
Closing the Door on Web Application Attacks
FISSEA 2004
Confidential and proprietary information ©2004, MagniFire Websystems Inc.
Today’s Session

- What are the risks?
- Why don’t traditional solutions work?
- What can be done?
Ensuring 100% protection

In Israel the government has an effective way to protect sensitive data from internet hackers…
However, Government Is Moving Online

[Bar chart: Unique Audience (2002), axis 0 to 14,000 (source: Nielsen NetRatings). Sites shown: U.S. National Archives & Records Administration, U.S. Central Intelligence Agency, FirstGov, U.S. Dept. of Energy, U.S. Dept. of Labor, U.S. Dept. of State, U.S. Executive Branch, U.S. Dept. of Education, U.S. National Aeronautics & Space Administration, U.S. Dept. of the Treasury.]
Web Servers and Web Applications: Prime Targets for Attacks

“64% of the 10 million security incidents SecurityFocus tracked the first week of Feb 2002 targeted port 80.” (Information Week magazine)

“Nearly 70% of all attacks in the first quarter of 2002 used port 80, a common port devoted to Web traffic.” (ISS Internet Risk Impact Summary Report for 2002)
What are the Risks?

- Access to user databases
  - Social Security Numbers (CA)
  - Police Records (MI)
- Financial loss as a result of fraud
- Theft of secure or sensitive information
Web Applications Are The Weakest Point

[Diagram: the Application and its DATA shown as the target of the port 80 attack traffic quoted above (Information Week magazine).]
Major Categories of Web Application Vulnerabilities

- Improper validation of user input by the Web application server side (relying on client-side validation):
  - Cookie Poisoning
  - Hidden Field Manipulation
  - Parameter Tampering
  - Stealth Commanding (e.g. SQL/OS Injection)
  - Cross-site Scripting
  - Application Buffer Overflow
  - URL & Unicode encoding
- Backdoors and debug options (left in the application)
- Poor Session Management, Access Control & Authentication
- Third Party Misconfiguration

Almost all Web applications are exposed: “From 45 applications, @stake found nearly 500 ‘significant’ security defects, with an average of at least 10 per assessment” (@stake study on Web application security)
Hidden Field Manipulation

- Modifying form fields, allowing damaging data to pass to the web application
- Example: Online Retail Store
  - Changing prices and stealing goods
  - Hidden field hacking in 3rd party shopping cart software

Hidden Field Manipulation - Example (five screenshot slides, not reproduced in the transcript)
Cookie Poisoning

- Modifying the cookie file, causing the return of unauthorized information or enabling performance of activity on behalf of another user
- Example: Online account administration
  - Impersonation

Cookie Poisoning - Example (five screenshot slides, not reproduced in the transcript)
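The two slides above share one root cause: the server trusts a value it handed to the browser (a hidden price field, a cookie naming the user) and reads it back unchecked. The following Python is an added example written for this transcript; it is not MagniFire or TrafficShield code. It shows the server-side fixes: a checkout that ignores the client's price and takes it from the catalogue, and a session cookie bound to a server secret with an HMAC so an edited cookie fails verification. CATALOG, SECRET and the cookie layout are constructed for the example.

```python
import hmac
import hashlib

# Constructed catalogue: the server-side source of truth for prices (in cents).
CATALOG = {"sku-100": 4999, "sku-200": 12500}

def checkout_vulnerable(form):
    """Trusts the hidden 'price' field that the browser posted back."""
    return int(form["price"]) * int(form["qty"])

def checkout_hardened(form):
    """Ignores any client-supplied price; price and quantity range come from the server."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty

# Cookie poisoning: a cookie that carries "user=alice" in the clear can be edited
# to "user=admin". Binding the cookie to a server-held secret with an HMAC makes
# any edit detectable. SECRET is a constructed value; a real deployment loads it
# from protected configuration, never from source.
SECRET = b"constructed-demo-key-do-not-use"

def _tag(payload: str) -> str:
    return hmac.new(SECRET, payload.encode("utf-8"), hashlib.sha256).hexdigest()

def issue_session_cookie(user_id: str, now: int, ttl_seconds: int = 3600) -> str:
    """Return 'user|expiry|tag'. The caller passes the current time as int(time.time())."""
    if "|" in user_id:                       # '|' is the field separator
        raise ValueError("invalid user id")
    payload = f"{user_id}|{now + ttl_seconds}"
    return f"{payload}|{_tag(payload)}"

def read_session_cookie(cookie: str, now: int):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user_id, expiry, tag = parts
    # Verify the MAC before interpreting any field, using a constant-time compare.
    if not hmac.compare_digest(tag, _tag(f"{user_id}|{expiry}")):
        return None                          # poisoned or corrupted cookie
    if int(expiry) < now:
        return None
    return user_id
```

An opaque random session identifier looked up in server-side storage is the other common fix; the signed form shown here is the one that needs no session store.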
Buffer Overflow

- Sending too much data in a request to the application, attacking either 3rd party or internally developed code

Buffer Overflow - Example (three screenshot slides, not reproduced in the transcript)
Cross Site Scripting

- Inserting scripting languages into text fields to be displayed to other users
- Example: Add an Item section of a Web site
  - Site defacement
  - Changing field parameters

Cross Site Scripting - Example (five screenshot slides, not reproduced in the transcript)
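The "Add an Item" scenario above is a stored cross-site scripting case: text one user submits is rendered into pages other users view. The Python below is an added example for this transcript, not the presenter's code; it contrasts a rendering function that interpolates the submitted title directly with one that escapes it at output time, and adds an allow-list check for a "field parameter" such as a sort order. The item-list markup, ALLOWED_SORT and the sample input are constructed.

```python
import html
import re

def render_item_vulnerable(title: str) -> str:
    # The item title a user typed is interpolated straight into the page, so it
    # is parsed as markup by every later viewer of the item list.
    return f'<li class="item">{title}</li>'

def render_item_safe(title: str) -> str:
    # html.escape turns <, >, &, " and ' into entities, so the title is displayed
    # as text no matter what it contains. Escape at output time, for the context
    # (here: element text) the value is inserted into.
    return f'<li class="item">{html.escape(title)}</li>'

def render_link_safe(text: str, title_attr: str) -> str:
    # Attribute context: a value inside a quoted attribute also needs the quote
    # characters escaped; html.escape does that by default (quote=True).
    return f'<a href="/item" title="{html.escape(title_attr)}">{html.escape(text)}</a>'

# Positive-logic check for a field parameter such as a sort order: accept only
# the values the page defines and never echo the raw input back.
ALLOWED_SORT = {"price", "name", "date"}

def validated_sort(value: str) -> str:
    if value not in ALLOWED_SORT:
        raise ValueError("invalid sort parameter")
    return value

SCRIPT_TAG = re.compile(r"<script\b", re.I)

def contains_script_tag(rendered: str) -> bool:
    """Check used on rendered output: is a live script element still present?"""
    return SCRIPT_TAG.search(rendered) is not None

if __name__ == "__main__":
    posted = "<script>document.title='defaced'</script>"   # constructed sample input
    print(render_item_vulnerable(posted))
    print(render_item_safe(posted))
```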
Known Vulnerabilities & Misconfiguration

- Exploiting configuration errors in 3rd party components, such as web and database servers
- Newdsn.exe can be used by an attacker to create files anywhere on your disk if they have the correct NTFS file permissions to do so. Newdsn.exe can also be used to overwrite the DSNs of existing on-line databases, making the information contained in the database inaccessible. This file, getdrvrs.exe, dsnform.exe and mkilog.exe should be deleted.

Known Vulnerabilities & Misconfiguration (two further screenshot slides, not reproduced in the transcript)
Parameter Tampering

- Modifying the parameters passed as part of the URL
- Example: Online Auction Site
  - User account access
  - Forbidden SQL query via wrong parameters

Parameter Tampering - Example (two screenshot slides, not reproduced in the transcript)
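Both auction-site outcomes above (reaching another user's account, and a forbidden SQL query) come from a URL parameter that the application neither validates nor ties to the logged-in user. The Python below is an added example for this transcript, not the presenter's code. It uses an in-memory SQLite table constructed for the example and shows the vulnerable handler beside the hardened one, which type-checks the parameter, binds it as a query parameter, and requires that the row belong to the session user.

```python
import sqlite3

def build_demo_db():
    """Constructed in-memory accounts table standing in for the auction site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 500), (2, "bob", 1200), (3, "carol", 30)])
    conn.commit()
    return conn

def account_vulnerable(conn, account_param: str):
    """The URL parameter is pasted into the SQL text and never tied to the logged-in user."""
    sql = f"SELECT id, owner, balance FROM accounts WHERE id = {account_param}"
    return conn.execute(sql).fetchall()

def account_hardened(conn, session_user: str, account_param: str):
    """Validate the parameter type, bind it as a query parameter, and require ownership."""
    if not account_param.isdigit():
        raise ValueError("account id must be a positive integer")
    row = conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE id = ? AND owner = ?",
        (int(account_param), session_user),
    ).fetchone()
    if row is None:
        # Same response for "no such account" and "not yours": no enumeration signal.
        raise PermissionError("account not found for this user")
    return row
```

The ownership clause is the part a query-parameter fix alone does not give you: a well-formed but foreign account id is still rejected, which is the "user account access" case on the slide.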
Forceful Browsing

- Jumping directly to pages that can normally only be accessed through authentication mechanisms
- Example: Auction Web Site
  - Breaching users’ privacy
  - Direct file access

Forceful Browsing - Example (three screenshot slides, not reproduced in the transcript)
Reasons for Web Application Vulnerabilities

- Applications were written according to client-server security standards (rely on client-side validation)
- The complexity of platforms and environments makes secure coding very difficult
- Web developers focus on functionality and performance, not on security
- Web developers are not trained in secure programming
- Bugs in Web infrastructure (OS and Web platforms) and Web applications
- Web sites are changed/updated frequently

The threat is exacerbated by the availability of:

- Web application client-side source code (hackers gain information for planning attacks)
- Widely available, free, easy-to-use hacking tools
Existing Security Solutions are Inadequate
Traditional Security Solutions Don’t Protect Web Applications

Current solutions are not enough (CSI & FBI 2002):

- 89% of respondents have a firewall
- 60% of respondents used at least one Intrusion Detection System

However:

- 40% reported system penetration from the outside
- 40% reported DoS attacks

Firewalls: “Firewalls offer little protection at the application layer because ports within the firewall have to be left open for communication” (IDC 2002)

Network IDS: “Intrusion detection systems are a market failure, and vendors are now hyping intrusion prevention systems, which have also stalled. Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as antivirus activities.” (Gartner, 2003)
Fundamental Problem with IPS/IDS: ‘Negative Security Logic’

How It Works: Let everything through except what can be identified as malicious traffic (based on attack signatures & traffic characteristics)

Problems:

- Protects only against known attacks (signature and/or characteristics are known and defined)
- Requires constant updating of the attack signature and/or characteristics database
- Doesn’t protect against “Zero Day” attacks
- Doesn’t protect against attacks based on illegal user input:
  - Cookie Poisoning and Hidden-Field Manipulation
  - Parameter (Form-Field) Tampering
  - Forceful Browsing
  - Backdoors and debug-option exploitation
Traditional Security Solutions Don’t Protect Web Applications

Attack                              TrafficShield   FW        NIPS      HIPS
Known Web Worms                     Yes             Limited   Yes       Yes
Unknown Web Worms                   Yes             No        Limited   Partial
Known Web Vulnerabilities           Yes             Limited   Partial   Yes
Unknown Web Vulnerabilities         Yes             No        Limited   Partial
Illegal Access to Web-server files  Yes             Limited   No        Yes
Forceful Browsing                   Yes             No        No        No
File/Directory Enumerations         Yes             No        Limited   No
Brute Force attacks                 Yes             No        No        No
Buffer Overflow                     Yes             Limited   Limited   Partial
Cross-Site Scripting                Yes             Limited   Limited   No
SQL/OS Injection                    Yes             No        No        Partial
Cookie Poisoning                    Yes             No        No        No
Hidden-Field Manipulation           Yes             No        No        Yes
Parameter Tampering                 Yes             No        No        No
Flood attacks (GET, 404)            Yes             Limited   Limited   No
SSL Flooding                        Yes             No        Limited   No
Current Application-Layer Approaches: Scan-and-Fix

Scanning HTML code for known breaches and then rewriting it is ineffective and costly compared to installing an application firewall.

- Time-consuming, due to the high rate of false positives that must be evaluated
- Ineffective, since it does not find all vulnerabilities, thereby requiring additional techniques (e.g. manual code review) in order to ensure protection
- Requires code rewrites, which are very expensive in terms of both time and resources
- Slows down product development, since every change in the application requires a new “scan & fix” iteration
- Useless for 3rd party web applications, since they can’t be altered
- Defenseless against new threats, since it only looks for known vulnerabilities
The Solution: Granular & Tailored Application-Specific Security
Solution Criteria

Web Application Firewall Using Positive Security Logic

1. Model application extremely accurately
2. Auto configuration / customization around app
3. No false positives or false negatives
4. Minimal ongoing policy management
5. No latency introduced (<1 ms)
Model the Application Flow

[Diagram: the Web Application is mapped into a Flow Model; a CHANGE USER ID request is shown being blocked.]

Actions not known to be legal can now be blocked:

- wrong page order
- invalid parameter
- invalid value
- etc.
The Application Flow Model

The Application Flow Model is an accurate representation of the designed interaction between the user and the Web application.

A legal user will request:

- Links existing in the Web page currently browsed, OR
- Web pages which are entry points to the app

Thus, a legal request to a Web page should always have two characteristics:

- It should come from a link embedded in the original page browsed by the user*
- It should comply with the request definition in the Web page the user is currently browsing, defining:
  - Request method
  - Request parameters
  - Request parameter values

* Unless the page requested is the entry point to the Web application.
The Application Flow Model

The Application Flow Model is the only way to provide total security in front of Web applications (the only way to replace embedded security code).

- Stateful - Tracks which pages a user is coming from, and the specific permissions associated with that context. A request which is perfectly legal within the context of one page might be inappropriate for a user on another page.
- Bidirectional - Looks at server responses to the client as well as client requests to the server. Essential to verify that the user hasn’t attempted to tamper with the credentials sent to him in his response.
- Granular - Complete logical rendering of the transitions between every page, including every object, every parameter of each object, and every legal value within each object parameter.
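The two Application Flow Model slides, together with the earlier Forceful Browsing and "Negative Security Logic" slides, describe an enforcement point that allows a request only if it is an entry point or a link defined on the page the user is currently on, with the defined method, parameter set and parameter values, and that remembers what the server embedded in its last response. The Python below is an added example for this transcript, not TrafficShield code or its policy format. FLOW_MODEL is a constructed model of a small auction site; `observe_response` is the server-to-client direction, `check_request` the client-to-server direction, and `negative_logic_check` is a signature filter included for contrast with the IDS/IPS slide.

```python
import re

# Constructed flow model (format is an assumption for this example). For each page
# the user may be browsing, it lists the requests that page lets them make next.
FLOW_MODEL = {
    "entry_points": {"/"},
    "pages": {
        "/": {
            "/login":  {"methods": {"GET"}, "params": {}},
            "/search": {"methods": {"GET"}, "params": {"q": r"[\w ]{1,40}"}},
        },
        "/login": {
            "/account": {"methods": {"POST"},
                         "params": {"user": r"[a-z0-9_]{1,32}", "pass": r".{1,128}"}},
        },
        "/account": {
            # 'item' is embedded by the server in the page; the client must echo it unchanged.
            "/bid": {"methods": {"POST"},
                     "params": {"item": r"\d{1,8}", "amount": r"\d{1,6}"},
                     "dynamic": {"item"}},
        },
        "/search": {"/": {"methods": {"GET"}, "params": {}}},
        "/bid": {"/account": {"methods": {"GET"}, "params": {}}},
    },
}

class Session:
    """Per-user state tracked by the enforcement point (stateful)."""
    def __init__(self):
        self.page = None      # page the user is currently browsing
        self.dynamic = {}     # server-supplied values embedded in the last response

def observe_response(session, page, embedded=None):
    """Server-to-client direction (bidirectional): record the page served and the values it embedded."""
    session.page = page
    session.dynamic = dict(embedded or {})

def check_request(session, method, path, params):
    """Client-to-server direction: allow only what the model defines. Returns (allowed, reason)."""
    if path in FLOW_MODEL["entry_points"]:
        return True, "entry point"
    if session.page is None:
        return False, "forceful browsing: no page context and not an entry point"
    link = FLOW_MODEL["pages"].get(session.page, {}).get(path)   # dict lookups only
    if link is None:
        return False, f"wrong page order: {path} is not linked from {session.page}"
    if method not in link["methods"]:
        return False, f"method {method} not defined for {path}"
    if set(params) != set(link["params"]):
        return False, "invalid parameter set"
    for name, value in params.items():
        if not re.fullmatch(link["params"][name], value):
            return False, f"invalid value for {name}"
        if name in link.get("dynamic", ()) and value != session.dynamic.get(name):
            return False, f"server-supplied value for {name} was tampered with"
    return True, "ok"

# Negative security logic, for contrast: a signature filter lets through anything
# that does not resemble a known attack pattern, including a changed item id.
SIGNATURES = [re.compile(p, re.I) for p in (r"<script", r"union\s+select", r"\.\./")]

def negative_logic_check(params):
    """True if no signature matches any value, i.e. the request would be let through."""
    return not any(s.search(v) for v in params.values() for s in SIGNATURES)
```

The enforcement path is a handful of dictionary and set lookups plus one anchored regular expression per parameter, which is the shape the "Low Latency" slide later describes as translating policy enforcement into hash searches. A changed item id looks like ordinary traffic to the signature filter but is rejected by the model because the value no longer matches what the server sent.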
Hybrid Policy Generator: Creating the Application Flow Model

- Automatic analysis of Web page content.
  - Purpose-built crawler
  - Complete analysis of the Web page content, including active code such as JavaScript
  - ‘Learns’ all details of the interaction between the user and the Web application.
- Iterative policy adjustment.
  - Examines how users interact with the application over time, based on real-life traffic.
  - Recommends adjustments to the current policy, based on on-line analysis of the rejected traffic.
Hybrid Policy Generator

Hybrid policy generation combines crawler-based application modeling with adjustments based on real-life request analysis.

- Request-based learning is very useful to detect missing elements in the policy
- Response-based learning is limited in its analysis to avoid significant latency

Approach                  Model User Flow   Static Parameters   ActiveCode Analysis   Dynamic Parameters   Accurate Security Policy
Crawler based Learning    Yes               Yes                 Yes                   No                   No
Request based Learning    No                Limited             No                    No                   No
Response based Learning   Partial           Yes                 No                    Yes                  No
Hybrid                    Yes               Yes                 Yes                   Yes                  Yes
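The two Hybrid Policy Generator slides describe a crawler that derives a page's legal requests from its content and a request-based learning step that proposes policy additions from rejected traffic. The Python below is an added example for this transcript, not MagniFire's crawler. It covers static HTML only (the slide's JavaScript analysis is out of scope here), marks hidden form fields as candidates for response-based learning because their legal value is only known per response, and suggests parameters that recur in rejected requests. SAMPLE_PAGE and REJECTED_LOG are constructed.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

class PolicyCrawler(HTMLParser):
    """Collects, from one page, every request the page lets a user make next."""

    def __init__(self):
        super().__init__()
        self.links = {}      # target path -> {"methods": set, "params": {name: kind}}
        self._form = None    # definition of the <form> currently being parsed

    def _entry(self, path):
        return self.links.setdefault(path, {"methods": set(), "params": {}})

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            url = urlsplit(a["href"])
            if url.scheme or url.netloc:
                return                                   # off-site link: not part of this app
            entry = self._entry(url.path)
            entry["methods"].add("GET")
            for name, _value in parse_qsl(url.query):
                entry["params"][name] = "static"         # name and value visible in the page
        elif tag == "form" and a.get("action"):
            self._form = self._entry(urlsplit(a["action"]).path)
            self._form["methods"].add(a.get("method", "get").upper())
        elif tag == "input" and self._form is not None and a.get("name"):
            # Hidden fields carry server-chosen values: the crawler learns the name,
            # the legal value must come from response-based (dynamic) learning.
            kind = "hidden" if a.get("type", "text").lower() == "hidden" else "user"
            self._form["params"][a["name"]] = kind

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def build_page_policy(page_html: str) -> dict:
    crawler = PolicyCrawler()
    crawler.feed(page_html)
    crawler.close()
    return crawler.links

def suggest_adjustments(policy: dict, rejected: list, min_count: int = 3) -> list:
    """Request-based learning: a parameter that keeps appearing in rejected requests
    to a known target is a candidate for adding to the policy; one-offs are not."""
    counts = Counter()
    for req in rejected:
        known = policy.get(req["path"])
        if known is None:
            continue
        for name in req["params"]:
            if name not in known["params"]:
                counts[(req["path"], name)] += 1
    return sorted(key for key, n in counts.items() if n >= min_count)

SAMPLE_PAGE = """<html><body>
<a href="/search?q=laptop&amp;sort=price">Search</a>
<a href="https://example.org/partner">Partner site</a>
<form action="/bid" method="post">
  <input type="hidden" name="item" value="42">
  <input type="text" name="amount">
  <input type="submit" value="Place bid">
</form>
</body></html>"""

REJECTED_LOG = [   # constructed: requests the enforcement point rejected as not in policy
    {"path": "/search", "params": {"q": "tv", "page": "2"}},
    {"path": "/search", "params": {"q": "phone", "page": "3"}},
    {"path": "/search", "params": {"q": "desk", "page": "1"}},
    {"path": "/search", "params": {"q": "lamp", "debug": "1"}},
]
```

The threshold in `suggest_adjustments` is what keeps the learning step a recommendation rather than an automatic relaxation: the recurring `page` parameter is surfaced for an operator to accept, the single `debug` probe is not.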
No False Positives, No False Negatives

Constraints that prevent vulnerabilities in certain cases can cause “False Positives” in other cases. A low-granularity policy means either false positives OR low security (false negatives) due to a relaxed policy.

The solution: a Granular Security Policy that is accurately adjusted to the protected Web application:

- Constraints are adjusted to the Web-application Flow Model (no need to relax security constraints)
- Policy enforcement takes into account user state
- No False Positives (constraints are not used when they are not applicable)
Low Latency

- Security policy enforcement is translated into hash searches
- Hardened Linux appliance
  - Eases deployment
  - Eliminates misconfiguration
  - Optimized performance and throughput
- Scalable architecture - Shield units can be added to handle larger traffic volumes
- Automatic recovery from unit failure, based on the fact that units are identical and can switch roles
- Central and secure management
Solution Criteria

1. Model application extremely accurately
2. Auto configuration / customization around app
3. No false positives or false negatives
4. Minimal ongoing policy management
5. No latency introduced (<1 ms)

Solution:

- Crawling & full analysis of web pages
- Adjustments based on real-life traffic
- ‘Learning Mode’ automatically recommends policy adjustments based on customer activity
- Any non-recognized activity is blocked
- Automated mapping & policy suggestions
- Appliance: fits into web infrastructure
- Automatic detection of website changes and suggestions for newly-tailored policy
- Network appliance with modified OS for high throughput
Thank You!