webappsec: assessment and defense
TRANSCRIPT
WebAppSec Assessment and Defense
Ajit Dhumale [email protected]
OWASP Pune Chapter Meetup 21st April 2016
WebApp eco-system (diagram): Browser / User → Internet → FW, NAT, LB → Data Center → App; the app stack is OS/VM/Docker, Network Stack, Web Server, App Container, WebApp, with DB, NoSQL, … as back ends
Assessment and Defense
• Assessment
– Test if web app has vulnerabilities
• Defense
– Protect against known and unknown vulnerabilities
Assessment: BlackBox vs WhiteBox
Images credit: freedigitalphotos.net (Photo by khunaspix, patrisyu)
DAST (BlackBox)
• Easy logistics
• (Fairly) low FP rate*
DAST: Dynamic Application Security Testing
(diagram: DAST scanner → HTTP(S) → WebApp)
DAST: How does it work?
• Crawl: get links, forms and AJAX requests to test
• Test (mostly fuzzing): send malformed/evil variants of the crawled requests and see how the web app responds
DAST: Concerns
• Coverage – Is the entire web app crawled?
– Auto form filling
– Authentication
• Redundant links, e.g.
– http://www.cartrade.com/buy-used-cars/pune/tata/nano/2162257.html
– http://www.cartrade.com/buy-used-cars/pune/hyundai/i20/2162275.html
– http://www.cartrade.com/buy-used-cars/pune/chevrolet/beat/2162336.html
– http://www.cartrade.com/buy-used-cars/pune/maruti-suzuki/sx4/2162360.html
– Thousands of similar links
• Less direct help to developers
SAST (WhiteBox)
SAST: Static Application Security Testing
(diagram: source code → SAST analyzer; images: in.mathworks.com)
SAST
• High FP
• Difficult logistics
– Access to source code
– Confidentiality/trust issues
• Provides direct help to developers
• Programming language dependent
– New languages, templating, runtime binding problems
• (Opaque) 3rd party libraries, external systems
IAST
• Correlated DAST and SAST results
OR
• Insert a monitoring agent in the application runtime
• Observe app behavior while driving the app using DAST
• Tune the DAST tests (automatically) based on monitoring
Provides
• Better coverage, accuracy and efficiency
• Better direct help to developers
IAST: Interactive/Integrated Application Security Testing
(diagram: IAST combining DAST and SAST)
Assessment: Automated vs Manual
Automated vs Manual
• Accuracy: Automated – lower accuracy, higher FP; Manual – high accuracy*, low FP*
• Speed: Automated – fast, hours to days per web app; Manual – slower, weeks to months per web app
• Business logic flaws: Automated – bad at detecting them; Manual – good at detecting them*
• Cost: Automated – lower cost; Manual – very (very) high cost
* Subject to expertise of the manual pen tester(s)
Automated and Manual
• Automated with manual assistance
• Manual verification
• Best of both worlds
We found vulnerabilities, now what?
• Fix the vulnerabilities
• …but what until the fix is available? Patch is on the way …
WebAppFirewall
• Protects production web apps from attacks
WAF: How it works
• Block malicious (looking) requests
– Rules
– Heuristics
– Blacklist/whitelist
• Add protection in responses
– Security headers
– Frame busting
– Sign/encrypt cookie/hidden fields
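Added example, not code from the talk or from any WAF product: a minimal WAF-style response layer that fills in missing security headers and HMAC-signs hidden form fields so that a tampered value is rejected when it comes back in. SIGNING_KEY and the header values are illustrative assumptions.

```python
"""WAF response hardening: security headers plus signed hidden fields."""
import hmac
import hashlib

# Constructed, illustrative key; a real deployment loads it from a key store.
SIGNING_KEY = b"example-waf-signing-key"

# Illustrative defaults for the headers the deck lists; tune per app.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",               # frame busting via header
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
}


def harden_response_headers(headers: dict) -> dict:
    """Return a copy of the app's response headers with the security
    headers added; a header the app already set (any case) is kept."""
    hardened = dict(headers)
    present = {k.lower() for k in hardened}
    for name, value in SECURITY_HEADERS.items():
        if name.lower() not in present:
            hardened[name] = value
    return hardened


def sign_field(name: str, value: str) -> str:
    """Bind a hidden-field value to its field name with an HMAC-SHA256 tag,
    so neither the value nor the field it belongs to can be swapped."""
    mac = hmac.new(SIGNING_KEY, f"{name}={value}".encode(), hashlib.sha256)
    return f"{value}|{mac.hexdigest()}"


def verify_field(name: str, signed: str):
    """Return the original value when the tag verifies, otherwise None.
    Splits on the last '|' so values that contain '|' still round-trip."""
    if "|" not in signed:
        return None
    value, _, tag = signed.rpartition("|")
    expected = hmac.new(SIGNING_KEY, f"{name}={value}".encode(),
                        hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(expected, tag) else None
```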
Deploying WAF (phases)
• Training
– Observe traffic
– Learn normal traffic/patterns
– Formulate rules / create baseline
• Notification
– Apply rules, notify on violation
– (Manually) tune the rules
• Block
– Apply rules, block violations
– Filter suspicious input
– Fine-tune rules
WAF Concerns
• Installation needs network changes
– SSL termination
• Longer deployment cycles
– App-specific training/configuration
– App changes might warrant re-training/re-configuration
• Potential performance impact
• Point of failure
• Incorrect rule blocks legit traffic – business impact
WAF bypass
• Naïve pattern-based filtering can be bypassed
RASP: Runtime Application Self-Protection
• Installs a runtime agent within the application binary (runtime dependency)
• Analyzes input, event flow and application behavior at runtime
• Alerts or stops malicious execution
WAF vs RASP
• Placement: WAF – external; RASP – internal
• Scope: WAF – one for many apps; RASP – one (agent) per app
• Technology*: WAF – independent; RASP – dependent
*Programming language and runtime
Images credit: freedigitalphotos.net (Photo by taoty, Sura Nualpradid)
Trends/Future
• Browser side security
– CSP
– HSTS
– Public Key Pinning (HPKP)
– X-Frame-Options
– X-XSS-Protection
– X-Content-Type-Options
– …
• DAST
– JavaScript analysis (DOM XSS and more)
– Blind vulnerability detection
– REST APIs, mobile apps
– HTML5, HTTP/2
• Secure coding/development
– Static code analysis within the IDE
– Secure libraries and frameworks
– Lifecycle: Design + Dev + Test + Ops
• SAST + DAST + WAF + RASP
Questions?
Credits
• Images:
– Icons: https://icons8.com
– Images: http://www.freedigitalphotos.net/