WebAppSec: Assessment and Defense
Ajit Dhumale, [email protected], OWASP Pune Chapter Meetup, 21st April 2016
Uploaded by ajitdhumale, posted on 22-Jan-2018 (26 slides, category: Software)

TRANSCRIPT

Page 1: WebAppSec: Assessment and Defense

WebAppSec Assessment and Defense

Ajit Dhumale [email protected]

OWASP Pune Chapter Meetup 21st April 2016

Page 2: WebAppSec: Assessment and Defense

WebApp eco-system (diagram: the layers a request crosses, as labelled on the slide)

Client side: Browser / User -> Internet
Data center edge: FW, NAT, LB
Server stack: Network Stack, OS/VM/Docker, Web Server, App Container, WebApp (App)
Data stores: DB, NoSQL

Page 3: WebAppSec: Assessment and Defense

Assessment and Defense

• Assessment

– Test if web app has vulnerabilities

• Defense

– Protect against known and unknown vulnerabilities

Page 4: WebAppSec: Assessment and Defense

Assessment: BlackBox vs WhiteBox

Page 5: WebAppSec: Assessment and Defense

BlackBox vs WhiteBox

Images credit: freedigitalphotos.net (Photo by khunaspix, patrisyu)

Page 6: WebAppSec: Assessment and Defense

DAST (BlackBox)

• Easy logistics

• (Fairly) low FP rate*

DAST: Dynamic Application Security Testing

(diagram: the scanner talks to the WebApp only over HTTP(S))

Page 7: WebAppSec: Assessment and Defense

DAST: How it works

Crawl: Get links, forms and AJAX requests to test

Test (mostly fuzzing): Send malformed/evil variants of the crawled requests and see how the web app responds
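A miniature version of the crawl-then-fuzz loop described above, added here as an example (not from the slides). The target is a constructed in-process toy app, the probe value is a constructed canary, and the only check is whether the canary comes back unescaped, which is how a scanner flags a candidate reflection.

```python
import html
from html.parser import HTMLParser

# Constructed probe value: sent into every crawled field, then looked for
# in the response; an unescaped echo of the angle brackets is the finding.
CANARY = "c4n4ry<probe>"

class Crawler(HTMLParser):
    """Crawl phase: collect links and form fields from one HTML page."""
    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append({"action": a.get("action", "/"), "fields": []})
        elif tag == "input" and a.get("name") and self.forms:
            self.forms[-1]["fields"].append(a["name"])

def toy_app(path, params):
    """Constructed stand-in for the web app under test: /search escapes
    user input before echoing it, /greet does not (the defect to find)."""
    if path == "/":
        return ('<a href="/about">About</a>'
                '<form action="/search"><input name="q"></form>'
                '<form action="/greet"><input name="name"></form>')
    if path == "/search":
        return "Results for " + html.escape(params.get("q", ""))
    if path == "/greet":
        return "Hello " + params.get("name", "")
    return "not found"

def scan(app, start="/"):
    """Test phase: fuzz each crawled field with the canary and report the
    (action, field) pairs whose value is reflected without escaping."""
    crawler = Crawler()
    crawler.feed(app(start, {}))
    findings = []
    for form in crawler.forms:
        for field in form["fields"]:
            body = app(form["action"], {field: CANARY})
            if CANARY in body:          # raw reflection => candidate XSS
                findings.append((form["action"], field))
    return {"links": crawler.links,
            "forms": [f["action"] for f in crawler.forms],
            "reflected": findings}
```

A real scanner repeats this for every crawled page and request type (including AJAX calls) and uses many probe variants per field, but the crawl/test split is the same.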

Page 8: WebAppSec: Assessment and Defense

DAST: Concerns

– Coverage

• Is the entire web app crawled?

• Auto form filling

• Authentication

– Redundant links

• http://www.cartrade.com/buy-used-cars/pune/tata/nano/2162257.html

• http://www.cartrade.com/buy-used-cars/pune/hyundai/i20/2162275.html

• http://www.cartrade.com/buy-used-cars/pune/chevrolet/beat/2162336.html

• http://www.cartrade.com/buy-used-cars/pune/maruti-suzuki/sx4/2162360.html

• Thousands of similar links

– Less direct help to developers
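One way a crawler can fold "thousands of similar links" into a handful of route templates, added here as an example (not from the slides). It builds a path trie, treats numeric segments as record ids, and collapses any node with THRESHOLD or more distinct children into a wildcard; the input list is constructed to mirror the cartrade.com URLs on the slide.

```python
from urllib.parse import urlsplit

THRESHOLD = 4   # a path node with this many distinct children is treated as a wildcard (tunable)

# Constructed crawl output, mirroring the listing URLs on the slide.
CRAWLED = [
    "http://www.cartrade.com/buy-used-cars/pune/tata/nano/2162257.html",
    "http://www.cartrade.com/buy-used-cars/pune/hyundai/i20/2162275.html",
    "http://www.cartrade.com/buy-used-cars/pune/chevrolet/beat/2162336.html",
    "http://www.cartrade.com/buy-used-cars/pune/maruti-suzuki/sx4/2162360.html",
    "http://www.cartrade.com/about-us.html",
    "http://www.cartrade.com/search?city=pune&page=2",
    "http://www.cartrade.com/search?city=mumbai&page=7",
]

def segments(url):
    """Path segments with numeric ids replaced by {n}; the query string
    keeps only its parameter names so differing values share a template."""
    parts = urlsplit(url)
    segs = []
    for s in filter(None, parts.path.split("/")):
        stem, dot, ext = s.partition(".")
        segs.append("{n}" + dot + ext if stem.isdigit() else s)
    if parts.query:
        segs.append("?" + "&".join(sorted({kv.split("=")[0] for kv in parts.query.split("&")})))
    return segs

def merge(a, b):
    for k, sub in b.items():
        a[k] = merge(a[k], sub) if k in a else sub
    return a

def collapse(node):
    """Fold a node with >= THRESHOLD children into one merged {*} child."""
    if len(node) >= THRESHOLD:
        merged = {}
        for sub in node.values():
            merge(merged, sub)
        node = {"{*}": merged}
    return {k: collapse(sub) for k, sub in node.items()}

def dedupe(urls):
    """Return {template: [urls]}; a scanner then tests one URL per template."""
    trie = {}
    for u in urls:
        node = trie
        for s in segments(u):
            node = node.setdefault(s, {})
    trie, groups = collapse(trie), {}
    for u in urls:
        node, path = trie, []
        for s in segments(u):
            key = s if s in node else "{*}"
            path.append(key)
            node = node[key]
        groups.setdefault(("/" + "/".join(path)).replace("/?", "?"), []).append(u)
    return groups
```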

Page 9: WebAppSec: Assessment and Defense

SAST (WhiteBox)

(diagram: the scanner reads the source code)

SAST: Static Application Security Testing. Images: in.mathworks.com

Page 10: WebAppSec: Assessment and Defense

SAST

• High FP rate

• Difficult logistics

– Access to source code

– Confidentiality/trust issues

• Provides direct help to developers

• Programming language dependent

– New languages, templating, runtime binding problems

• (Opaque) 3rd party libraries, external systems

Page 11: WebAppSec: Assessment and Defense

IAST: Interactive/Integrated Application Security Testing

• Correlate DAST and SAST results

OR

• Insert a monitoring agent in the application runtime

• Observe app behaviour while driving the app using DAST

• Tune the DAST tests (automatically) based on monitoring

Provides

• Better coverage, accuracy and efficiency

• Better direct help to developers

(diagram: IAST sits between DAST and SAST)

Page 12: WebAppSec: Assessment and Defense

Assessment: Manual vs Automated

Page 13: WebAppSec: Assessment and Defense

Automated vs Manual

Automated                                 Manual
Lower accuracy, higher FP                 High accuracy*, low FP*
Fast: hours to days per web app           Slower: weeks to months per web app
Bad at business logic flaw detection      Good at business logic flaw detection*
Lower cost                                Very (very) high cost

* Subject to expertise of the manual pen tester(s)

Page 14: WebAppSec: Assessment and Defense

Automated and Manual

• Automated with manual assistance

• Manual verification

Best of both worlds

Page 15: WebAppSec: Assessment and Defense

We found vulnerabilities, now what?

Page 16: WebAppSec: Assessment and Defense

Fix the vulnerabilities

…but what until the fix is available?

Patch is on the way…

Page 17: WebAppSec: Assessment and Defense

Web App Firewall (WAF)

• Protects production web apps from attacks

Page 18: WebAppSec: Assessment and Defense

WAF: How it works

• Block malicious (looking) requests

– Rules

– Heuristics

– Blacklist/whitelist

• Add protection in responses

– Security headers

– Frame busting

– Sign/encrypt cookies/hidden fields
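The "sign hidden fields" response protection in working form, added here as an example (not from the slides or any particular WAF product): on the way out the WAF appends an HMAC tag to every hidden input value, and on the way back in it rejects any hidden parameter whose tag does not verify. The secret and the form snippet are constructed.

```python
import base64
import hashlib
import hmac
import re

# Constructed secret; a real deployment keeps it out of the app and rotates it.
SECRET = b"constructed-demo-key-do-not-reuse"

# Matches the value="..." of hidden inputs in outgoing HTML (constructed pattern).
HIDDEN = re.compile(r'(<input[^>]*type="hidden"[^>]*value=")([^"]*)(")')

def sign(value: str) -> str:
    """value + '.' + urlsafe-base64(HMAC-SHA256(value)); the tag never contains '.'."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")

def verify(signed: str):
    """Return the original value, or None if the tag is missing or wrong.
    Recomputing sign() and comparing in constant time covers both cases."""
    value, sep, _tag = signed.rpartition(".")
    if not sep:
        return None
    return value if hmac.compare_digest(sign(value).encode(), signed.encode()) else None

def sign_hidden_fields(html_out: str) -> str:
    """Response side: rewrite each hidden field value to its signed form."""
    return HIDDEN.sub(lambda m: m.group(1) + sign(m.group(2)) + m.group(3), html_out)

def check_request(params: dict, hidden_names: set):
    """Request side: verify every hidden-field parameter; return the unsigned
    parameters, or None (block the request) if any of them fails."""
    clean = {}
    for name, value in params.items():
        if name in hidden_names:
            value = verify(value)
            if value is None:
                return None
        clean[name] = value
    return clean
```

Cookies get the same treatment with a Set-Cookie rewrite instead of the HTML regex; encryption is only needed when the value itself must stay hidden from the client.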


Page 19: WebAppSec: Assessment and Defense

Deploying WAF (phases)

• Training

– Observe traffic

– Learn normal traffic/patterns

– Formulate rules / create baseline

• Notification

– Apply rules, notify on violation

– (Manually) tune the rules

• Block

– Apply rules, block violations

– Filter suspicious input

– Fine tune rules
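The three deployment phases as a small rule engine, added here as an example (not from the slides): training learns a per-parameter baseline (characters seen, longest value), notification reports deviations but lets traffic through, and block rejects them. The traffic in demo() is constructed; it also shows a legitimate request tripping the learned rule, which is the re-training step the notification phase exists for.

```python
class Waf:
    """Minimal anomaly filter with the slide's phases: training / notify / block."""
    def __init__(self, mode="training"):
        self.mode = mode
        self.baseline = {}   # (path, param) -> {"maxlen": int, "charset": set}
        self.alerts = []     # (path, [violation descriptions]) seen in notify/block

    def _observe(self, path, params):
        for name, value in params.items():
            b = self.baseline.setdefault((path, name), {"maxlen": 0, "charset": set()})
            b["maxlen"] = max(b["maxlen"], len(value))
            b["charset"] |= set(value)

    def _violations(self, path, params):
        out = []
        for name, value in params.items():
            b = self.baseline.get((path, name))
            unseen = set(value) - b["charset"] if b else set()
            if b is None:
                out.append(f"{name}: parameter never seen in training")
            elif len(value) > 2 * b["maxlen"]:      # 2x slack: constructed heuristic
                out.append(f"{name}: length {len(value)} far above baseline {b['maxlen']}")
            elif unseen:
                out.append(f"{name}: unexpected characters {sorted(unseen)}")
        return out

    def handle(self, path, params):
        """Return 'allow' or 'block'; alerts are recorded in notify and block modes."""
        if self.mode == "training":
            self._observe(path, params)
            return "allow"
        found = self._violations(path, params)
        if not found:
            return "allow"
        self.alerts.append((path, found))
        return "block" if self.mode == "block" else "allow"

def demo():
    waf = Waf("training")
    for q in ("tata nano", "hyundai i20", "chevrolet beat"):   # constructed normal traffic
        waf.handle("/search", {"q": q})
    waf.mode = "notify"
    r1 = waf.handle("/search", {"q": "nano<b>"})            # markup chars: alert, still allowed
    r2 = waf.handle("/search", {"q": "maruti-suzuki sx4"})  # legit, but '-' unseen: false positive
    waf.mode = "training"
    waf.handle("/search", {"q": "maruti-suzuki sx4"})       # tune: extend the baseline
    waf.mode = "block"
    r3 = waf.handle("/search", {"q": "maruti-suzuki sx4"})  # now allowed
    r4 = waf.handle("/search", {"q": "x" * 100})            # overlong: blocked
    return r1, r2, r3, r4, waf.alerts
```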

Page 20: WebAppSec: Assessment and Defense

WAF Concerns

• Installation needs network changes

– SSL termination

• Longer deployment cycles

– App specific training/configuration

– App changes might warrant re-training/re-configuration

• Potential performance impact

• Point of failure

• An incorrect rule blocks legitimate traffic (business impact)

Page 21: WebAppSec: Assessment and Defense

WAF bypass

• Naive pattern-based filtering can be bypassed

Page 22: WebAppSec: Assessment and Defense

RASP

Runtime Application Self-Protection

• Installs a runtime agent within the application binary (runtime dependency)

• Analyzes input, event flow and application behavior at runtime

• Alerts or stops malicious execution

Page 23: WebAppSec: Assessment and Defense

WAF vs RASP

WAF                         RASP
External                    Internal
One for many apps           One (agent) per app
Technology* independent     Technology* dependent

* Programming language and runtime

Images credit: freedigitalphotos.net (Photo by taoty, Sura Nualpradid)

Page 24: WebAppSec: Assessment and Defense

Trends/Future

• Browser side security

– CSP

– HSTS

– Public Key Pinning (HPKP)

– X-Frame-Options

– X-XSS-Protection

– X-Content-Type-Options

– …

• DAST

– JavaScript analysis (DOM XSS and more)

– Blind vulnerability detection

– REST APIs, mobile apps

– HTML5, HTTP/2

• Secure coding/development

– Static code analysis within the IDE

– Secure libraries and frameworks

– Lifecycle: Design + Dev + Test + Ops

• SAST + DAST + WAF + RASP

Page 25: WebAppSec: Assessment and Defense

Questions?

Page 26: WebAppSec: Assessment and Defense

Credits

• Images:

– Icons: https://icons8.com

– Images: http://www.freedigitalphotos.net/