8/3/2019 QualysGuard Was Guide
1/8
guide:
Web Application Security
How to Minimize Prevalent Risk of Attacks

Table of Contents
I. Summary (page 2)
II. Primer on Web App Security (page 2)
III. Types of Web App Vulnerabilities (page 3)
IV. Detecting Web App Vulnerabilities (page 5)
V. QualysGuard WAS Automates Detection of Vulnerabilities (page 6)
VI. Protect Your Web Applications (page 7)
VII. About Qualys (page 8)
Summary
Vulnerabilities in web applications are now the largest vector of enterprise security attacks. Last year, almost 55% of vulnerability disclosures affected web applications.1 At year end, 74% of web application vulnerabilities had no available patch or remediation, according to that report. Stories about exploits that compromise sensitive data frequently mention culprits such as cross-site scripting, SQL injection, and buffer overflow. Vulnerabilities like these all often fall outside the traditional expertise of network security managers. The relative obscurity of web application vulnerabilities thus makes them useful for attacks. As many organizations have discovered, these attacks will evade traditional enterprise network defenses unless you take new precautions, because they arrive inside the ordinary HTTP traffic that firewalls are configured to allow. To help you understand how to minimize these risks, Qualys provides this guide as a primer to web application security. The guide surveys typical web application vulnerabilities, compares options for detection, and introduces the QualysGuard Web Application Scanning solution, a new on demand service from Qualys that automates detection of the most prevalent vulnerabilities in custom web applications.
Primer on Web Application Security
Attacks on vulnerabilities in web applications began appearing almost from the beginning of the World Wide Web, in the mid-1990s. Attacks are usually based on fault injection, which exploits weaknesses in how a web application handles the syntax and semantics of its input. Using a standard browser and basic knowledge of HTTP and HTML, an attacker attempts a particular exploit by systematically varying a Uniform Resource Identifier (URI), which in turn could trigger an exploit such as SQL injection or cross-site scripting:
http://example/foo.cgi?a=1
http://example/foo.cgi?a=1'         <- SQL injection probe
http://example/foo.cgi?a=<script>   <- cross-site scripting (XSS) probe
Some attacks attempt to alter logical workflow. Attackers also execute these by varying a URI, for example by flipping a parameter the application trusts without checking it server-side:
http://example/foo.cgi?admin=false
http://example/foo.cgi?admin=true    <- increase privileges
A significant number of attacks exploit vulnerabilities in syntax and semantics. You can discover many of these vulnerabilities with an automated scanning tool. Logical vulnerabilities are very difficult to test with a scanning tool, because the scanner has no model of what the application is supposed to allow; these require manual source code analysis and security testing. Web application security vulnerabilities usually stem from programming errors in a web application programming language (e.g., Java, .NET, PHP, Python, Perl, and Ruby), a code library, design pattern, or architecture.
1 IBM ISS X-Force 2008 Trend & Risk Report, http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf
These vulnerabilities can be complex and may occur under many circumstances. Using a web application firewall might control the effects of some exploits but will not resolve the underlying vulnerabilities.
Types of Web Application Vulnerabilities
Web applications may have any of two dozen types of vulnerabilities. Security consultants who do penetration testing may focus on finding top vulnerabilities, such as those in a list published by the Open Web Application Security Project (www.owasp.org). Other efforts to systematically organize web application vulnerabilities include the six classes published by the Web Application Security Consortium (www.webappsec.org). The following descriptions of web vulnerabilities are modeled on the WASC schema.
Authentication: stealing user account identities
• Brute Force attack automates a process of trial and error to guess a person's username, password, credit-card number or cryptographic key.
• Insufficient Authentication permits an attacker to access sensitive content or functionality without proper authentication.
• Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user's password.
Authorization: illegal access to applications
• Credential / Session Prediction is a method of hijacking or impersonating a user by guessing or deducing the unique value that identifies a session.
• Insufficient Authorization permits access to sensitive content or functionality that should require more access control restrictions.
• Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for authorization.
• Session Fixation attacks force a user's session ID to an explicit value.
Enterprise-class web application scanning solutions are broader, and should include a wide range of tests for major web application vulnerability classes, such as SQL injection, cross-site scripting, and directory traversals. The OWASP Top 10 is a good starting list of major vulnerabilities, but an enterprise class solution shouldn't limit itself to just one list or category of vulnerabilities. An enterprise solution should also be capable of scanning multiple applications, tracking results over time, providing robust reporting (especially compliance reports), and providing reports customized for local requirements.
Building a Web Application Security Program whitepaper, Securosis.com
Client-side Attacks: illegal execution of foreign code
• Content Spoofing tricks a user into believing that certain content appearing on a web site is legitimate and not from an external source.
• Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which loads into a user's browser.
Command Execution: hijacks control of the web application
• Buffer Overflow attacks alter the flow of an application by overwriting parts of memory.
• Format String Attack alters the flow of an application by using string formatting library features to access other memory space.
• LDAP Injection attacks exploit web sites by constructing LDAP statements from user-supplied input.
• OS Commanding executes operating system commands on a web site by manipulating application input.
• SQL Injection constructs illegal SQL statements on a web site application from user-supplied input.
• SSI Injection (also called Server-side Include) sends code into a web application, which is later executed locally by the web server.
• XPath Injection constructs XPath queries from user-supplied input.
Information Disclosure: shows sensitive data to attackers
• Directory Indexing is an automatic directory listing / indexing web server function that shows all files in a requested directory if the normal base file is not present.
• Information Leakage occurs when a web site reveals sensitive data such as developer comments or error messages, which may aid an attacker in exploiting the system.
• Path Traversal forces access to files, directories and commands that potentially reside outside the web document root directory.
• Predictable Resource Location uncovers hidden web site content and functionality.
The number of vulnerabilities affecting Web applications has grown at a staggering rate. In 2008, vulnerabilities affecting Web server applications accounted for 54 percent of all vulnerability disclosures and were one of the primary factors in the overall growth of vulnerability disclosures during the year.
IBM X-Force 2008 Trend & Risk Report
Logical Attacks: interfere with application usage
• Abuse of Functionality uses a web site's own features and functionality to consume, defraud or circumvent access control mechanisms.
• Denial of Service (DoS) attacks prevent a web site from serving normal user activity.
• Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually.
• Insufficient Process Validation permits an attacker to bypass or circumvent the intended flow of an application.
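Three of the authorization weaknesses listed above (Credential / Session Prediction, Insufficient Session Expiration and Session Fixation) are easiest to understand in code. The following is an added example written for this guide, not code from Qualys or from the QualysGuard WAS service. The two session stores, the attack helpers and the 15-minute idle limit are assumptions chosen for the illustration; the "before" store shows all three weaknesses and the hardened store shows the matching defences behind the same interface.

```python
import secrets
import time

# Assumed policy for the illustration: a session dies after 15 minutes of inactivity.
IDLE_LIMIT = 15 * 60


class WeakSessionStore:
    """Constructed 'before' store: sequential IDs, ID kept across login, no expiry."""

    def __init__(self):
        self._counter = 1000
        self._sessions = {}  # session_id -> {"user": str or None, "seen": float}

    def new_session(self, now=None):
        self._counter += 1
        sid = str(self._counter)  # the next visitor's ID is this one plus one (Session Prediction)
        self._sessions[sid] = {"user": None, "seen": now or time.time()}
        return sid

    def login(self, sid, user, now=None):
        # The pre-authentication ID is kept, so whoever planted it in the
        # victim's browser now owns an authenticated session (Session Fixation).
        self._sessions[sid]["user"] = user
        return sid

    def user_for(self, sid, now=None):
        # No idle check: a captured ID stays valid forever (Insufficient Session Expiration).
        s = self._sessions.get(sid)
        return s["user"] if s else None


class HardenedSessionStore:
    """Same interface with the three defences: random IDs, rotation on login, idle timeout."""

    def __init__(self, idle_limit=IDLE_LIMIT):
        self._sessions = {}
        self._idle_limit = idle_limit

    def new_session(self, now=None):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
        self._sessions[sid] = {"user": None, "seen": now or time.time()}
        return sid

    def login(self, sid, user, now=None):
        # Drop the ID the client arrived with and issue a fresh one, so a planted
        # ID never becomes an authenticated one.
        self._sessions.pop(sid, None)
        new_sid = self.new_session(now)
        self._sessions[new_sid]["user"] = user
        return new_sid

    def user_for(self, sid, now=None):
        now = now or time.time()
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["seen"] > self._idle_limit:
            del self._sessions[sid]  # expired: an old ID cannot be replayed
            return None
        s["seen"] = now
        return s["user"]


def fixation_attack(store, victim="alice"):
    """Attacker obtains an ID, plants it in the victim's browser, victim logs in.
    Returns the user the planted ID resolves to afterwards (None if defended)."""
    planted = store.new_session()
    store.login(planted, victim)  # victim authenticates while carrying the planted ID
    return store.user_for(planted)


def prediction_attack(store):
    """Attacker takes one ID and guesses the next visitor's; True if the guess is right."""
    mine = store.new_session()
    victims = store.new_session()
    guess = str(int(mine) + 1) if mine.isdigit() else mine + "1"
    return guess == victims


if __name__ == "__main__":
    for name, cls in (("weak", WeakSessionStore), ("hardened", HardenedSessionStore)):
        print(name, "fixation ->", fixation_attack(cls()),
              "| prediction ->", prediction_attack(cls()))
```

The rotation step in `login` is the defence most often missed in real applications: the session ID must change at every privilege boundary (login, role change), not only at logout, and the idle check belongs in every lookup rather than in a periodic cleanup job that an attacker can race.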
Detecting Web Application Vulnerabilities
There is no silver bullet for detecting web application vulnerabilities. The strategy for their detection is the same multi-layer approach used for security on a network. Detection and remediation of some vulnerabilities requires source code analysis, particularly for complex enterprise-scale web applications. Detection of other vulnerabilities may also require on-site penetration testing. As mentioned earlier, the most prevalent web application vulnerabilities can also be detected with an automated scanner.
An automated web application vulnerability scanner both supplements and complements manual forms of testing. It provides five key benefits:
• Lowers total cost of operations by automating repeatable testing processes
• Identifies vulnerabilities of syntax and semantics in custom web applications
• Performs authenticated crawling
• Profiles the target application
• Improves accuracy by effective reduction of false positives and false negatives
A scanner does not have access to a web application's source code, so the only way it can detect vulnerabilities is by performing likely attacks on the target application and judging from the responses whether each one succeeded. Time required for scanning varies, but doing a broad simulated attack on an application takes significantly longer than doing a network vulnerability scan against a single IP. A major requirement for a web application vulnerability scanner is comprehensive coverage of the target application's functionality: a scanner can only test the pages and parameters it has discovered, so incomplete coverage will cause it to overlook existing vulnerabilities.
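As an added example that is not part of the Qualys guide and not the QualysGuard WAS implementation, the following Python script shows the mechanism the primer and this section describe: a scanner with no source access varies one URI parameter (the `a=1` / `a=1'` / `a=<...>` pattern from the primer) and reads the responses to decide whether SQL injection or reflected cross-site scripting is present. The target is a constructed in-process handler over an in-memory SQLite table, so the whole thing runs offline. The handler names, payloads and error signatures are assumptions made for this illustration; the hardened handler beside the vulnerable one shows why the same probes produce no findings once the code is fixed.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed backend shared by the vulnerable and the hardened handler.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE items (id INTEGER, name TEXT)")
DB.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])


def _param(url, name="a"):
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def vulnerable_handler(url):
    """foo.cgi as it is too often written: SQL built by string formatting, output not escaped.
    Returns (status, body) the way a tiny HTTP server would."""
    a = _param(url)
    page = f"<p>You asked for {a}</p>"  # reflects the raw parameter (XSS)
    try:
        rows = DB.execute(f"SELECT name FROM items WHERE id = {a}").fetchall()  # SQL injection
    except sqlite3.Error as e:
        return 500, page + f"<pre>Database error: {e}</pre>"  # leaks the engine's message
    return 200, page + "<ul>" + "".join(f"<li>{n}</li>" for (n,) in rows) + "</ul>"


def hardened_handler(url):
    """Same function with input validation, a parameterized query and HTML escaping."""
    a = _param(url)
    if not a.isdigit():
        return 400, "<p>Bad request</p>"
    rows = DB.execute("SELECT name FROM items WHERE id = ?", (int(a),)).fetchall()
    items = "".join(f"<li>{html.escape(n)}</li>" for (n,) in rows)
    return 200, f"<p>You asked for {html.escape(a)}</p><ul>{items}</ul>"


# Error strings that betray an SQL parser choking on injected input (assumed list).
SQL_ERROR_SIGNATURES = ("syntax error", "unrecognized token", "database error")

# Each probe: name, the value substituted into the parameter, and the rule that
# decides from the probe response (and the baseline response) whether it fired.
PROBES = [
    ("sqli_error", "1'",
     lambda body, base: any(sig in body.lower() for sig in SQL_ERROR_SIGNATURES)),
    ("sqli_boolean", "1 OR 1=1",
     lambda body, base: body.count("<li>") > base.count("<li>")),  # tautology returns more rows
    ("xss_reflected", "<xss1>",
     lambda body, base: "<xss1>" in body),  # marker came back unescaped
]


def set_param(url, name, value):
    """Return `url` with query parameter `name` replaced by `value` (URL-encoded)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    query[name] = [value]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def scan(handler, url, param="a"):
    """Fault-inject `param` of `url` against `handler`; return the names of probes that fired."""
    _, baseline = handler(url)  # the unmodified request is the reference response
    findings = []
    for name, payload, fired in PROBES:
        _, body = handler(set_param(url, param, payload))
        if fired(body, baseline):
            findings.append(name)
    return findings


if __name__ == "__main__":
    target = "http://example/foo.cgi?a=1"
    print("vulnerable:", scan(vulnerable_handler, target))  # all three probes fire
    print("hardened:  ", scan(hardened_handler, target))    # nothing fires
```

Two points from this toy carry over to real scanners. First, detection needs a baseline: the boolean probe is only meaningful relative to the unmodified response, which is why a scanner profiles the application before attacking it. Second, every probe is anchored to one parameter it has discovered; a parameter the crawler never saw is never tested, which is the coverage problem described above.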
QualysGuard WAS Automatically Detects Major Web Application Vulnerabilities
The QualysGuard Web Application Scanning (WAS) solution is an on demand service integrated into the QualysGuard security and compliance Security-as-a-Service (SaaS) suite. Use of QualysGuard WAS presumes no specialized knowledge of web security. The service allows a network security or IT administrator to execute comprehensive, accurate vulnerability scans on custom web applications such as shopping carts, forms, login pages, and other types of dynamic content. The broad scope of coverage focuses tests on web application security.
Key Benefits. WAS automates repeatable techniques used to identify the most prevalent web vulnerabilities, such as SQL injection and cross-site scripting. It combines pattern recognition and observed behaviors to accurately identify and verify vulnerabilities. The WAS service identifies and profiles login forms, session state, error pages, and other customized features of the target application, even if it extends across multiple web sites. This site profile data helps WAS adapt to changes as the web application matures. Adaptability enables the scanner to be used against unknown or legacy web applications that may carry little information about error pages or other behavior. As a result, WAS delivers highly accurate detection and reduces false positives. The automated nature of Web Application Scanning enables regular testing that produces consistent results and easily scales for large numbers of web sites.
Current Features. The table describes the capabilities in QualysGuard WAS to assess and track web application vulnerabilities. Qualys plans to add other features during Q2/Q3 2009.

Crawling & Link Discovery: Embedded web crawler parses HTML and some JavaScript to extract links. Automatically balances breadth and depth of discovered links to crawl up to 5,000 links per web application.
Authentication: HTTP Basic and NTLM server-based authentication. Simple form authentication.
Black List: Prevents the crawler from visiting certain links in a web application.
White List: Instructs the crawler to visit only links explicitly defined in this list.
Performance Tuning: User-determined bandwidth level for parallel scanning to control impact on application performance.
Sensitive Content: Enables user-specified expression search for content in HTML, such as Social Security Numbers.
Operations. QualysGuard WAS is delivered as an on demand service fully integrated with the QualysGuard solutions already in use by thousands of customers for vulnerability management and policy compliance. Users can manage web applications, launch scans, and generate reports with the familiar QualysGuard web interface. WAS scans may be pre-scheduled or executed on demand. The WAS service can be scaled to the largest web applications hosted anywhere in the world. Account rights management allows an organization to centrally control which web applications may be scanned by individual users.
Finally, with QualysGuard WAS, at least one person in your organization must be responsible for managing remediation of vulnerabilities found in your web applications; the scanner finds the flaws, it does not fix them.
Protect Your Web Applications
The QualysGuard Web Application Scanning service will help your organization immediately begin identifying the most prevalent security vulnerabilities open to criminal exploit. The scanner will be a powerful supplement to existing security efforts such as source code analysis and penetration testing. Those controls remain necessary, but QualysGuard WAS will automate detection testing for the majority of threats: the kinds you read about when data thieves breach confidential information via web applications. In addition to comprehensive testing and accurate detection, QualysGuard WAS is cost effective. Just like QualysGuard, WAS is an easy-to-use on demand service allowing administrators to execute scans without any special knowledge of web application security.
Reports such as the Web Application Scorecard provide big-picture and drill-down visibility on vulnerabilities for each web application.
Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 03/09
www.qualys.com
QualysGuard WAS trials are available now. General public release is scheduled for April 2009. If you would like a free trial of QualysGuard WAS, please contact Qualys to get started.
About Qualys
Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions delivered as a service. Qualys Software-as-a-Service solutions are deployed in a matter of hours anywhere in the world, providing customers an immediate and continuous view of their security and compliance postures. The QualysGuard service is used today by more than 3,500 organizations in 85 countries, including 40 of the Fortune Global 100, and performs more than 200 million IP audits per year. Qualys has the largest vulnerability management deployment in the world at a Fortune Global 50 company. Qualys has established strategic agreements with leading managed service providers and consulting organizations including BT, Etisalat, Fujitsu, IBM, I(TS)2, LAC, SecureWorks, Symantec, Tata Communications, TELUS and VeriSign.
For more information, please visit www.qualys.com.
USA: Qualys, Inc., 1600 Bridge Parkway, Redwood Shores, CA 94065. T: 1 (650) 801 6100, [email protected]
UK: Qualys, Ltd., 224 Berwick Avenue, Slough, Berkshire, SL1 4QT. T: +44 (0) 1753 872101
Germany: Qualys GmbH, München Airport, Terminalstrasse Mitte 18, 85356 München. T: +49 (0) 89 97007 146
France: Qualys Technologies, Maison de la Défense, 7 Place de la Défense, 92400 Courbevoie. T: +33 (0) 1 41 97 35 70
Japan: Qualys Japan K.K., Pacific Century Place 8F, 1-11-1 Marunouchi, Chiyoda-ku, 100-6208 Tokyo. T: +81 3 6860 8296
United Arab Emirates: Qualys FZE, P.O. Box 10559, Ras Al Khaimah, United Arab Emirates. T: +971 7 204 1225
China: Qualys Hong Kong Ltd., Suite 1901, Tower B, TYG Center, C2 North Rd, East Third Ring Rd, Chaoyang District, Beijing. T: +86 10 84417495