8/18/2019 Web Applications Security Overview and AppWall Solution
http://slidepdf.com/reader/full/web-applications-security-overview-and-appwall-solution 1/13
Web Applications Security Overview and Radware AppWall Solution
White Paper
November 2008
Web Applications Security Overview and Radware AppWall Solution | White Paper | Page 2
Table of Contents
1. Preface ........ 3
1.1. General ........ 3
1.2. Target Audience ........ 3
2. Introduction to Web Applications Security ........ 4
2.1. Web Applications Security Overview ........ 4
2.2. HTTP: The Internet Protocol ........ 4
2.2.1. Background on HTTP ........ 4
2.2.2. HTTP Methods ........ 5
2.3. Security Issues, Hackers and Threats ........ 6
2.3.1. OWASP Top Ten Vulnerabilities Classification ........ 6
2.3.2. WASC Web Security Attack Classification ........ 8
2.3.3. Unclassified Application-Layer Attack Types ........ 9
3. Complete Threat Protection with AppWall ........ 11
1. Preface
1.1. General
Enabling organizational processes and applications for the Internet is a critical
requirement in today's business landscape. As a result, strong network level protection
against attacks, such as firewalls and intrusion detection systems, is mandatory in all
enterprise Web Application environments, as such threats impose real risk and high costs.
However, hacking techniques are now designed to legitimately access a Web Application
and attack back-end systems using transactions that appear to be normal. These well
publicized Web “application level” attack techniques cannot be detected by network
firewalls and intrusion detection systems. Web Application attacks pass through
unchecked, enabling access to sensitive information and systems. In addition, since this
entire activity looks like perfectly legitimate Internet traffic, the network security team is
completely unaware of these attacks unless someone happens to notice their effects.

This paper provides an overview of Web Application Security and discusses the following
topics:
- Introduction to Web Application Security - describes Web Application security,
  including an overview of HTTP and its related security issues, hackers and threats
  currently at play in the Web Application industry and more
- Complete Threat Protection with Radware AppWall - discusses the various
  protection techniques provided by AppWall
1.2. Target Audience
This paper is intended for IT professionals who are responsible for the implementation of
a Web Application's security policy in their organization. This guide takes the reader
from the basic initial steps needed to start working with AppWall through to more
advanced AppWall configurations, depending on the reader's requirements.
It is assumed that readers of this guide are familiar with many of the concepts and terms
used throughout the Web Application Security industry.
2. Introduction to Web Applications Security
2.1. Web Applications Security Overview
We at Radware refer to Web Application Security as making use of software and hardware
to protect Web Applications from internal and external threats.
As the tools and technology approaches used to create Web Applications rapidly change,
developers tend to spend more time in implementing these tools and technologies, and
less time implementing security in the application. An application that has been
developed with security in mind minimizes holes and backdoors to the application. These
holes and backdoors leave the application vulnerable to potential hackers.
Security is becoming an increasingly important concern during development as
applications become more frequently accessible over networks and are, as a result,
vulnerable to a wide variety of application-layer threats.
Hacking or attacking Web Applications is a security domain which has no limits as to the
number of methods and techniques that can be used to gain illegal access, manipulate
information, or cause damage to an enterprise. As these methods and techniques
develop, it is our aim to develop means and techniques through advanced technology to
prevent harm to an application.
The following sections provide in-depth information about HTTP, the main protocol used to
deliver files and data across the Internet, as well as information on the known threats,
vulnerabilities and attack types as they are classified today by Security authorities such as
the FBI, SANS (SysAdmin, Audit, Network, Security) Institute, WASC (Web Application
Security Consortium) and OWASP (Open Web Application Security Project).
2.2. HTTP: The Internet Protocol
Hypertext Transfer Protocol (HTTP) is perhaps the most significant protocol used on the
Internet today. Web services, network-enabled appliances and the growth of network
computing continue to expand the role of the HTTP protocol beyond user-driven Web
browsers, while increasing the number of applications that require HTTP support.
2.2.1. Background on HTTP
HTTP is the network protocol used to deliver virtually all files and other data (collectively
referred to as 'resources') on the World Wide Web, including HTML files, image files, query
results, or using any other format.
A browser, known as an HTTP client, sends requests to an HTTP server (Web server),
which then sends responses back to the client. HTTP usually takes place over TCP
connections, usually using port 80, though this can be overridden so that another port is
used.
After a successful connection, the client transmits a request message to the server, which
sends a reply message back. The simplest HTTP message is "GET <URL>", to which the
server replies by sending the named document. If the document does not exist, the server
will send an HTML-encoded message stating that.
HTTP is used to transmit resources, not just files. A resource is a chunk of information
that can be identified by a Uniform Resource Locator (URL - resources are the R in URL).
The most common type of resource is a file, but a resource may also be a dynamically
generated query result, the output of a CGI script, the output of PHP or any other
dynamic Web scripting language, the output of a Java servlet, a document that is
available in several languages, or something else.
2.2.2. HTTP Methods
HTTP defines eight methods (sometimes referred to as "verbs"), indicating the desired
action to be performed on the identified resource, as follows:
HEAD: Asks for the response identical to the one that would correspond to a GET
request, but without the response body. This is useful for retrieving meta-
information written in response headers, without having to transport the entire
content.
GET: Requests a representation of the specified resource. This method is by far
the most common method used on the Web today. 'GET' should not be used for
operations that cause side-effects (using it for actions in Web Applications is a
common misuse).
POST: Submits data to be processed (for example, from an HTML form) to the
identified resource. The data is included in the body of the request. This may
result in the creation of a new resource or the updates of existing resources or
both.
PUT: Uploads a representation of the specified resource.
DELETE: Deletes a specified resource.
TRACE: Echoes back the received request, so that a client can see what the
intermediate servers are adding to or changing in the request.
OPTIONS: Returns the HTTP methods that the server supports for the specified
Uniform Resource Identifier (URI). This can be used to check the functionality of
a Web server by requesting '*' instead of a specific resource.
CONNECT: Converts the request connection to a transparent TCP/IP tunnel,
usually to facilitate SSL-encrypted communication (HTTPS) through an
unencrypted HTTP proxy.
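As an added example (not code from the white paper or from Radware), the parser below splits a raw HTTP/1.1 request into the pieces described in this section and tags the method with the safety and idempotency properties the HTTP specification assigns to the eight verbs; the sample requests and the MalformedRequest class are constructed for illustration.

```python
"""Minimal HTTP/1.1 request parser plus a property table for the eight methods
listed above.  Added example, not code from the white paper or from Radware;
the sample request in main() is constructed for illustration."""
from urllib.parse import parse_qsl, urlsplit

# Properties defined for each method by the HTTP/1.1 specification (RFC 7231):
# "safe" methods are not expected to cause side effects on the server (the reason
# GET must not be used for actions), "idempotent" ones can be repeated safely.
METHODS = {
    "GET":     {"safe": True,  "idempotent": True},
    "HEAD":    {"safe": True,  "idempotent": True},
    "OPTIONS": {"safe": True,  "idempotent": True},
    "TRACE":   {"safe": True,  "idempotent": True},
    "PUT":     {"safe": False, "idempotent": True},
    "DELETE":  {"safe": False, "idempotent": True},
    "POST":    {"safe": False, "idempotent": False},
    "CONNECT": {"safe": False, "idempotent": False},
}


class MalformedRequest(ValueError):
    """Raised when the request line or a header line cannot be parsed."""


def parse_request(raw: bytes) -> dict:
    """Split a raw request into method, path, headers and the parameters it carries.

    Query-string parameters and, for a URL-encoded POST body, form fields are merged
    into one 'params' mapping, which is what a parameter-inspecting filter looks at.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    try:
        method, target, version = lines[0].split(" ")
    except ValueError as exc:
        raise MalformedRequest("request line must be '<method> <target> <version>'") from exc
    if not version.startswith("HTTP/"):
        raise MalformedRequest("unrecognised protocol version %r" % version)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise MalformedRequest("header line without ':' %r" % line)
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    # Content-Length bounds how much of the body belongs to this request.
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError as exc:
        raise MalformedRequest("Content-Length is not a number") from exc
    body = body[:length]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True))
    return {"method": method, "path": parts.path, "version": version,
            "headers": headers, "params": params, "body": body}


def describe_method(method: str) -> dict:
    """Return the method's properties; anything outside the eight verbs is 'unknown'.

    Method names are case-sensitive in HTTP, so 'get' is deliberately not 'GET'.
    """
    props = METHODS.get(method)
    if props is None:
        return {"known": False, "safe": False, "idempotent": False}
    return {"known": True, **props}


if __name__ == "__main__":
    # Constructed sample: a form login submitted with POST.
    sample = (b"POST /login HTTP/1.1\r\nHost: www.example.test\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: 22\r\n\r\nuser=alice&pass=s3cr3t")
    req = parse_request(sample)
    print(req["method"], req["path"], req["params"], describe_method(req["method"]))
```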
2.3. Security Issues, Hackers and Threats
This section describes the various security issues, hackers and threats that are regularly
monitored by industry communities such as OWASP and WASC, who produce widely
agreed upon best-practice security standards for the World Wide Web.
2.3.1. OWASP Top Ten Vulnerabilities Classification
The following provides a description of the OWASP Top Ten:
“The OWASP Top Ten provides a minimum standard for Web Application security. The
OWASP Top Ten represents a broad consensus about what the most critical Web
Application security flaws are. Project members include a variety of security experts from
around the world who have shared their expertise to produce this list. OWASP urges all
companies to adopt the standard within their organization and start the process of
ensuring that their Web Applications do not contain these flaws. Adopting the OWASP Top
Ten is perhaps the most effective first step towards changing the software development
culture within your organization into one that produces secure code.”
There may be many reasons why your Web Application may be vulnerable to one or more
of the OWASP Top Ten Security flaws. For example:
- The Web Application in use by your enterprise may have been created using
  different types of technologies and software platforms.
- The development personnel in your enterprise might not have had security in mind
  while developing the Web Application or may have left backdoors to the
  application for maintenance. Furthermore, it is common that the development
  personnel have changed jobs or have failed to document the application
  structure.
Important note: Your application is not susceptible to attack if it is not vulnerable.
Maintaining the application constantly and keeping up-to-date with vulnerability
information and fixing potential risks in the application must be considered a priority and
not an unpleasant task.
The following table summarizes the Top Ten vulnerabilities in Web Application security as
classified by OWASP:
Vulnerability Class | Summary Description

A1 - Cross Site Scripting (XSS)
  The Web Application can be used as a mechanism to transport an attack to an end
  user's browser. A successful attack can disclose the end user's session token,
  attack the local machine, or spoof content to fool the user.

A2 - Injection Flaws
  Web Applications pass parameters when they access external systems or the local
  operating system. If an attacker can embed malicious commands in these
  parameters, the external system may execute those commands on behalf of the
  Web Application.

A3 - Malicious File Execution
  Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile
  code and data, resulting in devastating attacks, such as total server compromise.
  Malicious file execution attacks affect PHP, XML and any framework which accepts
  filenames or files from users.

A4 - Insecure Direct Object Reference
  A direct object reference occurs when a developer exposes a reference to an
  internal implementation object, such as a file, directory, database record, or
  key, as a URL or form parameter. Attackers can manipulate those references to
  access other objects without authorization.

A5 - Cross Site Request Forgery (CSRF)
  A CSRF attack forces a logged-on user's browser to send a pre-authenticated
  request to a vulnerable Web Application, which then forces the user's browser to
  perform a hostile action to the benefit of the attacker. CSRF can be as powerful
  as the Web Application that it attacks.

A6 - Information Leakage and Improper Error Handling
  Applications can unintentionally leak information about their configuration,
  internal workings, or violate privacy through a variety of application problems.
  Attackers use this weakness to steal sensitive data, or conduct more serious
  attacks.

A7 - Broken Authentication and Session Management
  Account credentials and session tokens are often not properly protected.
  Attackers compromise passwords, keys, or authentication tokens to assume other
  users' identities.

A8 - Insecure Cryptographic Storage
  Web Applications frequently use cryptographic functions to protect information
  and credentials. These functions and the code to integrate them have proven
  difficult to code properly, frequently resulting in weak protection.

A9 - Insecure Communications
  Applications frequently fail to encrypt network traffic when it is necessary to
  protect sensitive communications.

A10 - Failure to Restrict URL Access
  Applications frequently only protect sensitive functionality by preventing the
  display of links or URLs to unauthorized users. Attackers can use this weakness
  to access and perform unauthorized operations by accessing those URLs directly.
2.3.2. WASC Web Security Attack Classification
The Web Security Threat Classification is a cooperative effort to clarify and organize the
threats for the security of a Web site. The members of the Web Application Security
Consortium (WASC) have created this project to develop and promote industry standard
terminology for describing these issues. Application developers, security professionals,
software vendors, and compliance auditors will have the ability to access a consistent
language for web security related issues.
The WASC Threat Classification is broken down into the following main classes:
1) Authentication - Authentication threats include attacks against validation methods
   used by Web Applications to validate users, services or applications. The threats that
   target the authentication process of Web Applications include the following:
   - Brute Force Attacks
   - Insufficient Authentication
   - Weak Password Recovery Validation
2) Authorization - Authorization threats include attacks against the methods used by
   the Web Application to determine whether the user, service or application has the
   required permissions to perform actions. Potential hackers may attempt to
   manipulate the Web Application to gain privileges to restricted areas and to perform
   illegal actions. These threats include the following:
   - Credential/Session Prediction
   - Insufficient Authorization
   - Insufficient Session Expiration
   - Session Fixation
3) Client-Side Attacks - Client-side attacks cover a wide range of Web Application
   manipulation and abuse. A potential hacker may attempt to utilize the technology
   employed when a user connects to a Web Application to attack the user. These
   threats include:
   - Content Spoofing
   - Cross-Site Scripting
4) Command Execution - These threats involve attacks designed to execute remote
   commands on the Web Application. These attacks are generally aimed at user
   supplied information, which is used to create commands that result in dynamic web
   content. With the process left insecure, an attacker could manipulate the command
   execution. These threats include:
   - Buffer Overflow
   - Format String Attack
   - LDAP Injection
   - OS Commanding
   - SQL Injection
   - SSI Injection
   - XPath Injection
5) Information Disclosure - Information Disclosure threats cover attacks designed to
   obtain Web Application specific system information. This information usually includes
   software distribution, version numbers, patch level, etc. The information may also
   include names and locations of temp files, backup files and others. This information
   may be gathered and used by a potential hacker in order to locate and exploit a
   backdoor or unprotected access point to the Web Application. These threats include:
   - Directory Indexing
   - Information Leakage
   - Path Traversal
   - Predictable Resource Location
6) Logical Attacks - Logical Attack threats focus on the possible exploitation of Web
   Application logic flow by a potential hacker. Application logic is a term that describes
   the procedure used by the application to perform a specific action, for example
   account registration, recovering passwords, online purchases, etc. A hacker may
   bypass a specific process required by the application and hence find a way to damage
   users or the application. These threats include:
   - Abuse of Functionality
   - Denial of Service
   - Insufficient Anti-Automation
   - Insufficient Process Validation
2.3.3. Unclassified Application-Layer Attack Types
The following table highlights attack forms that are not classified by any particular
organization, yet they exist. These attack forms may appear as part of any of the above
classifications, or may be a result of a different class completely.
Forms of Attack | Brief Description

Parameters Tampering
  Manipulating elements in the URL sent to a Web site in order to gain illegal access
  or unauthorized information. By manipulating the parameters in the request, a
  potential hacker can then navigate and modify its contents.
Cookie Poisoning
  Changes the content of cookies from what was originally set by the application and
  can forge a cookie with stolen information.
Database Sabotage
  Injects various SQL commands into input fields or messages that affect the regular
  operation of the database.
Web Services Manipulation
  Exploiting vulnerabilities inherent in Web Services formats, structure, and
  operations as well as dictionary and encoding manipulations.
Stealth Commanding
  Smuggles command statements in text fields that will be executed within a given
  layer of the infrastructure.
Debug Options
  Exploits vulnerabilities left open in internally developed code by using debug
  constructs.
Backdoor
  Uses the privileged/un-referenced access that applications may provide. These are
  points of access to the Web Application that were not intended to be discovered by
  un-trusted users. Some backdoors were intended only to be used during the
  application development stage but were never removed when the application was
  deployed.
Manipulation of IT Infrastructure Vulnerabilities
  Exploits vulnerabilities in an integrated Internet environment, such as known
  patterns and common files and folders.
3rd-Party Misconfiguration
  Exploits configuration errors in third-party components, such as Web and database
  servers.
Buffer Overflow Attacks
  Sends large request messages to the application, attacking either third party or
  internally developed code.
Data Encoding
  Sends requests using different data encoding standards such as Unicode, UTF-8, and
  UTF-16. Targets variations in data encoding to pass and execute commands within
  specific layers of the operating environment.
Protocol Piggyback
  Modifies the application protocol structure to include nested commands. Targets
  variations in protocols to pass and execute commands within specific layers of the
  operating environment.
Cross-Site Scripting (XSS)
  Attacks the end user's browser to reveal the end user's session token, attack the
  local machine or spoof content.
3. Complete Threat Protection with AppWall
This section describes the protection techniques AppWall provides (Security Filters)
against the threats/attacks described in the previous sections.
Filter Name | Filter Description | Threats Protected Against

Parameters Security Filter
  This filter evaluates parameters sent in requests against a configured list of
  allowed (or not allowed) parameters configured for pre-defined rules or range.
  Protects against: Parameters Tampering, Unvalidated Input, Buffer Overflow,
  Data Encoding

Global Parameters Security Filter
  This filter evaluates request parameter values by applying specified patterns,
  including regular expressions, to qualifying parameters.
  Protects against: Parameters Tampering, Unvalidated Input, Buffer Overflow,
  Data Encoding

XML Security Filter
  This filter parses and evaluates the XML body structure of requests as well as
  values encapsulated within the XML tags. Parameter names are created using the
  full hierarchy of nested tags containing each value. The created parameters are
  evaluated by subsequent parameter-related Security Filters as defined on the
  Application Path level.
  Protects against: Unvalidated Input, Buffer Overflow, Parameters Tampering

Web Services Security Filter
  This filter evaluates Web Service requests and generates an event when the
  request violates valid WSDL operations. Valid operations can be determined by
  import and examination of the WSDL file.
  Protects against: Unvalidated Input, Buffer Overflow, Parameters Tampering,
  Web Services Manipulation

Session Security Filter
  This filter prevents remote users from modifying the application parameter
  values stored in HTML forms, and prevents remote users from manipulating
  Session state information and submitting it to the Web Application. The Session
  Security Filter also protects Cookies, Path, Query, and Form parameters.
  Protects against: Broken Access Control, Broken Authentication and Session
  Management, Insecure Storage, Authorization, Cookie Poisoning

Allow List Security Filter
  This filter evaluates requests based on a configured list of valid page and
  method requests. Based on the evaluation it generates an event for any request
  not conforming to a configured list of valid requests or stops the request.
  Protects against: Broken Access Control, Insecure Configuration Management,
  Logical Attacks, 3rd Party Misconfiguration

Path Blocking Security Filter
  This filter evaluates requests to access files and folders on the application
  based on a configured list of relative or specific URLs and generates an event
  when the request does not match the specified URLs.
  Protects against: Broken Access Control, Insecure Configuration Management,
  Logical Attacks

Brute Force Security Filter
  This filter prevents remote users from attempting to guess the username and
  password of an authorized user.
  Protects against: Authentication and Session Management, Authentication

Database Security Filter
  This filter evaluates request parameters for harmful SQL command syntax,
  command shell attacks, and cross-site scripting. It generates an event when the
  request does not match those specified in a configured parameters list or stops
  the request completely.
  Protects against: Cross Site Scripting (XSS), Injection Flaws, Client-Side
  Attacks, Command Execution, Database Sabotage, Stealth Commanding, Backdoor

Vulnerabilities Security Filter
  This filter checks requests for known vulnerability patterns based on a
  deterministic set of rules and generates an event when a vulnerability pattern
  is detected. The user can also create custom patterns to generate events.
  Protects against: Cross Site Scripting (XSS), Injection Flaws, Client-Side
  Attacks, Command Execution, Logical Attacks, Stealth Commanding, Debug Options,
  Backdoor, Manipulation of IT Infrastructure Vulnerabilities

Safe Reply Security Filter
  This filter evaluates outbound replies for the presence of sensitive information
  such as credit cards and Social Security numbers.
  Protects against: Improper Error Handling, Information Disclosure

Files Upload Security Filter *
  This filter evaluates uploads and generates an event when the request does not
  conform to the configured specification for upload locations, file extensions,
  and file retrievals.

HTTP Methods Security Filter *
  This filter evaluates HTTP request methods and generates an event when the
  request methods do not conform to the configured list of allowable methods.

Logging Security Filter *
  This filter provides logging capabilities for both incoming and outgoing HTTP
  traffic and specifies log contents, location, size, and other properties.

* Although not protecting against specific threats previously mentioned in this
  chapter, these filters add an extra dimension to the Enterprise security.
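The following is an added example, not AppWall's code, showing how a request-inspection engine along the lines of the Parameters, Global Parameters, Allow List, Path Blocking and HTTP Methods filters above can be modelled: each filter raises an event that a deployment would log or use to stop the request. The Policy and ParamRule types, the sample policy and the sample requests are all constructed for illustration and assume the request has already been parsed into method, path and parameters.

```python
"""Toy request-inspection engine modelled on the Security Filters listed above
(Parameters, Global Parameters, Allow List, Path Blocking, HTTP Methods).
Added example, not AppWall's code; the Policy/ParamRule types, the sample policy
and the sample requests are constructed for illustration."""
import re
from dataclasses import dataclass, field


@dataclass
class ParamRule:
    """Pre-defined rule or range for one parameter (Parameters Security Filter)."""
    kind: str                       # "int" (range check) or "string" (character check)
    min_value: int = 0
    max_value: int = 2**31 - 1
    max_len: int = 256              # length bound, the buffer-overflow guard
    pattern: str = r"[\w .@-]*"     # characters a string value may contain


@dataclass
class Policy:
    allowed_methods: set            # HTTP Methods Security Filter
    allow_list: dict                # Allow List filter: path -> set of valid methods
    blocked_prefixes: list          # Path Blocking filter: URL prefixes never served
    param_rules: dict               # Parameters filter: path -> {name -> ParamRule}
    global_patterns: list = field(default_factory=list)  # Global Parameters filter


def inspect_request(request: dict, policy: Policy) -> list:
    """Return the (filter name, detail) events raised for one parsed request.

    An empty list means the request conforms to the policy; a non-empty list is
    what a deployment would log and, in blocking mode, use to stop the request.
    """
    events = []
    method, path, params = request["method"], request["path"], request["params"]
    if method not in policy.allowed_methods:
        events.append(("HTTP Methods", f"method {method} is not allowed"))
    if any(path.startswith(prefix) for prefix in policy.blocked_prefixes):
        events.append(("Path Blocking", f"access to {path} is blocked"))
    if method not in policy.allow_list.get(path, set()):
        events.append(("Allow List", f"{method} {path} is not a valid page/method"))
    rules = policy.param_rules.get(path, {})
    for name, value in params.items():
        rule = rules.get(name)
        if rule is None:
            # Any parameter the application does not expect is treated as tampering.
            events.append(("Parameters", f"unexpected parameter {name}"))
            continue
        if len(value) > rule.max_len:
            events.append(("Parameters", f"{name} longer than {rule.max_len} characters"))
        if rule.kind == "int":
            if not value.isdigit() or not rule.min_value <= int(value) <= rule.max_value:
                events.append(("Parameters", f"{name} is outside its allowed range"))
        elif not re.fullmatch(rule.pattern, value):
            events.append(("Parameters", f"{name} contains disallowed characters"))
        for label, pattern in policy.global_patterns:
            if re.search(pattern, value, re.IGNORECASE):
                events.append(("Global Parameters", f"{name} matches pattern '{label}'"))
    return events


# Constructed sample policy for a site with a search page and a login form.
POLICY = Policy(
    allowed_methods={"GET", "HEAD", "POST"},
    allow_list={"/search": {"GET"}, "/login": {"POST"}},
    blocked_prefixes=["/admin/", "/.git/", "/backup/"],
    param_rules={
        "/search": {"q": ParamRule("string", max_len=64),
                    "page": ParamRule("int", min_value=1, max_value=500)},
        "/login": {"user": ParamRule("string", max_len=32),
                   "pass": ParamRule("string", max_len=128, pattern=r"[^\x00-\x1f]*")},
    },
    global_patterns=[("sql comment", r"(--|/\*)"), ("path traversal", r"\.\./")],
)

if __name__ == "__main__":
    # Constructed sample requests: one clean, one with tampered parameters.
    for req in ({"method": "GET", "path": "/search", "params": {"q": "appwall", "page": "2"}},
                {"method": "GET", "path": "/search", "params": {"q": "a' OR 1=1 --", "page": "0"}}):
        print(req["path"], inspect_request(req, POLICY) or "conforms")
```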
For further information on working with AppWall Security Filters, please refer to the
Security Filters section of the AppWall Management Application online help.
Additional information is available on AppWall's page on the Radware Web site at
www.radware.com.
© 2008 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks
of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed
in the U.S.A.