QualysGuard WAS Guide


  • 8/3/2019 QualysGuard Was Guide

    1/8

Table of Contents

I. Summary (page 2)
II. Primer on Web App Security (page 2)
III. Types of Web App Vulnerabilities (page 3)
IV. Detecting Web App Vulnerabilities (page 5)
V. QualysGuard WAS Automates Detection of Vulnerabilities (page 6)
VI. Protect Your Web Applications (page 7)
VII. About Qualys (page 8)

guide:

Web Application Security

How to Minimize Prevalent Risks of Attack


Web Application Security: How to Minimize Prevalent Risks of Attack (page 2)

Summary

Vulnerabilities in web applications are now the largest vector of enterprise security attacks. Last year, almost 55% of vulnerability disclosures affected web applications.1 At year end, 74% of web application vulnerabilities had no available patch or remediation, according to that report. Stories about exploits that compromise sensitive data frequently mention culprits such as cross-site scripting, SQL injection, and buffer overflow. Vulnerabilities like these often fall outside the traditional expertise of network security managers. The relative obscurity of web application vulnerabilities thus makes them useful for attacks. As many organizations have discovered, these attacks will evade traditional enterprise network defenses unless you take new precautions. To help you understand how to minimize these risks, Qualys provides this guide as a primer to web application security. The guide surveys typical web application vulnerabilities, compares options for detection, and introduces the QualysGuard Web Application Scanning solution, a new on demand service from Qualys that automates detection of the most prevalent vulnerabilities in custom web applications.

Primer on Web Application Security

Attacks on vulnerabilities in web applications began appearing almost from the beginning of the World Wide Web, in the mid-1990s. Attacks are usually based on fault injection, which exploits vulnerabilities in a web application's syntax and semantics. Using a standard browser and basic knowledge of HTTP and HTML, an attacker attempts a particular exploit by automatically varying a Uniform Resource Identifier (URI), which in turn could trigger an exploit such as SQL injection or cross-site scripting:

http://example/foo.cgi?a=1 (baseline request)
http://example/foo.cgi?a=1' <- SQL injection probe (a stray quote breaks the query's syntax)
http://example/foo.cgi?a=<script>alert(1)</script> <- cross-site scripting (XSS)

Some attacks attempt to alter the logical workflow instead. Attackers also execute these by automatically varying a URI:

http://example/foo.cgi?admin=false
http://example/foo.cgi?admin=true <- increase privileges

A significant number of attacks exploit vulnerabilities in syntax and semantics. You can discover many of these vulnerabilities with an automated scanning tool. Logical vulnerabilities are very difficult to test with a scanning tool; they require manual inspection of the web application, that is, source code analysis and security testing. Web application security vulnerabilities usually stem from programming errors in a web application programming language (e.g., Java, .NET, PHP, Python, Perl, and Ruby), a code library, a design pattern, or an architecture.

1 IBM ISS X-Force 2008 Trend & Risk Report, http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf


These vulnerabilities can be complex and may occur under many circumstances. Using a web application firewall might control the effects of some exploits but will not resolve the underlying vulnerabilities in the application code.
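The URI-variation approach the primer describes can be written down as a small scanner. The following Python is an added example, not code from the Qualys guide or from the WAS service: it takes a baseline URI, produces one variant per query parameter (a stray quote for SQL injection, a marker string for XSS, a true/false flip for the privilege case) and classifies each response against the baseline. The `foo.cgi` handlers, the in-memory SQLite table and the probe payloads are constructed for the example; a deliberately vulnerable handler and a hardened one stand in for the network so the script runs offline, and the hardened one shows what actually closes each finding (a parameterized query, output escaping, and a role taken from the server-side session rather than the query string).

```python
import html
import sqlite3
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed target data: stands in for the database behind the page's foo.cgi.
_db = sqlite3.connect(":memory:")
_db.executescript(
    "CREATE TABLE items(id TEXT, name TEXT);"
    "INSERT INTO items VALUES ('1', 'public widget'), ('2', 'other widget');"
)


def foo_cgi_vulnerable(query):
    """Hypothetical handler with the three flaws the primer's URIs probe for."""
    a = query.get("a", "")
    try:
        # SQL injection: the parameter is spliced into the statement text.
        rows = _db.execute(f"SELECT name FROM items WHERE id = '{a}'").fetchall()
    except sqlite3.Error as exc:
        return 500, f"<h1>Database error</h1><pre>{html.escape(str(exc))}</pre>"
    body = f"<p>You asked for: {a}</p>"               # XSS: echoed unescaped
    body += "".join(f"<li>{name}</li>" for (name,) in rows)
    if query.get("admin") == "true":                   # logic flaw: client picks its role
        body += '<a href="/admin">Manage users</a>'
    return 200, body


def foo_cgi_hardened(query, role="user"):
    """Same page with each flaw closed; `role` would come from the server-side session."""
    a = query.get("a", "")
    rows = _db.execute("SELECT name FROM items WHERE id = ?", (a,)).fetchall()
    body = f"<p>You asked for: {html.escape(a)}</p>"
    body += "".join(f"<li>{html.escape(name)}</li>" for (name,) in rows)
    if role == "admin":
        body += '<a href="/admin">Manage users</a>'
    return 200, body


XSS_CANARY = "qzx<s>qzx"            # an escaping page returns it as qzx&lt;s&gt;qzx
BOOL_FLIP = {"true": "false", "false": "true"}


def probes_for(uri):
    """Yield (kind, parameter, probe_uri), varying one query parameter at a time."""
    parts = urlsplit(uri)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, value) in enumerate(params):
        def with_value(new_value):
            changed = params[:i] + [(name, new_value)] + params[i + 1:]
            return urlunsplit(parts._replace(query=urlencode(changed)))
        yield "sqli", name, with_value(value + "'")      # break the query's quoting
        yield "xss", name, with_value(XSS_CANARY)        # see whether it is echoed raw
        if value.lower() in BOOL_FLIP:                   # admin=false -> admin=true
            yield "logic", name, with_value(BOOL_FLIP[value.lower()])


def scan(uri, handler):
    """Send every probe through `handler` and classify the responses."""
    def send(u):
        return handler(dict(parse_qsl(urlsplit(u).query, keep_blank_values=True)))

    _, base_body = send(uri)
    findings = []
    for kind, name, probe in probes_for(uri):
        status, body = send(probe)
        if kind == "sqli" and status == 500 and "Database error" in body:
            findings.append({"type": "SQL injection", "param": name, "uri": probe})
        elif kind == "xss" and XSS_CANARY in body:
            findings.append({"type": "Cross-site scripting", "param": name, "uri": probe})
        elif kind == "logic" and status == 200 and body != base_body:
            # A changed response is only a hint; logical flaws need a human to confirm.
            findings.append({"type": "Possible privilege change (review manually)",
                             "param": name, "uri": probe})
    return findings


if __name__ == "__main__":
    base = "http://example/foo.cgi?a=1&admin=false"
    for finding in scan(base, foo_cgi_vulnerable):
        print(finding)
    print("hardened:", scan(base, foo_cgi_hardened))
```

Against the vulnerable handler the scan reports SQL injection and XSS on `a` and a possible privilege change on `admin`; against the hardened handler it reports nothing. Note that the privilege finding is deliberately only flagged for review: the scanner can see that flipping the flag changed the page, but not whether that change was legitimate, which is the point the primer makes about logical vulnerabilities.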

Types of Web Application Vulnerabilities

Web applications may have any of two dozen types of vulnerabilities. Security consultants who do penetration testing may focus on finding top vulnerabilities, such as those in a list published by the Open Web Application Security Project (www.owasp.org). Other efforts to systematically organize web application vulnerabilities include six categories published by the Web Application Security Consortium (www.webappsec.org). The following descriptions of web vulnerabilities are modeled on the WASC schema.

Authentication: stealing user account identities

• Brute Force attack automates a process of trial and error to guess a person's username, password, credit-card number or cryptographic key.
• Insufficient Authentication permits an attacker to access sensitive content or functionality without proper authentication.
• Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user's password.

Authorization: illegal access to applications

• Credential / Session Prediction is a method of hijacking or impersonating a user by guessing or deducing a valid session ID or credential.
• Insufficient Authorization permits access to sensitive content or functionality that should require more access control restrictions.
• Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for authorization.
• Session Fixation attacks force a user's session ID to an explicit value.
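The three session weaknesses in the Authorization list share one defence pattern. As an added illustration (example code, not from the Qualys guide or its scanner), here is a minimal Python session store with the controls that close Credential/Session Prediction, Insufficient Session Expiration and Session Fixation: IDs drawn from the operating system's CSPRNG, an idle timeout, and rotation of the ID at login. The `rotate_on_login` switch and the `fixation_attack` walk-through are constructed for the example so the weak and the corrected behaviour can be compared side by side.

```python
import secrets
import time


class SessionStore:
    """Server-side session table keyed by an opaque session ID.

    rotate_on_login=False reproduces the Session Fixation weakness: the ID the
    client arrived with (possibly planted by an attacker) survives authentication.
    idle_timeout bounds how long a stolen or leftover ID stays usable
    (Insufficient Session Expiration). `clock` is injectable so expiry can be
    demonstrated without waiting.
    """

    def __init__(self, idle_timeout=900, rotate_on_login=True, clock=time.time):
        self.idle_timeout = idle_timeout
        self.rotate_on_login = rotate_on_login
        self.clock = clock
        self._sessions = {}  # sid -> {"user": str or None, "last_seen": float}

    def new_session(self):
        # 32 random bytes from the OS CSPRNG: not guessable, so not predictable
        # (a counter or a timestamp here would be Credential/Session Prediction).
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self.clock()}
        return sid

    def login(self, sid, user, password_ok):
        """Bind `user` to a session after the credential check has succeeded."""
        if not password_ok:
            return None
        if self.rotate_on_login:
            # Session Fixation defence: never promote an ID the client chose.
            self._sessions.pop(sid, None)
            sid = self.new_session()
        elif sid not in self._sessions:
            self._sessions[sid] = {"user": None, "last_seen": self.clock()}
        self._sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        """Resolve a session ID to a user, expiring idle sessions on the way."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.clock() - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]   # idle too long: treat as logged out
            return None
        entry["last_seen"] = self.clock()
        return entry["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


def fixation_attack(store):
    """Constructed walk-through of a session fixation attempt.

    Returns the user the attacker's planted ID resolves to after the victim logs
    in: 'victim' if the attack worked, None if ID rotation defeated it.
    """
    planted = store.new_session()          # attacker obtains a pre-auth ID ...
    store.login(planted, "victim", True)   # ... and tricks the victim into using it
    return store.user_for(planted)
```

With rotation on, the planted ID is discarded at login and the attacker's copy resolves to nobody; with rotation off it resolves to the victim. The idle timeout is checked on every lookup, so an old ID replayed after the window yields nothing even though it was once valid.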

"Enterprise-class web application scanning solutions are broader, and should include a wide range of tests for major web application vulnerability classes, such as SQL injection, cross-site scripting, and directory traversals. The OWASP Top 10 is a good starting list of major vulnerabilities, but an enterprise class solution shouldn't limit itself to just one list or category of vulnerabilities. An enterprise solution should also be capable of scanning multiple applications, tracking results over time, providing robust reporting (especially compliance reports), and providing reports customized for local requirements."

Building a Web Application Security Program whitepaper, Securosis.com


Client-side Attacks: illegal execution of foreign code

• Content Spoofing tricks a user into believing that certain content appearing on a web site is legitimate and not from an external source.
• Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which loads into a user's browser.

Command Execution: hijacks control of the web application

• Buffer Overflow attacks alter the flow of an application by overwriting parts of memory.
• Format String Attack alters the flow of an application by using string formatting library features to access other memory space.
• LDAP Injection attacks exploit web sites by constructing LDAP statements from user-supplied input.
• OS Commanding executes operating system commands on a web site by manipulating application input.
• SQL Injection constructs illegal SQL statements on a web site application from user-supplied input.
• SSI Injection (also called Server-side Include) sends code into a web application, which is later executed locally by the web server.
• XPath Injection constructs XPath queries from user-supplied input.

Information Disclosure: shows sensitive data to attackers

• Directory Indexing is an automatic directory listing / indexing web server function that shows all files in a requested directory if the normal base file is not present.
• Information Leakage occurs when a web site reveals sensitive data such as developer comments or error messages, which may aid an attacker in exploiting the system.
• Path Traversal forces access to files, directories and commands that potentially reside outside the web document root directory.
• Predictable Resource Location uncovers hidden web site content and functionality.


"The number of vulnerabilities affecting Web applications has grown at a staggering rate. In 2008, vulnerabilities affecting Web server applications accounted for 54 percent of all vulnerability disclosures and were one of the primary factors in the overall growth of vulnerability disclosures during the year."

IBM X-Force 2008 Trend & Risk Report

Logical Attacks: interfere with application usage

• Abuse of Functionality uses a web site's own features and functionality to consume, defraud or circumvent access control mechanisms.
• Denial of Service (DoS) attacks prevent a web site from serving normal user activity.
• Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually.
• Insufficient Process Validation permits an attacker to bypass or circumvent the intended flow of an application.

Detecting Web Application Vulnerabilities

There is no silver bullet for detecting web application vulnerabilities. The strategy for their detection is the same multi-layer approach used for security on a network. Detection and remediation of some vulnerabilities requires source code analysis, particularly for complex enterprise-scale web applications. Detection of other vulnerabilities may also require on-site penetration testing. As mentioned earlier, the most prevalent web application vulnerabilities can also be detected with an automated scanner.

An automated web application vulnerability scanner both supplements and complements manual forms of testing. It provides five key benefits:

• Lowers total cost of operations by automating repeatable testing processes
• Identifies vulnerabilities of syntax and semantics in custom web applications
• Performs authenticated crawling
• Profiles the target application
• Ensures accuracy by effective reduction of false positives and false negatives

A scanner does not have access to a web application's source code, so the only way it can detect vulnerabilities is by performing likely attacks on the target application. Time required for scanning varies, but doing a broad simulated attack on an application takes significantly longer than doing a network vulnerability scan against a single IP. A major requirement for a web application vulnerability scanner is comprehensive coverage of the target application's functionality. Incomplete coverage will cause the scanner to overlook existing vulnerabilities: a scanner can only test the pages and parameters it has discovered.


QualysGuard WAS Automatically Detects Major Web Application Vulnerabilities

The QualysGuard Web Application Scanning (WAS) solution is an on demand service integrated into the QualysGuard security and compliance Security-as-a-Service (SaaS) suite. Use of QualysGuard WAS presumes no specialized knowledge of web security. The service allows a network security or IT administrator to execute comprehensive, accurate vulnerability scans on custom web applications such as shopping carts, forms, login pages, and other types of dynamic content. The broad scope of coverage focuses tests on web application security.

Key Benefits. WAS automates repeatable techniques used to identify the most prevalent web vulnerabilities, such as SQL injection and cross-site scripting. It combines pattern recognition and observed behaviors to accurately identify and verify vulnerabilities. The WAS service identifies and profiles login forms, session state, error pages, and other customized features of the target application, even if it extends across multiple web sites. This site profile data helps WAS adapt to changes as the web application matures. Adaptability enables the scanner to be used against unknown or legacy web applications that may carry little information about error pages or other behavior. As a result, WAS delivers highly accurate detection and reduces false positives. The automated nature of Web Application Scanning enables regular testing that produces consistent results and easily scales for large numbers of web sites.

Current Features. The table describes the capabilities in QualysGuard WAS to assess and track web application vulnerabilities. Qualys plans to add other features during Q2/Q3 2009.

Crawling & Link Discovery: Embedded web crawler parses HTML and some JavaScript to extract links. Automatically balances breadth and depth of discovered links to crawl up to 5,000 links per web application.

Authentication: HTTP Basic and NTLM server-based authentication. Simple form authentication.

Black List: Prevents the crawler from visiting certain links in a web application.

White List: Instructs the crawler to visit only links explicitly defined in this list.

Performance Tuning: User-determined bandwidth level for parallel scanning to control impact on application performance.

Sensitive Content: Enables a user-specified expression search for content in HTML, such as Social Security Numbers.
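The coverage warning in the detection section and the Crawling, Black List and White List rows of the table come down to the same mechanism, so here is one added Python example of it (not Qualys code; the WAS crawler's internals are not published on this page): a link-discovery crawler over a small constructed site. It extracts `href`, `src` and `action` targets from HTML and literal URL strings from inline JavaScript, walks breadth-first within a link budget, honours a black list and an optional white list, and reports which pages it never reached. The site map `SITE`, its paths, and the regular expression for JavaScript URLs are assumptions made for the example; a real crawler sends HTTP requests, and a real scanner also submits forms and executes scripts rather than pattern-matching them.

```python
import re
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ORIGIN = "http://example"   # assumed scan target; any other host is out of scope

# Constructed site map (path -> HTML body). Two pages are deliberately hard to reach.
SITE = {
    "/": ('<a href="/catalog">Catalog</a> <a href="/login">Login</a> '
          '<a href="/logout">Logout</a>'
          '<script>if (document.cookie) location.href = "/search?q=test";</script>'
          # URL assembled at runtime: a parser of "some JavaScript" does not see it
          '<script>var p = "/rep" + "orts/export"; location.href = p;</script>'),
    "/catalog": '<a href="/catalog?page=2">Next</a><img src="/static/logo.png">',
    "/catalog?page=2": '<a href="/catalog">Prev</a>',
    "/login": '<form action="/auth" method="post"><input name="u"></form>',
    "/auth": '<a href="/account">Account</a>',
    "/account": "<p>Welcome</p>",
    "/search?q=test": "<p>no results</p>",
    "/logout": '<a href="/">Home</a>',
    "/static/logo.png": "",
    "/reports/export": "<pre>id,name</pre>",   # only reachable via the concatenated JS URL
    "/admin/old": "<p>legacy console</p>",      # no inbound link at all
}


class LinkExtractor(HTMLParser):
    """Collects link targets from HTML attributes and literal URLs in inline scripts."""

    JS_URL = re.compile(r"""(?:location(?:\.href)?\s*=|window\.open\()\s*['"]([^'"]+)['"]""")

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.links.extend(self.JS_URL.findall(data))


def fetch(site, path):
    """Stand-in for an HTTP GET against the constructed site; None means 404."""
    return site.get(path)


def crawl(site, start="/", max_links=5000, blacklist=(), whitelist=None):
    """Breadth-first link discovery. Returns the list of paths actually visited."""
    queue, seen, visited = deque([start]), {start}, []
    while queue and len(visited) < max_links:
        path = queue.popleft()
        if any(re.search(pattern, path) for pattern in blacklist):
            continue                         # Black List: never request it
        if whitelist is not None and path not in whitelist:
            continue                         # White List: only the listed paths
        body = fetch(site, path)
        if body is None:
            continue
        visited.append(path)
        extractor = LinkExtractor()
        extractor.feed(body)
        for link in extractor.links:
            target = urlsplit(urljoin(ORIGIN + path, link))
            if target.netloc != urlsplit(ORIGIN).netloc:
                continue                     # stay on the application being scanned
            new_path = target.path + ("?" + target.query if target.query else "")
            if new_path not in seen:
                seen.add(new_path)
                queue.append(new_path)
    return visited


def coverage_gaps(site, visited):
    """Pages that exist but were never visited: nothing on them can be tested."""
    return sorted(set(site) - set(visited))
```

Crawling from `/` with `/logout` black-listed (so the crawler does not end its own session) reaches eight of the eleven pages; `coverage_gaps` then names the three it will never test: the black-listed logout, the export page whose URL is built by string concatenation, and the unlinked legacy console. Those last two are exactly the Predictable Resource Location and crawler-blind cases a scan report stays silent about, which is why the link budget, the lists and the JavaScript parsing in the table above matter.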


Operations. QualysGuard WAS is delivered as an on demand service fully integrated with the QualysGuard solutions already in use by thousands of customers for vulnerability management and policy compliance. Users can manage web applications, launch scans, and generate reports through the familiar QualysGuard web interface. WAS scans may be pre-scheduled or executed on demand. The WAS service can be scaled to the largest web applications hosted anywhere in the world. Account rights management allows an organization to centrally control which web applications may be scanned by individual users.

Finally, with QualysGuard WAS, at least one person in your organization must be responsible for managing remediation of the vulnerabilities found in your web applications.

Protect Your Web Applications

The QualysGuard Web Application Scanning service will help your organization immediately begin identifying the most prevalent security vulnerabilities open to criminal exploit. The scanner will be a powerful supplement to existing security efforts such as source code analysis and penetration testing. The latter controls are necessary, but QualysGuard WAS will automate detection testing for the majority of threats, the kinds you read about when data thieves breach confidential information via web applications. In addition to comprehensive testing and accurate detection, QualysGuard WAS is cost effective. Just like QualysGuard, WAS is an easy-to-use on demand service allowing administrators to execute scans without any special knowledge of web application security.

Reports such as the Web Application Scorecard provide big-picture and drill-down visibility on vulnerabilities for each web application.


Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 03/09

www.qualys.com

QualysGuard WAS trials are available now. General public release is scheduled for April 2009. If you would like a free trial of QualysGuard WAS, please contact Qualys to get started.

About Qualys

Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions delivered as a service. Qualys Software-as-a-Service solutions are deployed in a matter of hours anywhere in the world, providing customers an immediate and continuous view of their security and compliance postures. The QualysGuard service is used today by more than 3,500 organizations in 85 countries, including 40 of the Fortune Global 100, and performs more than 200 million IP audits per year. Qualys has the largest vulnerability management deployment in the world at a Fortune Global 50 company. Qualys has established strategic agreements with leading managed service providers and consulting organizations including BT, Etisalat, Fujitsu, IBM, I(TS)2, LAC, SecureWorks, Symantec, Tata Communications, TELUS and VeriSign.

For more information, please visit www.qualys.com.

USA: Qualys, Inc., 1600 Bridge Parkway, Redwood Shores, CA 94065, T: 1 (650) 801 6100, [email protected]

UK: Qualys, Ltd., 224 Berwick Avenue, Slough, Berkshire, SL1 4QT, T: +44 (0) 1753 872101

Germany: Qualys GmbH, München Airport, Terminalstrasse Mitte 18, 85356 München, T: +49 (0) 89 97007 146

France: Qualys Technologies, Maison de la Défense, 7 Place de la Défense, 92400 Courbevoie, T: +33 (0) 1 41 97 35 70

Japan: Qualys Japan K.K., Pacific Century Place 8F, 1-11-1 Marunouchi, Chiyoda-ku, 100-6208 Tokyo, T: +81 3 6860 8296

United Arab Emirates: Qualys FZE, P.O. Box 10559, Ras Al Khaimah, United Arab Emirates, T: +971 7 204 1225

China: Qualys Hong Kong Ltd., Suite 1901, Tower B, TYG Center, C2 North Rd, East Third Ring Rd, Chaoyang District, Beijing, T: +86 10 84417495