Closing the Door on Web Application Attacks FISSEA 2004 Confidential and proprietary information...

Closing the Door on Web Application Attacks

FISSEA 2004

Today’s Session

What are the risks?

Why don’t traditional solutions work?

What can be done?

Ensuring 100% protection

In Israel the government has an effective way to protect sensitive data from internet hackers…

However, Government Is Moving Online

0 2,000 4,000 6,000 8,000 10,000 12,000 14,000

U.S. Dept. of the Treasury

U.S. National Aeronautics & Space Administration

U.S. Dept. of Education

U.S. Executive Branch

U.S. Dept. of State

U.S. Dept. of Labor

U.S. Dept. of Energy

FirstGov

U.S. Central Intelligence Agency

U.S. National Archives & Records Administration

Unique Audience (2002) (Source: Nielson NetRatings)

Web Servers and Web Applications:Prime Targets for Attacks

“64% of the 10 million security incidents Security Focus tracked the first week of Feb 2002, targeted port 80.”(Information Week magazine)

“Nearly 70% of all attacks in the first quarter of 2002 used port 80, a common port devoted to Web traffic.”(ISS Internet Risk Impact Summary Report for 2002)

What are the Risks ?

Access to user databases Social Security Numbers (CA) Police Records (MI)

Financial loss as a result of fraud

Theft of secure or sensitive information

Web Applications Are The Weakest Point

System Network

Access

Net IDS

Host IDS & Secure OS

Firewall

Antivir

icatio

“64% of the 10 million security incidents tracked targeted port 80.”

(Information Week magazine)

Major Categories of Web Application Vulnerabilities

Almost all Web applications are

exposed“From 45 applications, @stake found nearly 500 ‘significant’ security defects, with an average of at least 10 per assessment”(@Stake Study on Web application security)

Improper validation of user input by the Web application server side (relying on client side validation):

Cookie Poisoning Hidden Field Manipulation Parameter Tampering Stealth Commanding (e.g. SQL/OS Injection) Cross-site Scripting Application Buffer Overflow URL & Unicode encoding

Backdoors and Debugs option (left in the application)

Poor Session Management, Access Control & Authentication

Third Party Misconfiguration

– Modifying form fields allowing damaging data to pass to the web application

– Example: Online Retail Store Changing prices and stealing goods Hidden field hacking in 3rd party shopping cart software

Hidden Field Manipulation

Hidden Field Manipulation - Example

Cookie Poisoning

–Modifying the cookie file causing the return of unauthorized information or enabling performance of activity on behalf of another user

–Example: Online account administration– Impersonation

Cookie Poisoning - Example

Buffer Overflow

–Sending too much data in a request to the application, attacking either 3rd party or internally developed code

Buffer Overflow - Example

Cross Site Scripting

– Inserting scripting languages into text fields to be displayed to other users

– Example: Add an Item Section of Web SiteSite defacement

Changing field parameters

Cross Site Scripting - Example

Known Vulnerabilities & Misconfiguration

– Exploiting configuration errors in 3rd party components, such as web and database servers

– Newdsn.exe can be used by an attacker to create files anywhere on your disk if they have the NTFS correct file permissions to do so. Newdsn.exe can also be used to overwrite the DSNs on existing on-line databases making the information contained in the database inaccessible. This file, getdrvrs.exe, dsnform.exe and mkilog.exe should be deleted.

Parameter Tampering

– Modify the parameters being passed as part of the URL

– Example: Online Auction SiteUser Account Access

Forbidden SQL Query via wrong parameters

Parameter Tampering - Example

Forceful Browsing

– Jumping directly to pages that can normally only be accessed through authentication mechanisms

– Example: Auction Web SiteBreaching users’ privacy

Direct file access

Forceful Browsing - Example

Reasons for Web Application Vulnerabilities Applications were written according to client-server security

standards (rely on client-side validation)

The complexity of platforms and environments makes secure coding very difficult

Web developers focus on functionality and performance, not on security

Web developers are not trained for secure programming

Bugs in Web infrastructure (OS and Web platforms) and Web applications

Web sites are changed/updated frequently

Threat is exacerbated by the availability of: Web application client-side source code (hackers gain information

for planning attacks) Widely available, free, easy to use hacking tools

Existing Security Solutions are Existing Security Solutions are InadequateInadequate

Traditional Security Solutions Don’t Protect Web Applications

Current solutions are not enough (CSI & FBI 2002):89% of respondents have a firewall60% of respondents used at least one Intrusion Detection SystemHowever: 40% reported system penetration from the outside 40% reported DoS attacks

