
Web Applications Security Overview and Radware AppWall Solution

White Paper

November 2008


Table of Contents

1. Preface
1.1. General
1.2. Target Audience
2. Introduction to Web Applications Security
2.1. Web Applications Security Overview
2.2. HTTP: The Internet Protocol
2.2.1. Background on HTTP
2.2.2. HTTP Methods
2.3. Security Issues, Hackers and Threats
2.3.1. OWASP Top Ten Vulnerabilities Classification
2.3.2. WASC Web Security Attack Classification
2.3.3. Unclassified Application-Layer Attack Types
3. Complete Threat Protection with AppWall


1. Preface

1.1. General

Enabling organizational processes and applications for the Internet is a critical requirement in today's business landscape. As a result, strong network-level protection against attacks, such as firewalls and intrusion detection systems, is mandatory in all enterprise Web Application environments, as such threats impose real risk and high costs.

However, hacking techniques are now designed to access a Web Application through its legitimate interface and attack back-end systems using transactions that appear to be normal. These well-publicized Web Application-level attack techniques cannot be detected by network firewalls and intrusion detection systems. Web Application attacks pass through unchecked, enabling access to sensitive information and systems. In addition, since this entire activity looks like perfectly legitimate Internet traffic, the network security team is completely unaware of these attacks unless someone happens to notice their effects.

This paper provides an overview of Web Application Security and discusses the following topics:

- Introduction to Web Application Security: describes Web Application security, including an overview of HTTP and its related security issues, the hackers and threats currently at play in the Web Application industry, and more.
- Complete Threat Protection with Radware AppWall: discusses the various protection techniques provided by AppWall.

1.2. Target Audience

This paper is intended for IT professionals who are responsible for the implementation of a Web Applications security policy in their organization. This guide takes the reader from the basic initial steps for starting to work with AppWall through to leveraging more advanced AppWall configurations, depending on the reader's requirements.

It is assumed that readers of this guide are familiar with many of the concepts and terms used throughout the Web Application Security industry.


2. Introduction to Web Applications Security

2.1. Web Applications Security Overview

We at Radware refer to Web Application Security as making use of software and hardware to protect Web Applications from internal and external threats.

As the tools and technology approaches used to create Web Applications change rapidly, developers tend to spend more time implementing these tools and technologies, and less time implementing security in the application. An application that has been developed with security in mind minimizes holes and backdoors in the application; such holes and backdoors leave the application vulnerable to potential hackers.

Security is becoming an increasingly important concern during development as applications become more frequently accessible over networks and are, as a result, vulnerable to a wide variety of application-layer threats.

Hacking or attacking Web Applications is a security domain with no limit on the number of methods and techniques that can be used to gain illegal access, manipulate information, or cause damage to an enterprise. As these methods and techniques develop, it is our aim to develop means and techniques, through advanced technology, to prevent harm to an application.

The following sections provide in-depth information about HTTP, the main protocol used to deliver files and data across the Internet, as well as information on the known threats, vulnerabilities and attack types as they are classified today by security authorities such as the FBI, the SANS (SysAdmin, Audit, Network, Security) Institute, WASC (Web Application Security Consortium) and OWASP (Open Web Application Security Project).

2.2. HTTP: The Internet Protocol

Hypertext Transfer Protocol (HTTP) is perhaps the most significant protocol used on the Internet today. Web services, network-enabled appliances and the growth of network computing continue to expand the role of HTTP beyond user-driven Web browsers, while increasing the number of applications that require HTTP support.

2.2.1. Background on HTTP

HTTP is the network protocol used to deliver virtually all files and other data (collectively referred to as resources) on the World Wide Web, including HTML files, image files, query results, or data in any other format.

A browser, known as an HTTP client, sends requests to an HTTP server (Web server), which then sends responses back to the client. HTTP usually takes place over TCP connections, usually using port 80, though this can be overridden so that another port is used.

After a successful connection, the client transmits a request message to the server, which sends a reply message back. The simplest HTTP message is "GET ", to which the server replies by sending the named document. If the document does not exist, the server sends an HTML-encoded message stating that.

HTTP is used to transmit resources, not just files. A resource is a chunk of information that can be identified by a Uniform Resource Locator (URL; resources are the R in URL). The most common type of resource is a file, but a resource may also be a dynamically generated query result, the output of a CGI script, the output of PHP or any other dynamic Web scripting language, a Java servlet, a document that is available in several languages, or something else.

2.2.2. HTTP Methods

HTTP defines eight methods (sometimes referred to as "verbs") indicating the desired action to be performed on the identified resource, as follows:

- HEAD: Asks for a response identical to the one that would correspond to a GET request, but without the response body. This is useful for retrieving meta-information written in response headers without having to transport the entire content.
- GET: Requests a representation of the specified resource. This is by far the most common method used on the Web today. GET should not be used for operations that cause side effects (using it for actions in Web Applications is a common misuse).
- POST: Submits data to be processed (for example, from an HTML form) to the identified resource. The data is included in the body of the request. This may result in the creation of a new resource, the update of existing resources, or both.
- PUT: Uploads a representation of the specified resource.
- DELETE: Deletes the specified resource.
- TRACE: Echoes back the received request, so that a client can see what intermediate servers are adding to or changing in the request.
- OPTIONS: Returns the HTTP methods that the server supports for the specified Uniform Resource Identifier (URI). This can be used to check the functionality of a Web server by requesting '*' instead of a specific resource.
- CONNECT: Converts the request connection to a transparent TCP/IP tunnel, usually to facilitate SSL-encrypted communication (HTTPS) through an unencrypted HTTP proxy.


2.3. Security Issues, Hackers and Threats

This section describes the various security issues, hackers and threats that are regularly monitored by industry communities such as OWASP and WASC, which produce widely agreed-upon best-practice security standards for the World Wide Web.

2.3.1. OWASP Top Ten Vulnerabilities Classification

The following provides a description of the OWASP Top Ten:

The OWASP Top Ten provides a minimum standard for Web Application security. It represents a broad consensus about what the most critical Web Application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. OWASP urges all companies to adopt the standard within their organization and start the process of ensuring that their Web Applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.

There may be many reasons why your Web Application may be vulnerable to one or more of the OWASP Top Ten security flaws. For example:

- The Web Application in use by your enterprise may have been created using different types of technologies and software platforms.
- The development personnel in your enterprise might not have had security in mind while developing the Web Application, or may have left backdoors to the application for maintenance. Furthermore, it is common that the development personnel have changed jobs or have failed to document the application structure.

Important note: Your application is not susceptible to attack if it is not vulnerable. Maintaining the application constantly, keeping up-to-date with vulnerability information and fixing potential risks in the application must be considered a priority and not an unpleasant task.

The following summarizes the Top Ten vulnerabilities in Web Application security as classified by OWASP (vulnerability class, followed by a summary description):


A1 - Cross Site Scripting (XSS): The Web Application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.

A2 - Injection Flaws: Web Applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the Web Application.

A3 - Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

A4 - Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

A5 - Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on user's browser to send a pre-authenticated request to a vulnerable Web Application, which then forces the user's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the Web Application that it attacks.

A6 - Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to steal sensitive data or conduct more serious attacks.

A7 - Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

A8 - Insecure Cryptographic Storage: Web Applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.

A9 - Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 - Failure to Restrict URL Access: Applications frequently protect sensitive functionality only by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.

2.3.2. WASC Web Security Attack Classification

The Web Security Threat Classification is a cooperative effort to clarify and organize the threats to the security of a Web site. The members of the Web Application Security Consortium (WASC) have created this project to develop and promote industry-standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language for Web security related issues.

The WASC Threat Classification is broken down into the following main classes:

1) Authentication: Authentication threats include attacks against the validation methods used by Web Applications to validate users, services or applications. The threats that target the authentication process of Web Applications include the following:
- Brute Force Attacks
- Insufficient Authentication
- Weak Password Recovery Validation

2) Authorization: Authorization threats include attacks against the methods used by the Web Application to determine whether the user, service or application has the required permissions to perform actions. Potential hackers may attempt to manipulate the Web Application to gain privileges to restricted areas and to perform illegal actions. These threats include the following:
- Credential/Session Prediction
- Insufficient Authorization
- Insufficient Session Expiration
- Session Fixation

3) Client-Side Attacks: Client-side attacks cover a wide range of Web Application manipulation and abuse. A potential hacker may attempt to utilize the technology employed when a user connects to a Web Application to attack the user. These threats include:
- Content Spoofing
- Cross-site Scripting

4) Command Execution: These threats involve attacks designed to execute remote commands on the Web Application. These attacks are generally aimed at user-supplied information, which is used to create commands that result in dynamic Web content. With the process left insecure, an attacker could manipulate the command execution. These threats include:
- Buffer Overflow
- Format String Attack
- LDAP Injection
- OS Commanding
- SQL Injection
- SSI Injection
- XPath Injection

5) Information Disclosure: Information Disclosure threats cover attacks designed to obtain Web Application specific system information. This information usually includes software distribution, version numbers, patch level, etc. The information may also include the names and locations of temp files, backup files and others. This information may be gathered and used by a potential hacker in order to locate and exploit a backdoor or unprotected access point to the Web Application. These threats include:
- Directory Indexing
- Information Leakage
- Path Traversal
- Predictable Resource Location

6) Logical Attacks: Logical Attack threats focus on the possible exploitation of a Web Application's logic flow by a potential hacker. Application logic is a term that describes the procedure used by the application to perform a specific action, for example account registration, recovering passwords, online purchases, etc. A hacker may bypass a specific process required by the application and hence find a way to damage users or the application. These threats include:
- Abuse of Functionality
- Denial of Service
- Insufficient Anti-Automation
- Insufficient Process Validation

2.3.3. Unclassified Application-Layer Attack Types

The following list highlights attack forms that are not classified by any particular organization, yet exist. These attack forms may appear as part of any of the above classifications, or may be the result of a different class completely. Each entry gives the form of attack followed by a brief description.


Parameters Tampering: Manipulating elements in the URL sent to a Web site in order to gain illegal access or unauthorized information. By manipulating the parameters in the request, a potential hacker can then navigate and modify its contents.

Cookie Poisoning: Changes the content of cookies from what was originally set by the application, and can forge a cookie with stolen information.

Database Sabotage: Injects various SQL commands into input fields or messages that affect the regular operation of the database.

Web Services Manipulation: Exploiting vulnerabilities inherent in Web Services formats, structure, and operations, as well as dictionary and encoding manipulations.

Stealth Commanding: Smuggles command statements in text fields that will be executed within a given layer of the infrastructure.

Debug Options: Exploits vulnerabilities left open in internally developed code by using debug constructs.

Backdoor: Uses the privileged/un-referenced access that applications may provide. These are points of access to the Web Application that were not intended to be discovered by untrusted users. Some backdoors were intended only to be used during the application development stage but were never removed when the application was deployed.

Manipulation of IT Infrastructure Vulnerabilities: Exploits vulnerabilities in an integrated Internet environment, such as known patterns and common files and folders.

3rd-Party Misconfiguration: Exploits configuration errors in third-party components, such as Web and database servers.

Buffer Overflow Attacks: Sends large request messages to the application, attacking either third-party or internally developed code.

Data Encoding: Sends requests using different data encoding standards such as Unicode, UTF-8, and UTF-16. Targets variations in data encoding to pass and execute commands within specific layers of the operating environment.

Protocol Piggyback: Modifies the application protocol structure to include nested commands. Targets variations in protocols to pass and execute commands within specific layers of the operating environment.

Cross-Site Scripting (XSS): Attacks the end user's browser to reveal the end user's session token, attack the local machine or spoof content.


3. Complete Threat Protection with AppWall

This section describes the protection techniques (Security Filters) that AppWall provides against the threats and attacks described in the previous sections.

Each entry below gives the filter name, the filter description, and the threats the filter protects against.

Parameters Security Filter
  Description: This filter evaluates parameters sent in requests against a configured list of allowed (or not allowed) parameters, configured for pre-defined rules or ranges.
  Threats protected against: Parameters Tampering, Unvalidated Input, Buffer Overflow, Data Encoding

Global Parameters Security Filter
  Description: This filter evaluates request parameter values by applying specified patterns, including regular expressions, to qualifying parameters.
  Threats protected against: Parameters Tampering, Unvalidated Input, Buffer Overflow, Data Encoding

XML Security Filter
  Description: This filter parses and evaluates the XML body structure of requests as well as the values encapsulated within the XML tags. Parameter names are created using the full hierarchy of nested tags containing each value. The created parameters are evaluated by subsequent parameter-related Security Filters as defined on the Application Path level.
  Threats protected against: Unvalidated Input, Buffer Overflow, Parameters Tampering

Web Services Security Filter
  Description: This filter evaluates Web Service requests and generates an event when the request violates valid WSDL operations. Valid operations can be determined by importing and examining the WSDL file.
  Threats protected against: Unvalidated Input, Buffer Overflow, Parameters Tampering, Web Services Manipulation

Session Security Filter
  Description: This filter prevents remote users from modifying the application parameter values stored in HTML forms, and prevents remote users from manipulating session state information and submitting it to the Web Application. The Session Security Filter also protects Cookies, Path, Query, and Form parameters.
  Threats protected against: Broken Access Control, Broken Authentication and Session Management, Insecure Storage, Authorization, Cookie Poisoning

Allow List Security Filter
  Description: This filter evaluates requests based on a configured list of valid page and method requests. Based on the evaluation, it generates an event for any request not conforming to the configured list of valid requests, or stops the request.
  Threats protected against: Broken Access Control, Insecure Configuration Management, Logical Attacks, 3rd Party Misconfiguration

Path Blocking Security Filter
  Description: This filter evaluates requests to access files and folders on the application based on a configured list of relative or specific URLs, and generates an event when the request does not match the specified URLs.
  Threats protected against: Broken Access Control, Insecure Configuration Management, Logical Attacks

Brute Force Security Filter
  Description: This filter prevents remote users from attempting to guess the username and password of an authorized user.
  Threats protected against: Authentication and Session Management, Authentication

Database Security Filter
  Description: This filter evaluates request parameters for harmful SQL command syntax, command shell attacks, and cross-site scripting. It generates an event when the request does not match those specified in a configured parameters list, or stops the request completely.
  Threats protected against: Cross Site Scripting (XSS), Injection Flaws, Client-Side Attacks, Command Execution, Database Sabotage, Stealth Commanding, Backdoor

Vulnerabilities Security Filter
  Description: This filter checks requests for known vulnerability patterns based on a deterministic set of rules and generates an event when a vulnerability pattern is detected. The user can also create custom patterns to generate events.
  Threats protected against: Cross Site Scripting (XSS), Injection Flaws, Client-Side Attacks, Command Execution, Logical Attacks, Stealth Commanding, Debug Options, Backdoor, Manipulation of IT Infrastructure Vulnerabilities

Safe Reply Security Filter
  Description: This filter evaluates outbound replies for the presence of sensitive information such as credit card and Social Security numbers.
  Threats protected against: Improper Error Handling, Information Disclosure

Files Upload Security Filter *
  Description: This filter evaluates uploads and generates an event when the request does not conform to the configured specification for upload locations, file extensions, and file retrievals.

HTTP Methods Security Filter *
  Description: This filter evaluates HTTP request methods and generates an event when the request methods do not conform to the configured list of allowable methods.

Logging Security Filter *
  Description: This filter provides logging capabilities for both incoming and outgoing HTTP traffic and specifies log contents, location, size, and other properties.

* Although these filters do not protect against specific threats previously mentioned in this chapter, they add an extra dimension to enterprise security.
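The Parameters, Global Parameters, Allow List, Path Blocking and HTTP Methods filters above, like the method allow-listing implied by the HTTP Methods section, all reduce to one pattern: compare each request against a configured positive-security policy and raise an event on any mismatch. The following Python model is an added illustration of that pattern and is not AppWall's code; the rule syntax, event names, sample policy and sample requests are this example's own constructions, and the length cap is checked before any value is parsed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed illustration of a positive-security (allow-list) request policy.
# Rule syntax, names and sample requests are this example's own assumptions.

@dataclass
class ParamRule:
    pattern: Optional[str] = None                 # regex the whole value must match
    int_range: Optional[Tuple[int, int]] = None   # inclusive numeric range
    max_len: int = 256                            # length cap (oversized-value guard)

@dataclass
class Policy:
    allowed_methods: frozenset                    # HTTP Methods filter
    allowed_paths: Dict[str, Dict[str, ParamRule]]  # page -> declared parameters

@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]

def evaluate(req: Request, policy: Policy) -> List[str]:
    """Return the security events raised for one request (empty list = clean)."""
    events: List[str] = []
    if req.method not in policy.allowed_methods:
        events.append(f"method-not-allowed:{req.method}")
    rules = policy.allowed_paths.get(req.path)
    if rules is None:                             # page not on the allow-list
        events.append(f"path-not-in-allow-list:{req.path}")
        return events
    for name, value in req.params.items():
        rule = rules.get(name)
        if rule is None:                          # parameter never declared for this page
            events.append(f"unknown-parameter:{name}")
            continue
        if len(value) > rule.max_len:             # cap length before parsing anything
            events.append(f"parameter-too-long:{name}")
            continue
        if rule.int_range is not None:
            lo, hi = rule.int_range
            if not value.isdigit() or not lo <= int(value) <= hi:
                events.append(f"parameter-out-of-range:{name}")
        if rule.pattern is not None and re.fullmatch(rule.pattern, value) is None:
            events.append(f"parameter-pattern-mismatch:{name}")
    return events

# Constructed policy for a two-page application.
POLICY = Policy(
    allowed_methods=frozenset({"GET", "POST", "HEAD"}),
    allowed_paths={
        "/account/view": {
            "id": ParamRule(int_range=(1, 999999), max_len=6),
            "lang": ParamRule(pattern=r"[a-z]{2}"),
        },
        "/search": {
            "q": ParamRule(pattern=r"[\w .\-]*", max_len=64),
        },
    },
)

# Constructed sample requests: the first is clean, each other one trips one check.
SAMPLE_REQUESTS = [
    Request("GET", "/account/view", {"id": "42", "lang": "en"}),
    Request("GET", "/account/view", {"id": "42", "lang": "en", "debug": "1"}),
    Request("GET", "/search", {"q": "x" * 5000}),
    Request("TRACE", "/search", {"q": "shoes"}),
    Request("GET", "/admin/backup", {}),
    Request("GET", "/account/view", {"id": "0", "lang": "en"}),
]

def run_samples() -> List[List[str]]:
    """Evaluate every sample request and return the event lists in order."""
    return [evaluate(r, POLICY) for r in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for req, events in zip(SAMPLE_REQUESTS, run_samples()):
        print(req.method, req.path, events or "clean")
```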

For further information on working with AppWall Security Filters, please refer to the Security Filters section of the AppWall Management Application online help.
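The Safe Reply Security Filter inspects outbound replies for credit card and Social Security numbers. The following Python sketch is an added illustration and not AppWall's implementation; its patterns, masking format and sample reply are this example's own constructions. It shows why a digit pattern alone is not enough for such a filter: a Luhn check separates real card numbers from order and reference numbers of the same length, which keeps false positives out of the event log.

```python
import re
from typing import List, Tuple

# Constructed illustration of an outbound "safe reply" check; not AppWall's code.
# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_CANDIDATE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: tells a real card number from an arbitrary digit run
    (order numbers, timestamps), which keeps false positives down."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(body: str) -> List[Tuple[str, str]]:
    """Return (kind, matched text) for each sensitive value found in a reply body."""
    found = []
    for m in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):            # digit runs that fail Luhn are not reported
            found.append(("credit-card", m.group()))
    for m in SSN_CANDIDATE.finditer(body):
        found.append(("ssn", m.group()))
    return found

def mask_reply(body: str) -> str:
    """Replace each detected value with a masked form that keeps only the last 4 digits."""
    for kind, text in find_sensitive(body):
        if kind == "credit-card":
            digits = re.sub(r"[ -]", "", text)
            body = body.replace(text, "*" * (len(digits) - 4) + digits[-4:])
        else:
            body = body.replace(text, "***-**-" + text[-4:])
    return body

# Constructed reply body: one Luhn-valid test card number, one SSN, plus two
# digit runs (an order number and a 13-digit reference) that must NOT be flagged.
SAMPLE_REPLY = (
    "Order 20081112345 confirmed. Card on file: 4111 1111 1111 1111. "
    "Customer SSN 123-45-6789 on record. Ref 1234567890123."
)

if __name__ == "__main__":
    print(find_sensitive(SAMPLE_REPLY))
    print(mask_reply(SAMPLE_REPLY))
```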


Additional information is available on AppWall's page on the Radware Web site at www.radware.com.

2008 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A.

http://www.radware.com/