Run analyzer on profile when it observes any new traffic (newtraffic)” checkbox

› Then click Save

3. Test the new Autoresponse by using an attack tool like w3af, or manually enter invalid credentials through a browser.
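The following Python model is an added example, not Juniper's code or the WebApp Secure engine: it mirrors the step-1 Login Processor settings (URL pattern, log/pwd parameters, 200 = failure, 302 = success, captcha after 3 failures) and the step-2 autoresponse rule (incident 23008 seen at least once, a session with more than 50 requests, Break Authentication not yet active), then replays it over constructed request records. The record layout, function names, and the point at which the 23008 incident appears in the sample are assumptions made for the example.

```python
# Added example (not Juniper's code): a Python model of the step-1 Login Processor settings and the
# step-2 "Break Authentication" rule, replayed over constructed records; layout and names are assumptions.
import re
from collections import defaultdict

LOGIN_PAGE = {  # "Protected Login Page" values from step 1
    "url_pattern": r"wp-login\.php", "username_field": "log", "password_field": "pwd",
    "failure_status": r"^200$",  # Failure Pattern Target=Status, Pattern 200, Failure On Match
    "success_status": r"^302$",  # Success Pattern Target=Status, Pattern 302, Success On Match
    "captcha_after": 3}          # Require Captcha After

def classify_login(rec, page=LOGIN_PAGE):
    """Return 'failure', 'success', or None when the record is not a login attempt."""
    if rec["method"] != "POST" or not re.search(page["url_pattern"], rec["url"]):
        return None
    if not {page["username_field"], page["password_field"]} <= set(rec["post"]):
        return None
    if re.search(page["failure_status"], str(rec["status"])):
        return "failure"
    return "success" if re.search(page["success_status"], str(rec["status"])) else None

def break_auth_rule(p, min_incidents=1, min_requests=50):
    """Step-2 rule: at least min_incidents incidents of type 23008, a session with more than
    min_requests requests, and BA not already active (defaults match the note's thresholds)."""
    return (p["incidents"]["23008"] >= min_incidents
            and any(n > min_requests for n in p["session_requests"].values())
            and not p["ba_active"])

def replay(records):
    """Replay one attacker profile's records and return the resulting profile state."""
    p = {"incidents": defaultdict(int), "session_requests": defaultdict(int),
         "session_failures": defaultdict(int), "captcha_sessions": set(),
         "ba_active": False, "ba_activated_at": None}
    for i, rec in enumerate(records):
        sid = rec["session"]
        p["session_requests"][sid] += 1
        if classify_login(rec) == "failure":
            p["session_failures"][sid] += 1
            if p["session_failures"][sid] >= LOGIN_PAGE["captcha_after"]:
                p["captcha_sessions"].add(sid)  # default protection: captcha after 3 failures
        if "incident" in rec:                   # incident code raised by WebApp Secure (constructed here)
            p["incidents"][rec["incident"]] += 1
        if break_auth_rule(p):                  # the analyzer runs on newincident and newtraffic
            p["ba_active"], p["ba_activated_at"] = True, i
    return p

def sample_records():
    """Constructed traffic: 60 POSTs to wp-login.php in one session, each username once, all 200 OK."""
    recs = [{"session": "s1", "method": "POST", "url": "/wp-login.php", "status": 200,
             "post": {"log": f"user{n}", "pwd": "x"}} for n in range(60)]
    recs[10]["incident"] = "23008"  # the "Site Login Username scan" incident
    return recs
```

Lowering `min_requests` or raising `min_incidents` in `break_auth_rule` corresponds to the note's advice on tuning the isRequestCount and isCount checks; with the sample traffic the rule fires on the 51st request of the session, after the captcha protection has already applied from the third failure.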

Summary

The steps described in this application note can be used to configure WebApp Secure to protect your Web applications from brute force credential attacks. After configuration of the Login Processor, WebApp Secure will cause automated credential attacks to fail with errors by responding with a captcha by default. By taking an additional step to configure the “Break Authentication Autoresponse,” WebApp Secure will apply Intrusion Deception that allows the automated attack to continue and finish, but the attack will not be successful since all of the attacker’s credentials will be marked “invalid.”


3500217-001-EN Jan 2014

Copyright 2014 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.


About Juniper Networks

Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.