Firewalls: “Firewalls offer little protection at the application layer because ports within the firewall have to be left open for communication” (IDC 2002)

Network IDS:

“Intrusion detection systems are a market failure, and vendors are now hyping intrusion prevention systems, which have also stalled. Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well

as antivirus activities." (Gartner, 2003)

Fundamental Problem with IPS/IDS: ‘Negative Security Logic’

How It Works: Let everything through except what can be identified as malicious traffic (based on attack signatures & traffic characteristics)

Problems Protects only against known attacks

(signature and/or characteristics are known and defined) Requires constant updating of attack signatures and / or

characteristics database Doesn’t protect against “Zero Day” attacks Doesn’t protect against attacks based on illegal user input:

Cookie Poisoning and Hidden-Field Manipulation Parameter (Form-Field) Tampering Forceful Browsing Backdoors and debug-option exploitation

TrafficShield FW NIPS HIPS

Known Web Worms Yes Limited Yes YesUnknown Web Worms Yes No Limited PartialKnown Web Vulnerabilities Yes Limited Partial YesUnknown Web Vulnerabilities Yes No Limited PartialIllegal Access to Web-server files Yes Limited No YesForceful Browsing Yes No No NoFile/Directory Enumerations Yes No Limited NoBrute Force attacks Yes No No NoBuffer Overflow Yes Limited Limited PartialCross-Site Scripting Yes Limited Limited NoSQL/OS Injection Yes No No PartialCookie Poisoning Yes No No NoHidden-Field Manipulation Yes No No YesParameter Tampering Yes No No NoFlood attacks (GET, 404) Yes Limited Limited NoSSL Flooding Yes No Limited No

Traditional Security Solutions Don’t Protect Web Applications

Current Application-Layer Approaches

Scanning HTML code for known breaches and then rewriting it is ineffective and costly compared to installing an application firewall.

Time-Consuming due to high rate of false positives that must be evaluated.

Ineffective since it does not find all vulnerabilities, thereby requiring additional techniques (e.g. manual code review) in order to ensure protection.

Requires Code Rewrites which are very expensive in terms of both time and resources

Slows Down Product Development since every change in the application requires new “scan & fix” iteration

Useless for 3rd party web applications since they can’t be altered

Defenseless against new threats, since it only looks for known vulnerabilities

Scan-and-Fix

The Solution: The Solution: Granular & Tailored Granular & Tailored

Application-Specific SecurityApplication-Specific Security

Solution Criteria Web Application Firewall Using Positive Security Logic

Model application extremely accurately

Auto configuration / customization around app

No false positives or false negatives

Minimal ongoing policy management

No latency introduced (<1 ms)

Web Application

Model the Application Flow

Application Flow Application Flow Model

CHANGEUSER ID

Actions not known to be legal can now be blocked.

- wrong page order

- invalid parameter

- invalid value

- etc.

The Application Flow Model

Legal user will request: Links existing in the Web page currently browsed

OR Web pages which are entry points to the app

Thus, a legal request to a Web page should always have two characteristics:

It should come from a link embedded in the original page browsed by the user*

It should comply with the request definition in the Web page the user is currently browsing, defining:

Request method Request parameters Request parameters values

Application Flow Model

An accurate representation of

the designed interaction

between the user and the Web application

* Unless the page requested is the entry point to the Web application.

The Application Flow Model

Stateful - Tracks which pages a user is coming from, and the specific permissions associated with that context.

A request which is perfectly legal within the context of one page might be inappropriate for a user on another page

Bidirectional - Looks at server responses to the client as well as client requests to the server.

Essential to verify that the user hasn’t attempted to tamper with the credentials sent to him in his response

Granular – Complete logical rendering of the transitions between every page, including every object, every parameter of each object, and every legal value within each object parameter.

Application Flow Model

The only way to provide total

security in front of Web applications (the only way to

replace embedded security code)

Hybrid Policy Generator:Creating the Application Flow Model

• Automatic analysis of Web page content.

Purpose-built crawler Complete analysis of the Web page content, including active code such as

JavaScript, ‘Learns’ all details of the interaction between the user and the Web

application.

• Iterative policy adjustment.

Examines how users interact with application over time, based on real-life traffic.

Recommends adjustments to the current policy, based on the on-line analysis on the rejected traffic.

