
Securing Web Applications and Data Flow
The Problem and the Solution

Presented by: Steve Pettit, Systems Engineering, Sanctum Inc.

• The Web Application Layer Threats

• Why the Problem Exists
    – Landscape
    – Anatomy of a Web Application Server

• The failed solutions
    – Manual patching and code review not fast enough
    – Traditional Solutions Fail (FW / IDS / ACLs / OS Hardening…)

• Application Firewalling as a solution
Recent News

"Code Red: Alive again and Kicking" – ZDNet, Aug 1, 2001
97% of Sites Are Vulnerable

[Pie chart of AppAudit findings by severity. Labels shown: Full Control & Access to Information; Privacy Breach (25%); Minor Breach (4%); Hijack (7%); Modify Information; Delete Web Site]

The results of over 300 AppAudits conducted with AppScan
The Business Problem - Web Application Hacking

    Type A – Stealing Company Assets
    Type B – Falsifying B2B or B2C Buy/Sell Transactions
    Type C – Obtaining Customer Information
    Type D – Defacing a site
Type A – Stealing Company Assets

    Hackers can access corporate assets, from strategic documents and personnel
    records to intellectual property, patents and business secrets.

Type B – Falsifying B2B or B2C Buy/Sell Transactions

    Hackers can alter the price of your goods and services, effectively buying
    products for next to nothing, or changing your content.

Type C – Obtaining Customer Information

    Hackers can access your customers’ most sensitive information, from credit
    card numbers and financial data to medical records and private messages.

Type D – Defacing a site

    Hackers can turn your applications against you to deface, debilitate or
    totally shut down your site.
    Ten Categories of Application Hacks

•   Hidden Field Manipulation - eShoplifting
•   Parameter Tampering - access OS or sensitive data; fraud

•   Backdoors and Debug Options – access code/application as developer or admin
•   Cookie Poisoning - identity theft, illegal transactions

•   Stealth Commanding - access OS or control application at OS level, site defacement
•   Forceful Browsing - access sensitive data

•   Cross-Site Scripting - server-side exploitation, access sensitive data; eHijacking

•   Buffer Overflow - access sensitive data, or crash site/application
•   3rd-Party Misconfiguration - access OS or data

•   Published/Known Vulnerabilities- access OS; crash site; access sensitive data
  Hidden Field Manipulation

• Vulnerability explanation:
    The application sends data to the clients using a hidden field in a form.
      Modifying the hidden form field damages the data returning to the web

• Why Hidden Field Manipulation:
    Passing hidden fields is a simple and efficient way to pass information from
      one part of the application to another (or between two applications)
      without the use of complex backend systems.

• As a result of this manipulation :
    The application acts according to the changed information and not
      according to the original data
Hidden Field Manipulation - Example
  Cookie Poisoning

• Vulnerability explanation:
    The session information contained within the cookie is changed to a
      different value causing the application to shift to the new session ID.

• Why Cookie Poisoning:
    Some session IDs are not secure, e.g. not encrypted, or only weakly encrypted
      or hashed. This is due to lack of cryptographic expertise of the

• As a result of this manipulation :
    Hackers can assume the user’s identity and have access to that user’s
      information – identity theft/impersonation
Cookie Poisoning - Example
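The two slides above (Hidden Field Manipulation and Cookie Poisoning) share one underlying defence: any value the server hands to the client and later reads back must be bound to a tag the client cannot compute. The Python below is an added example, not code from the deck or from Sanctum's AppShield. It signs a hidden price field and a session cookie with an HMAC over a server-side secret, rejects anything whose tag does not verify, and, for the checkout, re-derives the price from the server catalogue anyway so the client's copy is never the source of truth. The secret, the catalogue, the field layouts and all function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed example secret. A real one comes from configuration and never reaches the client.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Constructed catalogue: the authoritative price lives on the server (in cents).
CATALOGUE = {"sku-1001": 4999, "sku-2002": 12500}


def sign(value: str) -> str:
    """Bind a value to an HMAC-SHA256 tag: 'value.<hex tag>'."""
    tag = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify(token: str):
    """Return the signed value if its tag checks out, else None (tampered or malformed)."""
    value, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison: the tag cannot be guessed byte by byte through timing
    return value if hmac.compare_digest(expected, tag) else None


# ---- Hidden Field Manipulation ----

def hidden_item_field(sku: str) -> str:
    """Value the server would emit in <input type="hidden" name="item" value="...">."""
    return sign(f"{sku}|{CATALOGUE[sku]}")


def checkout_total(submitted_item: str, quantity: int):
    """Hardened checkout: the hidden field must carry a valid tag, and even then the
    price is taken from the catalogue, so the client-side copy is informational only."""
    value = verify(submitted_item)
    if value is None:
        return None
    sku, _, _client_price = value.partition("|")
    if sku not in CATALOGUE or quantity <= 0:
        return None
    return CATALOGUE[sku] * quantity


# ---- Cookie Poisoning ----

def new_session_cookie(user_id: str) -> str:
    """Session cookie = user id plus an unguessable random id, both covered by the tag."""
    return sign(f"{user_id}:{secrets.token_hex(16)}")


def user_from_cookie(cookie: str):
    """Identity the server accepts from the cookie, or None if the cookie was altered."""
    value = verify(cookie)
    if value is None:
        return None
    user_id, _, _session_id = value.partition(":")
    return user_id
```

Changing the price in the hidden field, or the user id in the cookie, invalidates the tag and the request is refused; and because `checkout_total` looks the price up server-side, even a correctly signed field with a stale price cannot lower the total.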
  Backdoor & Debug options

• Vulnerability explanation:
    The application has hidden debug options that can be activated by
       sending a specific parameter or sequence

• Why Backdoor and Debug options:
    1. Leaving debug options in the code enables developers to find and fix
       bugs faster
    2. Developers leave backdoors as a way of guaranteeing their access to
       the system

• As a result of this manipulation :
    Activation of the hidden debug option allows the hacker to have extreme
       access to the application (usually unlimited).
Backdoor & Debug options - Example
  Application Buffer Overflow

• Vulnerability explanation:
    Exploiting a flaw in a form to overload the server with excess information –
      sending more characters than the input expects will cause it to misbehave

• Why Application Buffer Overflow:
    The application does not check the number of characters

• As a result of this manipulation :
    The application crashes and in many cases causes the whole site to shut
      down (DoS). In other cases, the application executes the code received
      as the input
Application Buffer Overflow - Example
  Stealth Commanding

• Vulnerability explanation:
    Concealing dangerous commands via a Trojan horse with the intent to run
      malicious or unauthorized code that is damaging to the site.

• Why Stealth Commanding:
   Applications tend to use the content received from a field to evaluate a new
   command. However, they assume that the content is only data and not
   executable code.

• As a result of this manipulation :
    The hacker can perform any command on the web-server, including
      complete shut down, defacement, or access to all information
Stealth Commanding - Example
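The assumption the slide describes (field content is data, not code) is easiest to see in a feature that builds a command from user input. The following Python is an added example, not code from the deck or from AppShield: a diagnostics page that pings a host named in a form field. `build_ping_unsafe` shows the content being pasted into a command line that a shell would parse; `build_ping` validates the field against a hostname grammar and passes it as a single argument so no shell ever interprets it; `suspicious_characters` is the kind of check a Layer-7 filter can use to alert on such input. The feature, the regular expression and all names are assumptions for this example.

```python
import re
import subprocess

# Constructed example: a "ping this host" diagnostics feature driven by a form field.

# Allowlist grammar for a DNS hostname: labels of letters, digits and hyphens joined by
# dots; no label starts or ends with a hyphen; whole name at most 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Characters a shell would interpret; useful for logging and alerting on field values.
SHELL_META = set(";|&$`()<>\n\r'\"\\")


def suspicious_characters(value: str) -> set:
    """Layer-7 detection view: which shell metacharacters appear in a field value."""
    return set(value) & SHELL_META


def build_ping_unsafe(host: str) -> str:
    """The pattern the deck describes: field content pasted into a command string that is
    then handed to a shell (os.system / shell=True), so the shell treats it as code."""
    return f"ping -c 1 {host}"


def build_ping(host: str):
    """Hardened form: accept only values matching the allowlist grammar, then return an
    argv list so the value is exactly one argument to ping and is never parsed by a shell.
    Returns None for anything that is not a plain hostname."""
    if not HOSTNAME_RE.match(host):
        return None
    # the grammar also rules out a leading '-', so the value cannot masquerade as an option
    return ["ping", "-c", "1", host]


def run_ping(host: str):
    """Execute the hardened command (not exercised by the assertions that accompany this)."""
    argv = build_ping(host)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True, timeout=10)
```

Validation comes first and is an allowlist: the question is "is this a hostname?", not "does this contain a character I have heard of?". The metacharacter check is kept separately because it is a useful alerting signal, not a substitute for the grammar.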
  Known Vulnerabilities

• Vulnerability explanation:
    Some technology used in sites has inherent weaknesses that a persistent
      hacker, or a hacker with automated scanning tools, can exploit easily.
      Users are dependent on patches from the developer. Once discovered on
      one site, a weakness can be used against all sites using the same component

• Why Known Vulnerabilities:
    Third-party products have bugs (Microsoft IIS, etc.). Since these products
      appear on many sites they are examined thoroughly by a large number
      of hackers

• As a result of this manipulation:
    Once a bug is found, large parts of the internet are scanned and exploited.
      The actual result varies according to the vulnerability type but ability to
      gain the administrators’ passwords and take control of the site is not
Known Vulnerabilities - Example

  3rd Party Misconfigurations

• Vulnerability explanation:
    A misconfiguration, or human error during install of 3rd party software, can
      leave default passwords or settings unchanged – an open invitation for

• Why 3rd party misconfigurations:
    Occurs during the installation and maintenance of the 3rd party

• As a result of this manipulation :
    Through a configuration error a hacker could create a new database that
      renders the existing one unusable by the site
3rd Party Misconfiguration - Example

  Cross Site Scripting

• Vulnerability explanation:
    A third party creates a link (or sends an email) that, as part of the URL,
       contains a parameter carrying a script – once the user connects, the site
       echoes this script back and it runs

• Why Cross Site Scripting:
    Many parameters are embedded in the HTML of subsequent responses
      without their content being checked for scripts.

• As a result of this manipulation:
    “Virtual hijacking” of the session. Any information flowing between the
       legitimate user and site can be manipulated or transmitted to the evil
       3rd party.
Cross Site Scripting - Example

    Link presented to the user: "Press this link to get to your bank"
    Underlying link: <evil javascript>
    The JavaScript program collects and sends user names and passwords
    Page the user then sees: "Enter your login information"
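Added example, not part of the deck or of AppShield: a Python page that reflects a `name` query parameter. The vulnerable renderer embeds the parameter unchecked, as the slide describes; the hardened one HTML-encodes it at the point it enters the markup, so the same input is shown to the user as text instead of being parsed as a tag; `markup_in_parameters` is the request-side check the deck says an application firewall needs. The parameter name, page text and query values are constructed.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed example: a page that greets the visitor using the `name` query parameter.


def _name_from_query(query: str) -> str:
    return parse_qs(query).get("name", [""])[0]


def render_greeting_vulnerable(query: str) -> str:
    """The weakness in the deck: the parameter is placed straight into the HTML of the
    response, so markup inside it is parsed by the browser instead of displayed."""
    return f"<p>Welcome back, {_name_from_query(query)}</p>"


def render_greeting(query: str) -> str:
    """Hardened form: HTML-encode the parameter where it enters the markup. The input is
    still shown to the user, but as text, so a script carried in it cannot run."""
    safe_name = html.escape(_name_from_query(query), quote=True)
    return f"<p>Welcome back, {safe_name}</p>"


def markup_in_parameters(query: str) -> list:
    """Request-side detection (a Layer-7 check): names of parameters whose values contain
    the characters that open or close an HTML tag."""
    flagged = []
    for name, values in parse_qs(query).items():
        if any("<" in v or ">" in v for v in values):
            flagged.append(name)
    return flagged


def example_queries() -> dict:
    """Constructed inputs: a benign visitor and a link carrying a script in the parameter."""
    return {
        "benign": urlencode({"name": "Alice"}),
        "script": urlencode({"name": "<script>alert(1)</script>"}),
    }
```

Encoding belongs at the output, where the context (HTML body, attribute, URL) is known; the request-side check is a detection aid and will not catch every encoding trick, which is why the page itself must still encode.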
  Parameter Tampering

• Vulnerability explanation:
    Parameters are used to obtain information from the client. The values
      in a site’s URL parameters can be changed by the client

• Why Parameter Tampering:
    Developers focus on the legal values of parameters and how they should
      be utilized. Little if any attention is given to the incorrect values

• As a result of this manipulation :
    The application can perform a function that was not intended by its
      developer like giving access to customer information
Parameter Tampering - Example
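Added example, not the deck's or AppShield's code, in Python: an authorization check for a URL parameter that selects an account. `get_account_vulnerable` is written only for the legal value, as the slide puts it, and never asks whether the id belongs to the logged-in user; `get_account` validates the shape of the id (the "incorrect values" case) and then decides from server-side ownership, not from anything the client sent. The account data and id format are constructed.

```python
import re

# Constructed data: which logged-in customer owns which account.
ACCOUNTS = {
    "acct-100": {"owner": "alice", "balance": 1200},
    "acct-200": {"owner": "bob", "balance": 85},
}

ACCOUNT_ID_RE = re.compile(r"acct-\d{1,6}")


class Forbidden(Exception):
    """Raised when a request selects an object the session user does not own."""


def get_account_vulnerable(params: dict, session_user: str) -> dict:
    """The pattern in the deck: written for the legal value (the user's own account id);
    the id in the URL is used directly and ownership is never checked."""
    return ACCOUNTS[params["id"]]


def get_account(params: dict, session_user: str) -> dict:
    """Hardened form: the URL parameter is only a selector. Its shape is validated, and
    whether to serve the object is decided from server-side ownership data."""
    account_id = params.get("id", "")
    if not isinstance(account_id, str) or not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError("malformed account id")
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session_user:
        # same outcome for 'no such account' and 'not yours', so a probe learns nothing
        raise Forbidden(account_id)
    return account


def view_account(params: dict, session_user: str):
    """Request-handler shape: (HTTP status, balance or None)."""
    try:
        account = get_account(params, session_user)
    except ValueError:
        return 400, None
    except Forbidden:
        return 403, None
    return 200, account["balance"]
```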
  Forceful Browsing

• Vulnerability explanation:
    By “guessing” the names of files and directories the hacker can view them
       without going through the business logic leading to those objects.

• Why forceful browsing:
    1. Default files are left during the installation process
    2. New files that should not be exposed and old files which should be
       removed are left (outside the normal flow) by mistake

• As a result of this manipulation :
    Content (log files, administration facilities, application source code) is
      revealed due to file and directory access
Forceful Browsing - Example
The Four Levels of Web Security

    Level      1 Desktop      2 Transport     3 Network         4 Web Application
    Security   Antivirus      Encryption      Firewall          Manual Patching
    Threat     Disruption     Interception    Illegal Access    Perversion
    Desktop Level

•   AntiVirus Software
    – Symantec
    – Network Associates
    – Trend Micro
•   Personal Firewalls
    – Symantec
    – Network Ice
    – ZoneAlarm

    Level 1 – Desktop. Security: Antivirus. Threat: Disruption.
    Transport Level

• Encryption
     – Virtual Private Network (VPN)
        • Entrust, Cisco, CheckPoint
     – Secure Socket Layer (SSL)
        • Netscape
•   Authentication
     – PKI
        • Entrust, Verisign

    Level 2 – Transport. Security: Encryption. Threat: Interception.
    Network Level

•   Firewalls
    – CheckPoint, Cisco, WatchGuard
•   Intrusion Detection
    – ISS, Cisco, CA
•   Vulnerability Scanners
    – NAI, ISS

    Level 3 – Network. Security: Firewall. Threat: Illegal Access.
    Web Application Level

    The Inner Sanctum:
•   Content
     – Static, Dynamic (application services)
•   Data
     – Customer, Corporate, …
•   In-house developed code
•   3rd party components
     – Web server, App server, DB server, OS, …

    75% of the hacks occur at the application level (Gartner Group)

    Level 4 – Web Application. Security: Manual Patching. Threat: Web Perversion.
  Why the Problem Exists and How to Fix It

• Why
   –   Anatomy of a Web Application
   –   Web Application Message Flow
   –   Organization Issues with Managing a Web Application
   –   Technical Threats for Web Application Components

• How to Fix it
   – Need for Application Firewall
   – Criteria of an Application Firewall
   – Application Firewall as a Solution
  Anatomy of a Web application

• Web Server - Server Software (iPlanet, Apache, IIS)

• User Interface Code - Site look and Feel (HTML, JavaScript, ActiveX)

• Front End System - Scripting Languages (ColdFusion, CGIs)

• Back End System – Business Driver (MainFrame, Peoplesoft, SAP, ERP)

• Database - Oracle, DB2

• Data - Target of the site
Web Application Message Flow

    [Diagram of the layers, top to bottom: Data, Database, Backend Application,
    Frontend Application, User Interface Code, Web Server, User Input]

•   The business logic that
    –   User’s interaction with the Web site
    –   Transacting/interfacing with back-end data systems (databases, CRM, ERP etc)
•   In the form of:
    –   3rd party packaged software; i.e. web server, shopping cart software,
        personalization engines etc.
    –   Code developed in-house / web builder / system integrator

    Input and Output flow through each layer of the
    A break in any layer breaks the whole application.
    Web Application Organizational Issues

•   Many organizations are involved with creating and supporting Web
    applications at the different layers, with much overlap
             –   Marketing
             –   Application Managers
             –   Application Developers
             –   Database Administrators
             –   Database Developers
             –   Operations Support
             –   Network Administrators
             –   System Administrators
             –   Vendor

•   Who is the real owner?

•   Who is responsible for support?

•   Who is responsible to maintain code?

•   Who owns the data?
Web Application Organizational Issues

    [Matrix of the organizational roles above against the application layers:
    User Interface, Web Server, Frontend Application, Backend Application, DataBase, DATA]

    Developing and Supporting a Web Application requires
    close interdepartmental communication.
  Threats at the Application Layers

• Each layer of the application has its own unique vulnerabilities

• A vulnerability fixed at one layer may still be exploitable at
   another layer

• An exploit at any layer of the application affects the integrity of
   the entire application
    – Application DoS
    – Compromised Security
Application Layer Threats

    [Diagram of threats mapped onto the application layers:
    User Interface, Web Server, Frontend Application, Backend Application, DataBase]
Web Application Message Flow
Valid and Invalid Input

    [Diagram of the layers, top to bottom: Data, Backend Application, Frontend
    Application, User Interface Code, Web Server. Valid Input (HTML/HTTP) and
    Invalid Input (HTML/HTTP) both enter at the Web Server.]

    Invalid Data can exploit weakness in the application, acting as escape holes
    resulting in access to accounts, O/S, Network, sensitive data, and may even
    result in an Application Denial of Service.

    Without any protection,
    holes and backdoors exist at every layer waiting to be exploited
Targeting Flaws in Web Applications

    [Diagram: requests pass Common Security on the way to the Web Server]
    Invalid HTTP/HTML Web Request → Application Impurity (Based on 10 types of Hacks),
                                    an Internal / External Illegal Target
    Valid HTTP/HTML Web Request   → Legal Application Data Target
How Safe is Application after Removing Known Bugs

    [Same diagram: requests pass Common Security on the way to the Web Server]
    Invalid HTTP/HTML Web Request → Application Impurity (Based on 10 types of Hacks),
                                    an Internal / External Illegal Target
    Valid HTTP/HTML Web Request   → Legal Application Data Target
Most Browser Attacks Flow Through Standard Security, Only a Few are Blocked

    [Diagram: HTTP/HTML attacks pass Intrusion Detection, Access Control and the
    Hardened OS on the way to the Web Server. Legend: Application Exploit,
    Unblocked HTTP/HTML Attack, Blocked HTTP/HTML Attack]
  Why Common Security Tools Fail at
  Stopping Application Level Attacks

• They are good at addressing issues around the application
   – Application Access
   – Login and Authentication
   – Encryption

• But simply are NOT designed to address application layer
   – Do not Operate at the Application Layer
      • Application Messaging (Parameter passing)
   – Do not Understand Content Logic of the Application
      • Is it a good or bad request?
    Common Solution Approaches


•   Hardened Servers
•   Host Based Intrusion Detection
•   Access Control
•   Content Integrity
•   Total Application Shielding
Solution Approaches
Basic site architecture

    Hardened Servers
    OS and service level hardening of the Web servers
•   Argus – PitBull
•   HP – Virtual Vault
               Does not operate at the Application Layer

    Host Based Intrusion Detection
    Attack pattern identification, and OS-level enforcement
•   entercept
               Does not understand the Application Logic

    Access Control
    Rule-based authentication and
•   Netegrity – SiteMinder
•   IBM – Tivoli Policy Director
•   Internet Dynamics – Conclave
•   Ubizen – MultiSecure Suite
               Does not understand the Application Logic

    Content Integrity
•   Gilian – G-Server
•   WatchGuard – ServerLock (Quiave)
               Does not address Application Logic Threats

    Total Application Shielding
•   Sanctum – AppShield
               Preventing misuse of the application
               and all its underlying components
  How to Shield an Application?

• Install an Application Firewall
    – A tool that stops Web level attacks from reaching the Web server,
      thereby protecting the Web server, its application layers and all the
      resources it uses.
    Requirements for an Application Firewall

•   Functions at the application level - ISO model layer 7
     –   Understands inbound and outbound requests
     –   Blocks invalid requests without terminating the entire user session

•   Designed to recognize & protect against application threats
     –   Signature & Non-signature attacks

•   Dynamic and Accurate
     –   Understands application logic (Web perversion)

•   Architects with the Application
     –   Compatible with Web Application technologies

•   Works in Real Time
     –   Addresses threats before they reach the server

•   Provides Application Level Forensics
     –   Logging & Alerting

•   Single Point of Administration
     –   One solution to protect all application components
  Some Variations on a Specific Application Layer Attack

• URL Forceful Browsing attempts on "samples/admin"
       •   Direct Request            "samples/admin"
       •   Delimiter Padding         "samples///admin"
       •   Absolute Pathing          "samples/./admin"
       •   URL Encoding              "%2fsamples/admin"
       •   Relative Pathing          "samples/fakedir/../admin"
       •   DOS Syntax                "samples\admin"
       •   Null Method               "GET%00/samples/admin"
       •   others …

     Security tools need to operate at Layer 7 to see the attacks,
     and need to understand the application logic to block the attacks
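The point of the slide is that every variant names the same resource, so a filter that compares raw strings sees seven different requests while the web server sees one. As an added example, not code from the deck or from AppShield, the Python below canonicalizes a request path (repeated percent-decoding, separator normalization, dot-segment resolution, NUL rejection) before comparing it against a protected prefix, and contrasts that with a naive string match. The protected prefix, the case-insensitive comparison and the helper names are assumptions for this example; the seven variants are the deck's own.

```python
from urllib.parse import unquote

# Constructed policy: paths that must never be reachable by a direct request.
PROTECTED_PREFIXES = ("/samples/admin",)

# The deck's variants of one forceful-browsing attempt, reused here as input.
DECK_VARIANTS = [
    "samples/admin",              # Direct Request
    "samples///admin",            # Delimiter Padding
    "samples/./admin",            # Absolute Pathing
    "%2fsamples/admin",           # URL Encoding
    "samples/fakedir/../admin",   # Relative Pathing
    "samples\\admin",             # DOS Syntax
    "GET%00/samples/admin",       # Null Method
]


def naive_blocked(raw_path: str) -> bool:
    """String-match rule of the kind a tool without application logic might apply."""
    return raw_path.strip("/") == "samples/admin"


def canonical_path(raw_path: str):
    """Reduce a request path to one canonical form before any policy decision.
    Returns None when the path cannot name a legitimate resource (a NUL byte, or an
    attempt to climb above the web root); callers treat None as invalid."""
    path = raw_path
    for _ in range(3):                      # decode until stable: defeats %252f double-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if "\x00" in path:                      # NUL never belongs in a path
        return None
    path = path.replace("\\", "/")          # DOS-style separators
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):                # empty (from '//' or a leading '/') and '.' add nothing
            continue
        if seg == "..":
            if not segments:
                return None                 # '..' past the root
            segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_blocked(raw_path: str) -> bool:
    """Policy check on the canonical form. Comparison is case-insensitive (assumption:
    the target server, e.g. IIS, serves paths case-insensitively); fail closed on None."""
    canon = canonical_path(raw_path)
    if canon is None:
        return True
    canon = canon.lower()
    return any(canon == p or canon.startswith(p + "/") for p in PROTECTED_PREFIXES)
```

Canonicalize once, then decide: the decision logic stays a single comparison, and every new encoding trick is handled by the canonicalizer rather than by another signature. The same canonical form is also what belongs in the access log, so a reviewer sees "/samples/admin" rather than seven spellings of it.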
 Comparison based on Application Needs & Application Firewall Criteria

    [Matrix comparing Authentication, Intrusion Detection, Access Control, Firewall,
    Encryption, Hardened OS and Application Firewalling against the application
    firewall criteria; cells marked Protected or Partial Protection]
Application Firewall Blocks Browser Attacks Missed by Other Tools

    [Diagram: HTTP/HTML attacks pass Intrusion Detection, Encryption, Access Control
    and the Hardened OS, then meet the Application Firewall in front of the Web Server.
    Legend: Application Exploit, Unblocked HTTP/HTML Attack, Blocked HTTP/HTML Attack]
Application Firewall Prevents Impurities from Being Exploited

    [Diagram: requests pass the Common Security Approaches and then the Application FW
    before the Web Server]
    Invalid HTTP/HTML Web Request → Application Impurity (Based on 10 types of Hacks),
                                    an Internal / External Illegal Target
    Valid HTTP/HTML Web Request   → Legal Application Data Target
Block Threats on Input Stream Protects Web Applications from Exploitation

    [Diagram of the layers, top to bottom: Data, Database, Backend Application,
    Frontend Application, User Interface Code, Web Server. Valid Input (HTML/HTTP)
    and Invalid Input (HTML/HTTP) both arrive at the Web Server.]

    Block Invalid Input at the Entry Point. This protects the Web Application.
    Sensitive Data and Resources remain safe even if exploits exist in the

  If threats can’t reach the holes and backdoors at each layer
                    then they can’t be exploited
    Post Script
    Web Worms & Application Firewalling

•   Web Worms are autonomous code that propagate themselves by
    seeking out Web servers and infecting them

•   Web Worms rely on specific exploits to enter a site
     – Ten Types of Web Hacks

•   Companies have spent Billions recovering from Web Worm damage

•   Some well known Web Worms
     –   SadMind – Solaris and IIS - (5/01)
     –   Code Red – IIS - (7/01)
     –   Code Red II – IIS - (8/01)
     –   Nimda – IIS - (9/01)
     –   Nimda A-E – (10/01)
     –   More are coming …
Code Red Stopped in its tracks from Infecting Web Server
Nimda Stopped in its tracks from Infecting Web Server
  Stop the Worms before they Stop You

• Web Worms automate the attacks that hackers use

• Web Worms spread at an astronomical rate

• Recovering from Web Worm damage costs time and money

• Stopping the infection stops the spreading

• Application Firewalling provides automatic default protection
   from Web Worms

• Anyone with a browser can launch application level attacks

• The complexity of a Web Application is what creates
   weaknesses in application security

• Common Security Tools Cannot Address Application Level

• Web Worms rely on Application vulnerabilities to enter a site

• Application Firewalling is the only solution to block Browser and
   Automated (worms) attacks against a Web Application
      Steve Pettit
     817- 416-1539
     Sanctum Inc.
2901 Tasman Dr. Ste 205
 Santa Clara, CA 95054
