NetScaler Application Firewall and OWASP Top Ten – 2013
Introduction
The Open Web Application Security Project (OWASP) released the OWASP Top 10 for 2013 for web application security. This list documents the most common web application vulnerabilities and is a great starting point to evaluate web security. Here we detail how to configure the NetScaler Application Firewall to mitigate these flaws. Application Firewall is available as an integrated module in the NetScaler Application Delivery Controller (Platinum Edition) as well as a complete range of appliances.
The full OWASP Top 10 document is available at OWASP_Top_Ten_Project.
OWASP Top 10 2013 category, and the NetScaler features that address it:
A1 - Injection: injection attack prevention (SQL injection plus custom injection patterns such as OS command, XPath and LDAP injection), signature auto-update
A2 - Broken Authentication and Session Management: AAA, Cookie Tampering protection, Cookie Proxying, Cookie Encryption, CSRF tagging, use of SSL
A3 - Cross Site Scripting (XSS): XSS attack prevention, blocks all attacks in the OWASP XSS cheat sheet
A4 - Insecure Direct Object References: Start URL checks, AAA, form protections, Cookie Tampering protection
A5 - Security Misconfiguration: PCI reports, SSL features, signature generation from vulnerability scan reports (Cenzic, Qualys, WhiteHat), and specific cookie protections (encryption, proxying, tampering checks)
A6 - Sensitive Data Exposure: credit card protection, Safe Commerce, Cookie Proxying, Cookie Encryption
A7 - Missing Function Level Access Control: authorization feature of the NetScaler AAA module, Start URL, URL closure
A8 - Cross Site Request Forgery: CSRF form tagging, Referer header validation
A9 - Using Components with Known Vulnerabilities: vulnerability scan reports, Application Firewall templates, custom signatures
A10 - Unvalidated Redirects and Forwards: protection by policy control, field format protection configuration
A1 - Injection
Injection flaws such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
NetScaler Protection
● SQL injection prevention protects against common injection attacks. Custom injection patterns can be uploaded to cover other injection types, including XPath and LDAP injection. The check applies to both HTML and XML payloads.
● The signature auto-update feature keeps the injection signatures current.
● Field format protection lets the administrator restrict any user parameter to a regular expression, for instance enforcing that a zip-code field contains only integers, or only 5-digit integers.
● Form field consistency validates each submitted form against the form signature stored in the user session, so every field must match what the application served.
● Buffer overflow checks enforce configured length limits on the URL, headers, and cookies, blocking attempts to inject large scripts or code through oversized fields.
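As an added example (NetScaler CLI, not configuration taken from the Citrix paper), the following turns the checks above into one profile. The profile, policy and virtual server names, the checkout form URL and the zip field are assumptions, and the option names follow the NetScaler 10.x appfw CLI; confirm them with show appfw profile on the release in use.

```nscli
# Added example, not from the Citrix paper. Names (appfw_web, appfw_pol_web, lb_web,
# the form URL and the "zip" field) are assumptions.

# Profile with the advanced defaults (field format, form field consistency and
# the other request-side checks are enabled, initially in log mode)
add appfw profile appfw_web -defaults advanced

# SQL injection check: block only when SQL special characters AND keywords occur
# together, log and count the hits
set appfw profile appfw_web -SQLInjectionAction block log stats -SQLInjectionType SQLSplCharANDKeyword

# Field format check with a custom field type: the "zip" field of the address form
# may only be a 5-digit US zip code (regular expression plus a length window)
set appfw profile appfw_web -fieldFormatAction block log stats
add appfw fieldType zip5 "^[0-9]{5}$" 10
bind appfw profile appfw_web -fieldFormat zip "^https?://www[.]example[.]com/checkout/address$" -fieldType zip5 -fieldFormatMinLength 5 -fieldFormatMaxLength 5

# Form field consistency: a submission whose fields differ from the form served
# in this session (added, removed or altered hidden fields) is blocked
set appfw profile appfw_web -fieldConsistencyAction block log stats

# Buffer overflow check with explicit size limits for URL, headers and cookies
set appfw profile appfw_web -bufferOverflowAction block log stats -bufferOverflowMaxURLLength 1024 -bufferOverflowMaxHeaderLength 4096 -bufferOverflowMaxCookieLength 4096

# Apply the profile to every request that reaches the load balancing vserver
add appfw policy appfw_pol_web true appfw_web
bind lb vserver lb_web -policyName appfw_pol_web -priority 100
```

Start with the actions set to log and stats only and watch the appfw log for a few days of real traffic before switching to block: the field format and form consistency checks in particular will flag legitimate forms until their relaxations are in place.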
A2 - Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
NetScaler Protections
● The NetScaler AAA module authenticates users and provides Single Sign-On to backend applications. It is integrated with the NetScaler AppExpert policy engine, so custom policies can be written on user and group information.
● The Cookie tampering (cookie consistency) protection covers session identifiers, which are commonly stored in cookies. With SSL offloading and URL transformation, the firewall can also move a site onto a secure transport layer so that session tokens cannot be captured by network sniffing.
● Cookie Proxying keeps the application's session cookies on the appliance and issues its own session cookie to the client; Cookie Encryption encrypts application cookies before they reach the browser. Together they keep application session identifiers from being read or replayed by someone who obtains a client-side cookie. The appliance's own session cookie still has to be protected, so these features are used together with SSL rather than instead of it.
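An added example (NetScaler CLI, not from the paper) of the cookie protections plus the transport-layer enforcement described above. It assumes an existing profile named appfw_web, a plain HTTP virtual server named lb_web_http in front of the HTTPS one, and the 10.x option names, which should be checked against the release in use.

```nscli
# Added example, not from the Citrix paper. appfw_web and lb_web_http are assumed names.

# Cookie consistency (tamper detection): cookies the client sends back must match the
# ones the application set during this session; modified or injected cookies are blocked
set appfw profile appfw_web -cookieConsistencyAction block log stats

# Cookie transforms: encrypt every application cookie before it reaches the browser,
# proxy the session cookies so that only the appliance's own session cookie leaves the
# site, and add the HttpOnly and Secure flags so scripts and plain HTTP cannot read it
set appfw profile appfw_web -cookieTransforms ON -cookieEncryption encryptAll -cookieProxying sessionOnly -addCookieFlags all

# Transport security: answer any plain HTTP request with a permanent redirect to HTTPS
# for the same host and path, so a session cookie is never sent in the clear
add responder action rs_act_https redirect "\"https://\" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY" -responseStatusCode 301
add responder policy rs_pol_https "!CLIENT.SSL.IS_SSL" rs_act_https
bind lb vserver lb_web_http -policyName rs_pol_https -priority 100 -gotoPriorityExpression END -type REQUEST
```

With proxying on, the browser only ever holds the appliance's session cookie; stealing it still hijacks the session, which is why the Secure flag and the HTTPS redirect are part of the same change rather than an optional extra.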
A3 - Cross Site Scripting ( XSS )
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
NetScaler Protections
● XSS protection detects common XSS attacks. The NetScaler Application Firewall uses a white list of allowed HTML tags and attributes; custom XSS patterns can be uploaded to modify that list. The check applies to both HTML and XML payloads.
● NetScaler Application Firewall blocks all the attacks listed in the OWASP XSS Filter Evasion Cheat Sheet.
● Field format checks prevent an attacker from submitting form data of the wrong type or length, which is often the vehicle for an XSS payload.
● Form field consistency detects tampering with hidden fields and other form elements between the form that was served and the one that is submitted.
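An added example (NetScaler CLI, not from the paper) of the XSS check on HTML and XML traffic, with the field format check used to keep markup out of every field except one that needs it. The profile name, the post URL and the "comment" field are assumptions; option names follow the 10.x CLI and should be verified on the release in use.

```nscli
# Added example, not from the Citrix paper. appfw_ws, the post URL and "comment" are assumed names.

# A profile that inspects both HTML form traffic and XML (web service) payloads
add appfw profile appfw_ws -defaults advanced -type HTML XML

# HTML cross-site scripting check: block, log and count
set appfw profile appfw_ws -crossSiteScriptingAction block log stats
# Alternative for an application that cannot tolerate blocking: log only and entity-encode
# the unsafe characters (< > etc.) in the request instead:
# set appfw profile appfw_ws -crossSiteScriptingAction log stats -crossSiteScriptingTransformUnsafeHTML ON

# The same protection on XML payloads (XML XSS and XML SQL injection checks)
set appfw profile appfw_ws -XMLXSSAction block log stats
set appfw profile appfw_ws -XMLSQLInjectionAction block log stats

# Field format: by default no field may contain HTML and no field may exceed 1 KB;
# widen this only for the one rich-text field that legitimately carries markup
set appfw profile appfw_ws -fieldFormatAction block log stats -defaultFieldFormatType nohtml -defaultFieldFormatMinLength 0 -defaultFieldFormatMaxLength 1024
bind appfw profile appfw_ws -fieldFormat comment "^https?://www[.]example[.]com/post$" -fieldType any -fieldFormatMinLength 0 -fieldFormatMaxLength 4096
```

The "comment" relaxation is the weak point of this configuration: anything bound with fieldType any is checked by the XSS white list only, so the tag and attribute list for that profile should be reviewed rather than left at its defaults.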
A4 - Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
NetScaler Protections
● Start URL check with URL closure: allows access to a predefined white list of URLs. URL closure records every URL seen in valid responses during the user session and automatically allows it for the rest of that session, so an object reference the application never handed to the user cannot be requested directly.
● The AAA feature, which supports authentication, authorization, and auditing for all application traffic, lets the site administrator manage access control on the NetScaler appliance.
● Form field consistency: if object references are stored as hidden fields in forms, form field consistency validates that these fields have not been tampered with on subsequent requests.
● Cookie Proxying and Cookie consistency: object references stored in cookie values can be validated with these protections.
A5 - Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained as defaults are often insecure. Additionally, software should be kept up to date.
NetScaler Protections
● The PCI-DSS report generated by the Application Firewall documents the security settings in force on the appliance.
● Findings from vulnerability scanning tools are converted into NetScaler signatures, so that a misconfiguration a scanner has found can be blocked at the firewall while it is being fixed on the server.
● NetScaler Application Firewall supports Cenzic, IBM AppScan (Enterprise and Standard), Qualys, Trend Micro, WhiteHat, and custom vulnerability scan reports.
A6 - Sensitive Data Exposure
Many web applications do not properly protect sensitive data such as credit cards, tax IDs, and authentication credentials. Attackers might steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
NetScaler Protection
● Application Firewall protects applications from leaking sensitive data such as credit card numbers in responses.
● Other sensitive data can be defined as Safe Objects in the Safe Commerce protection, which detects them in responses and masks, removes or blocks them.
● Sensitive data in cookies can be protected with Cookie Proxying and Cookie Encryption.
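An added example (NetScaler CLI, not from the paper) of the credit card and Safe Object checks. It assumes an existing profile named appfw_web and an internal account number format (ACCT- followed by nine digits) invented for the example; option names follow the 10.x CLI.

```nscli
# Added example, not from the Citrix paper. appfw_web and the ACCT- number format are assumptions.

# Credit card check on responses: the card brands to look for, how many numbers a
# response may legitimately contain (0 here, so any card number blocks the response),
# and X-out so that any number allowed through is masked except the last digits
set appfw profile appfw_web -creditCardAction block log stats -creditCard VISA MASTERCARD AMEX DISCOVER -creditCardMaxAllowed 0 -creditCardXOut ON

# Safe Object: a custom pattern for an internal account number. The maximum match
# length bounds the regex so it cannot run across a whole response; the action masks
# (X's out) the match in the response body, logs it and counts it
bind appfw profile appfw_web -safeObject acct_number "ACCT-[0-9]{9}" -maxMatchLength 14 -action xout log stats
```

Both checks inspect responses only; they limit what leaks out of a page, not what the application stores. A page that must legitimately show a card number (an order confirmation, for instance) needs creditCardMaxAllowed raised for that profile, with X-out left on so the full number still never reaches the browser.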
A7 - Missing Function Level Access Control
Most web applications verify function level access rights before making that functionality visible in the User Interface (UI). However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, then attackers will be able to forge requests to access functionality without proper authorization.
NetScaler Protections
● The authorization feature of the NetScaler AAA module lets the appliance verify which content on a protected server each user is allowed to access.
● The Start URL and URL closure features can additionally be used to restrict which URLs on the server a user can reach.
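An added example (NetScaler CLI, not from the paper) covering both the Start URL with URL closure protection listed under A4 above and the AAA authorization described here. It assumes an existing profile appfw_web bound to an lb vserver lb_web, an LDAP directory reachable from the appliance, an installed certificate named example_cert, and the hostnames, addresses (documentation ranges), group names and URL trees used below; the LDAP bind password is a placeholder. Authentication and authorization policies use the classic expression syntax of the 10.x releases.

```nscli
# Added example, not from the Citrix paper. All names, addresses and the <secret> placeholder are assumptions.

# Start URL check with URL closure: only the listed entry points may be requested
# cold; any URL the application itself returns during the session is then allowed
set appfw profile appfw_web -startURLAction block log stats -startURLClosure ON
bind appfw profile appfw_web -startURL "^https?://www[.]example[.]com/(index[.]html)?$"
bind appfw profile appfw_web -startURL "^https?://www[.]example[.]com/login$"

# AAA authentication: a separate authentication vserver that checks users against LDAP
add authentication vserver auth_vs SSL 203.0.113.10 443 -AuthenticationDomain example.com
bind ssl vserver auth_vs -certkeyName example_cert
add authentication ldapAction ldap_act -serverIP 198.51.100.20 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc-ns,ou=svc,dc=example,dc=com" -ldapBindDnPassword <secret> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication ldapPolicy ldap_pol ns_true ldap_act
bind authentication vserver auth_vs -policy ldap_pol -priority 100

# Require authentication on the application vserver (form-based logon via auth_vs)
set lb vserver lb_web -authentication ON -authnVsName auth_vs

# AAA authorization: default deny, then allow URL trees per directory group. The group
# names match the cn values extracted from memberOf above
set aaa parameter -defaultAuthorizationAction DENY
add authorization policy authz_admin "REQ.HTTP.URL == /admin/*" ALLOW
add authorization policy authz_app "REQ.HTTP.URL == /app/*" ALLOW
add aaa group admins
add aaa group staff
bind aaa group admins -policy authz_admin -priority 100
bind aaa group admins -policy authz_app -priority 110
bind aaa group staff -policy authz_app -priority 100
```

The default-deny parameter is what makes this function-level access control rather than a UI hint: a member of staff who types /admin/users directly is refused by the appliance even though the application's own menu never showed the link. Test it by logging in as a staff user and requesting an /admin/ URL by hand.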
A8 - Cross Site Request Forgery
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests, which the vulnerable application thinks are legitimate requests from the victim.
NetScaler Protections
● CSRF tagging adds a unique token to each form sent to a user and validates the token when the form is submitted.
● Referer header validation ensures that requests were generated from within the site. Combined with the URL closure feature, the Referer check covers requests for URLs the user reached through the application, while forged requests from another origin carry no matching Referer.
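An added example (NetScaler CLI, not from the paper) of the two CSRF protections and of the choice between the Referer check modes. It assumes an existing profile appfw_web with start URLs already bound to it; option names follow the 10.x CLI.

```nscli
# Added example, not from the Citrix paper. appfw_web is an assumed profile name.

# CSRF form tagging: every form served to the user gets a hidden, session-bound token;
# a submission without the matching token is blocked
set appfw profile appfw_web -CSRFtagAction block log stats

# Referer header check. "if_present" validates the Referer only when the browser sends
# one; a cross-site form post from an attacker page normally does, but a page can
# suppress it (for example with a referrer policy), so this mode alone is not a full defence
set appfw profile appfw_web -refererHeaderCheck if_present

# Stricter alternative: also reject requests that omit the Referer, except for requests
# to the bound start URLs, so entry to the site stays possible while deep requests from
# outside the site are refused
# set appfw profile appfw_web -refererHeaderCheck AlwaysExceptStartURLs
```

Form tagging is the protection that does not depend on browser behaviour; the Referer check is a second, cheaper layer whose stricter mode should be tried in log mode first, because privacy tools and some proxies strip the header for legitimate users.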
A9 - Using Components with Known Vulnerabilities
Components such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, then such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities might undermine application defenses and enable a range of possible attacks and impacts.
NetScaler Protections
● Citrix recommends keeping third-party components up to date.
● Vulnerability scan reports converted into NetScaler signatures can be used to virtually patch these components until they are upgraded.
● Application Firewall templates available for known vulnerable components can be applied.
● Custom signatures can be bound to the firewall profile to protect these components.
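An added example (NetScaler CLI, not from the paper) of the signature workflow that serves both the scan-report conversion described under A5 and the virtual patching described here. The report and signature file URLs, the stylesheet and the object names are assumptions; the GUI import wizard applies the vendor transform for a supported scanner itself, while on the CLI the stylesheet is passed explicitly. The auto-update setting exists only on releases that carry it, so check the release notes.

```nscli
# Added example, not from the Citrix paper. URLs, file and object names are assumptions.

# Convert a scan report from a supported scanner into a signature object. The -xslt
# option names the stylesheet that maps the scanner's report format to the NetScaler
# signature format (the file below is an assumption; use the transform for the scanner in use)
import appfw signatures http://scanner.example.com/reports/app_scan.xml sig_app_scan -xslt http://scanner.example.com/xslt/scanner_to_ns.xsl

# Hand-written rules for a component that cannot be upgraded yet (custom signature file)
import appfw signatures http://repo.example.com/sigs/custom_component.xml sig_custom

# A profile uses exactly one signature object, so review the imported rules first and
# bind the object that carries the rules you actually want enforced
show appfw signatures sig_app_scan
set appfw profile appfw_web -signatures sig_app_scan

# Keep the built-in signature set current (available on releases that carry the setting)
set appfw settings -signatureAutoUpdate ON
```

Treat a scan-derived signature as a stopgap with an expiry: record which finding it covers and remove it once the component is patched, or the rule set grows into one nobody dares to touch.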
A10 - Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and web sites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
NetScaler Protections
On incoming requests:
● Field format protection: restrict the parameter that carries the redirect or forward destination to the allowed domains or paths.
● Referer header check: validate the Referer header on incoming requests to reduce phishing attacks.
● Use AAA authorization policies to ensure that access to specific URLs is authorized.
On redirect responses:
● Use Responder policies to ensure that redirects are only issued to valid domains.
● Use URL transform or Rewrite policies to rewrite all 302 redirects to specific allowed domains.
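An added example (NetScaler CLI, not from the paper) that applies the request-side and response-side controls above to a login page that takes a "next" parameter. The profile and vserver names, the login URL, the parameter name and the site hostname are assumptions; the policy expressions use the default syntax and should be tested on the release in use.

```nscli
# Added example, not from the Citrix paper. appfw_web, lb_web, /login, "next" and the hostname are assumptions.

# Request side, field format check: "next" may only be a site-relative path, never a
# scheme or host, so an attacker cannot pass https://evil.example/ through the login form
add appfw fieldType relpath "^/[A-Za-z0-9_./?=&%-]*$" 20
bind appfw profile appfw_web -fieldFormat next "^https?://www[.]example[.]com/login$" -fieldType relpath -fieldFormatMinLength 1 -fieldFormatMaxLength 512

# Request side, responder: independent of the firewall, drop any request whose "next"
# query parameter names a foreign host (a value with "://" that is not our own origin)
add responder policy rs_pol_open_redirect "HTTP.REQ.URL.QUERY.VALUE(\"next\").CONTAINS(\"://\") && !HTTP.REQ.URL.QUERY.VALUE(\"next\").STARTSWITH(\"https://www.example.com/\")" DROP
bind lb vserver lb_web -policyName rs_pol_open_redirect -priority 90 -gotoPriorityExpression END -type REQUEST

# Response side, rewrite: if the application still issues a redirect whose Location is
# absolute and off-site, send the user to the home page instead. Relative Locations
# (no "://") are left alone; 301/303/307 are covered as well as 302
add rewrite action rw_act_fix_location replace "HTTP.RES.HEADER(\"Location\")" "\"https://www.example.com/\""
add rewrite policy rw_pol_fix_location "HTTP.RES.STATUS.BETWEEN(301,308) && HTTP.RES.HEADER(\"Location\").CONTAINS(\"://\") && !HTTP.RES.HEADER(\"Location\").STARTSWITH(\"https://www.example.com/\")" rw_act_fix_location
bind lb vserver lb_web -policyName rw_pol_fix_location -priority 100 -gotoPriorityExpression END -type RESPONSE
```

The response-side rewrite is the safety net; it also neutralises redirects the application builds from data that never came through "next". Exempt any legitimate off-site redirect (a payment provider, a federated logon) by adding its origin to the STARTSWITH test rather than by disabling the policy.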
Additional Resources
Download and try the Application Firewall in the NetScaler VPX virtual appliance with a free 90-day Platinum Edition evaluation license today. See the NetScaler product documentation, follow us on Twitter and join the Citrix community.
About Citrix
Citrix (NASDAQ:CTXS) is the cloud company that enables mobile workstyles, empowering people to work and collaborate from anywhere, easily and securely. With market-leading solutions for mobility, desktop virtualization, cloud networking, cloud platforms, collaboration and data sharing, Citrix helps organizations achieve the speed and agility necessary to succeed in a mobile and dynamic world. Citrix products are in use at more than 260,000 organizations and by over 100 million users globally. Annual revenue in 2012 was $2.59 billion. Learn more at www.citrix.com.
Copyright © 2013 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, Citrix NetScaler, and other Citrix product names are trademarks of Citrix Systems, Inc. All other product names, company names, marks, logos, and symbols are trademarks of their respective owners.