Model User Flow

Static Parameters

Active-Code Analysis

Dynamic Parameters

Accurate Security Policy

Crawler based Learning

Yes Yes Yes No No

Request based Learning

No Limited No No No

Response based Learning

Partial Yes No Yes No

Hybrid Approach

Yes Yes Yes Yes Yes

Hybrid policy generation combines crawler-based application modeling with adjustments based on real-life request analysis– Request based learning is very useful to detect missing elements in policy

– Response based learning is limited in its analysis to avoid significant latency

Hybrid Policy Generator

No False Positives, No False Negatives

Constraints that prevent vulnerabilities in certain cases can cause “False Positives” in other cases

Low granular policy means

Either false positives

OR low security (false negatives) due to relaxed policy The solution: Granular Security Policy that is accurately adjusted to the

protected Web-application Constraints are adjusted to Web-application Flow Model (no need to

relax security constraints) Policy enforcement takes into account user state No False Positives (constraints are not used when they are not

applicable)

Low Latency

Security Policy enforcement is translated into hash searches

Hardened Linux Appliance Ease deployment Eliminates misconfiguration Optimized performance and throughput

Scalable Architecture - Shield units can be added to handle larger traffic volumes

Automatic recovery from unit failure based on the fact that units are identical and can switch roles

Central and secure management

Solution Criteria Solution

Model application extremely accurately

Auto configuration / customization around app

No false positives or false negatives

Minimal ongoing policy management

No latency introduced (<1 ms)

• Crawling & full analysis of web pages• Adjustments based on real-life traffic

• ‘Learning Mode’ automatically recommends policy adjustments based on customer activity

• Any non-recognized activity is blocked

• Automated mapping & policy suggestions• Appliance: fits into web infrastructure

• Automatic detection of website changes and suggestions for newly-tailored policy

• Network appliance with modified OS for high throughput

Thank You!

Closing the Door on Web Application Attacks FISSEA 2004 Confidential and proprietary information...

Documents

Circus Incidents - Attacks, Abuse and Property …...Circus Incidents Attacks, Abuse and Property Damage The Humane Society of the United States Revised June 2004 May 31, 2004 San

Moral and Ethical Awareness Education Security Training Issues FISSEA 2004 Dr Christopher V. Feudo Director, Security and Privacy Professional Services

Practical Awareness Program - NIST€¦ · Title: FISSEA 2015 Conference, March 24-25 - Practical Awareness Program Presentation Keywords: FISSEA 2015 Conference, March 24-25 - Practical

Good Morning, FISSEA - CSRC · PDF fileGood Morning, FISSEA . From: allstaff@nist.gov [mailto:allstaff@nist.gov] On Behalf Of Broadcast, DOC Sent: Wednesday, March 13, 2013 11:01 AM

Storytelling as an Interactive Learning Medium...FISSEA Conference 2010 Presentation - Storytelling as an Interactive Learning Medium Author: 521880 Keywords: FISSEA Conference 2010

Preparing Solution Brief: for future attacks · PDF filefor future attacks ... PD ISO/IEC TR 18044:2004 Information technology ... BS ISO/IEC 27031:2011 Information technology –

Terrorism Strikes Russia Attacks from August 24 to September 3, 2004

Cyber-Terrorism & Security New Definitions For New Realities Dan Verton Vice President & Executive Editor FISSEA March 2005

A Collection of Terrorist Attacks, Jan-2004 to Jan-2005 by CPACT

Coyote Attacks on Humans in the United States and Canada · coyote attacks on people has increased in recent years (Baker & Timm, 1998; Timm, Baker, Bennett, & Coolahan, 2004). Although

FISSEA 2014 Conference Presentation - Garbo, D-Day · PDF fileDusko Popov Tricycle Ivan ... FISSEA 2014 Conference Presentation - Garbo, D-Day and Ultimate Social Engineering by John

Attacks Attacks AND Attacks!

Blast injuries from Madrid terrorist bombing attacks on March 11, 2004

Network Security Part II: Attacks Network Security Part II: Attacks Web Attacks

Security Awareness on a Budget - NIST...Library of Congress. jgarr@loc.gov. 202-707-5515. Title: FISSEA Conference 2011 Presentation - Security Awareness on a Budget Keywords: FISSEA

Using the Webinar as a Substitute for In-Class Security Training FISSEA 2004 March 11, 2004 E. Jane Powanda

University of Maryland University College (UMUC) 3/11/2004 POA&M and FISMA What does it really mean? FISSEA Annual Conference

©2009 Carnegie Mellon University : 1 Leveraging Human Factors for Effective Security Training FISSEA 2012 Jason Hong jasonh@cs.cmu.edu

FISSEA Conference 2010 Presentation - Using a Risk-Based ... · FISSEA Conference 2010 Presentation - Using a Risk-Based Approach to Align Security Architecture with the Business

FISSEA Security Awareness, Training, & Education …...FISSEA Security Awareness, Training, & Education Contest Entry Form Please review rules before completing entry form including