Web Application Security - PowerPoint PPT Presentation

Title: Web Application Security
Slides: 38
Provided by: robinm1

Transcript and Presenter's Notes

1
  • Web Application Security
  • Diane Fraiman
  • Vice President

2
The Facts Reviewed
  • Code Red infected 359,000 servers in less than 14
    hours; at the peak, it infected more than 2,000
    new hosts/minute. Estimated cost: $2.6B
    (Computer Economics)
  • Within 24 hours of Nimda hitting, 50% of the
    infected hosts went offline (CNet)
  • 1 vulnerability exists in every 1,500 lines of
    code (IBM's Watson Research Lab). Windows XP has
    45M lines of code; W2K has 35M lines of code; MS
    code lines double every 866 days.
  • $18 billion in sales is expected to be lost due
    to concerns about online security in 2002 (FTC)
  • Between 65% and 90% of companies experienced some
    sort of security breach in 2000 (CSI/FBI)

3
Cyber crime on the Rise

[Chart: Number of Hacks. Source: CERT, incidents reported.
Note: 2002 interpolated]
[Chart: Avg. Cost of Cyber crime/Company. Source: CSI/FBI, U.S.
companies surveyed only (excluding wiretapping). Note: 2002
interpolated]

4
The Problem is Real
  • 3 out of 4 business websites are
    vulnerable to attack (Gartner)
  • Internet fraud expected to exceed
    credit card fraud by 2003 (VNUnet)
  • 75% of hacks occur at the Application
    level (Gartner)
  • The results of over 300 AppAudits conducted with
    AppScan: 97% vulnerable

[Chart: breakdown of the AppAudit findings]
  • 31% Full Control / Access to Info.
  • 4% Minor Breach
  • 7% Modify Information
  • 7% Hijack Transaction
  • 25% Privacy Breach
  • 23% e-Shoplifting
  • 3% Delete Web Site
5
The Fourth Level of Web Security
6
What is a Web Application?
Invalid data can exploit weaknesses in the
application, acting as escape holes that result in
access to unauthorized accounts, the O/S and network,
and sensitive data, and may even result in an
application denial of service.

[Diagram: layers of a Web application]
  • Data
  • Database
  • Backend Application
  • Front end Application
  • User Interface Code
  • Web Server

Without any protection, holes and backdoors exist
at every layer, waiting to be exploited.
7
From Sanctum Audits
  • Top 5 banks
  • Took root control of system, listed all sys
    admins, signed up 2 Senior VPs for credit cards
    at -129
  • Found cross-site scripting, hidden fields and
    parameter tampering allowing access to all
    backend systems
  • Hundreds of servers out for weeks with Nimda
  • Broke into PeopleSoft Purchasing and HR
    applications; also broke into broker/dealer
    application
  • Major Regional Banks
  • Took control of IIS web server
  • Top 5 Mutual Fund
  • "Code Red gave us a bloody nose; Nimda tore off
    body parts"
  • Hundreds of servers out for weeks with Nimda
  • Top 2 Credit Card companies
  • Forceful browsing accessed the Netegrity SiteMinder
    directory and got the userid/password file
  • Airline
  • Downloaded source code, cookie poisoning, identity
    theft; accessed all employee schedules (still did
    not buy solution; thought they could solve it
    manually!)
  • Healthcare
  • Accessed all patient files and altered
    information
  • Telco
  • Entire customer billing record database available

8
Ten Types of Application Hacks
  • Hidden Field Manipulation - eShoplifting
  • Parameter Tampering - access OS or sensitive
    data, fraud
  • Backdoors and Debug Options - access
    code/application as developer or admin
  • Cookie Poisoning - identity theft, illegal
    transactions
  • Stealth Commanding - access OS or control
    application at OS level, site defacement
  • Forceful Browsing - access sensitive data
  • Cross-Site Scripting - script injected into pages
    served to other users, access sensitive data,
    session hijacking (eHijacking)
  • Buffer Overflow - access sensitive data, or crash
    site/application
  • 3rd-Party Misconfiguration - access OS or data
  • Published/Known Vulnerabilities - access OS, crash
    site, access sensitive data

9
Hidden Field Manipulation
  • Vulnerability explanation
  • The application sends data to the client using a
    hidden field in a form. Modifying the hidden
    field alters the data returning to the web
    application; the server cannot tell a modified
    value from the one it sent unless it re-derives
    the value or verifies it cryptographically.
  • Why Hidden Field Manipulation
  • Passing hidden fields is a simple and efficient
    way to pass information from one part of the
    application to another (or between two
    applications) without the use of complex backend
    systems.
  • As a result of this manipulation
  • The application acts according to the changed
    information and not according to the original
    data
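Worked example, added here and not part of the Sanctum deck: a checkout handler that charges whatever price comes back in a hidden field, beside one that refuses a modified form. The catalogue, the server secret and the function names are assumptions made for this example. The hardened handler verifies an HMAC over the submitted hidden fields (so an edited price or SKU no longer matches the signature the server produced) and then charges the server-side catalogue price rather than the submitted one.

```python
import hashlib
import hmac

# Constructed server-side catalogue for the example (prices in cents).
CATALOGUE = {"sku-100": 2500, "sku-200": 9900}

# Hypothetical server secret; a real deployment loads this from a secrets
# store and rotates it. It never reaches the browser.
SERVER_SECRET = b"example-secret-do-not-reuse"


def render_form_vulnerable(sku):
    """Hidden fields a naive shop puts in its checkout form."""
    return {"sku": sku, "price": str(CATALOGUE[sku])}


def checkout_vulnerable(form):
    """Trusts the client-supplied hidden 'price' field: the eShoplifting bug.
    Whatever the browser (or an intercepting proxy) sends back is charged."""
    return int(form["price"])


def _sign(sku, price):
    """HMAC over the hidden fields so the server can recognise its own values."""
    msg = f"{sku}:{price}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def render_form_hardened(sku):
    """Same hidden fields plus a signature bound to their values."""
    price = CATALOGUE[sku]
    return {"sku": sku, "price": str(price), "sig": _sign(sku, price)}


def checkout_hardened(form):
    """Reject any form whose hidden fields differ from what was served,
    then charge the server-side price rather than the submitted one."""
    try:
        sku, price, sig = form["sku"], form["price"], form["sig"]
    except KeyError as missing:
        raise ValueError(f"missing field {missing}") from None
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    # Verify over the submitted values: a modified price or sku no longer
    # matches the MAC the server computed when it rendered the form.
    if not hmac.compare_digest(_sign(sku, price), sig):
        raise ValueError("hidden field tampered")
    # Defence in depth: even an unmodified form may carry a price that has
    # since changed; the catalogue, not the form, is authoritative.
    if int(price) != CATALOGUE[sku]:
        raise ValueError("stale price")
    return CATALOGUE[sku]


def tamper(form, **changes):
    """Simulate a user editing the form in an intercepting proxy."""
    edited = dict(form)
    edited.update(changes)
    return edited
```

Binding the MAC to a session or order identifier (not done above) also stops a validly signed form being replayed by another user. The simplest fix of all is to put only the SKU in the form and never send the price to the client at all.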

10
Hidden Manipulation - Example
[Slides 10-14: screenshots walking through the example; no text in the
transcript]
15
Parameter Tampering
  • Vulnerability explanation
  • Parameters are used to obtain information from
    the client. This information can be changed in a
    site's URL parameters
  • Why Parameter Tampering
  • Developers focus on the legal values of
    parameters and how they should be utilized.
    Little if any attention is given to the incorrect
    values (out of range, wrong type, or belonging to
    another user)
  • As a result of this manipulation
  • The application can perform a function that was
    not intended by its developer, like giving access
    to another customer's information
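Worked example, added here rather than taken from the deck: an account lookup that selects a record by whatever id the URL carries, beside one that checks the parameter's legal form and then enforces that the record belongs to the logged-in user. The records, user names and function names are constructed for this example.

```python
import re

# Constructed records: account id -> owner and balance.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 120},
    1002: {"owner": "bob", "balance": 4500},
}


def view_account_vulnerable(query):
    """The bug: the id in ?id=... selects the record, nothing else."""
    return ACCOUNTS[int(query["id"])]


def parse_account_id(raw):
    """Accept only the legal form of the parameter: a short run of decimal
    digits. Negative numbers, hex, whitespace, SQL fragments and path
    characters are all rejected before any lookup happens."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError("malformed account id")
    return int(raw)


def view_account_hardened(session_user, query):
    """Validate the parameter, then enforce ownership. The same error is
    returned for 'no such account' and 'not your account' so a tamperer
    cannot use the difference to enumerate valid ids."""
    account_id = parse_account_id(query.get("id"))
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        raise PermissionError("account not found")
    return record


def classify_inputs(values):
    """Helper for the 'legal vs incorrect values' point: returns which of
    the given raw parameter values the validator accepts."""
    accepted = []
    for value in values:
        try:
            parse_account_id(value)
        except ValueError:
            continue
        accepted.append(value)
    return accepted
```

The ownership check is the part that closes the hole; the format check alone only stops the exotic inputs, not a neighbouring customer's id.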

16
Parameter Tampering - Example
[Slides 16-17: screenshots of the example; no text in the transcript]
18
What is a Viable Solution?
  • VIABLE: Positive Security Model
  • Vulnerability Assessment tools bullet-proof
    applications before they go into production
  • Application Firewalls block, log and alert
    against known/unknown attacks
  • Behavioral/Policy-based
  • Automatically builds a policy in real time for
    the site
  • Allows only intended business interactions
  • Maintains intended application behavior
  • e.g., Code Red and Nimda blocked without updates
    or rules
  • NOT VIABLE: Negative Security Model
  • Signature/Rules-based: blocks known attacks
    based on signatures, heuristics or rules
  • e.g., need patch installed or signatures
    written to block Code Red/Nimda

19
Traditional (Manual) Vulnerability Assessment
  • Issues
  • process is complex
  • security knowledge needed for performing a
    successful audit
  • The process
  • Manual coverage of relevant business processes
  • Full inspection of client side scripts and
    comments
  • Full inspection of application interfaces
  • Manual analysis of potential vulnerabilities
  • Manual testing of potential vulnerabilities
  • Check for installation of known patches
  • The knowledge
  • Complete understanding of application logic
  • Complete knowledge of application manipulation
    methods
  • Memory of all known patches and issues
  • Complete understanding of the most secure
    configuration of all tools

20
Traditional Auditing: the problem
Never ending, time consuming and expensive!
  • Multiple points of people failure
  • Development, QA, Operations, Vendor software,
    Outsourcing
  • New third party bugs discovered every day
  • site exposed during patch latency
  • Site Complexity
  • many lines of code and application interactions
  • Compressed application development cycle
  • time to market needs will impact development and
    QA
  • Distributed Knowledge
  • No single person has all the knowledge needed for
    a full audit

21
Automatic Application Vulnerability Assessment
  • Explore - automatically explore the site,
    discover potential vulnerabilities, dynamically
    create tests to evaluate them
  • Test - test and validate potential vulnerabilities
    and assign success and severity ratings
  • Report - generate custom reports with information
    targeted at specific levels of security expertise
    and functions

This process can be repeated as often as
necessary: once a week, once a month, or only one
time.
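The explore/test/report loop in miniature, as an added example that is not AppScan's code: a crawler follows the links in a constructed mock application, mutates every numeric query parameter it saw the application use, and reports the requests for which the application still answers 200 with different content. The mock application, its accounts and the mutation list are assumptions made for the example; a real scanner also diffs on status, size and timing, and carries a far larger test knowledge base than one mutation rule.

```python
import re
from urllib.parse import parse_qsl, urlsplit

HREF_RE = re.compile(r'href="([^"]+)"')

# Constructed mock application standing in for the target site.
_ACCOUNTS = {"1001": "owner=alice balance=120", "1002": "owner=bob balance=4500"}


def mock_app(path, params):
    """Return (status, body). /account trusts the id parameter blindly,
    which is the parameter-tampering bug the scanner should find."""
    if path == "/":
        return 200, '<a href="/account?id=1001">My account</a> <a href="/help">Help</a>'
    if path == "/help":
        return 200, "<p>Help</p>"
    if path == "/account":
        record = _ACCOUNTS.get(params.get("id", ""))
        return (200, record) if record else (404, "no such account")
    return 404, "not found"


def explore(app, start="/"):
    """Explore: crawl every reachable link and record each (path, params)
    with the response it produced, so the test phase has a baseline."""
    pages, queue = {}, [start]
    while queue:
        parts = urlsplit(queue.pop())
        params = tuple(sorted(parse_qsl(parts.query)))
        key = (parts.path, params)
        if key in pages:
            continue
        status, body = app(parts.path, dict(params))
        pages[key] = (status, body)
        queue.extend(HREF_RE.findall(body))
    return pages


def numeric_mutations(value):
    """Test values a developer rarely thinks about: neighbours and extremes."""
    n = int(value)
    return [str(n + 1), str(n - 1), "0", "-1", "99999999"]


def probe(app, pages):
    """Test: replay each discovered request with mutated numeric parameters;
    a 200 carrying content that differs from the baseline means the server
    accepted a value it never offered."""
    findings = []
    for (path, params), (_, baseline) in pages.items():
        for name, value in params:
            if not value.isdigit():
                continue
            for mutant in numeric_mutations(value):
                mutated = dict(params)
                mutated[name] = mutant
                status, body = app(path, mutated)
                if status == 200 and body != baseline:
                    findings.append({"type": "parameter tampering", "severity": "high",
                                     "path": path, "param": name, "value": mutant})
    return findings


def report(findings):
    """Report: one line per finding, or a clean bill if nothing was found."""
    if not findings:
        return "no findings"
    return "\n".join(f"{f['severity'].upper()}: {f['type']} at "
                     f"{f['path']}?{f['param']}={f['value']}" for f in findings)
```

Run end to end with `report(probe(mock_app, explore(mock_app)))`; against the mock application the only hit is the neighbouring account id, which is exactly the audit result the deck describes for its bank and healthcare customers.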
22
Automatic Application Vulnerability Assessment
Benefits
  • Explore
  • Automation enables coverage of the application
  • Automatic extraction of information from the
    application
  • Deploys a knowledgebase of possible vulnerabilities
  • Automatically covers all potential holes
  • Test
  • Automatically identifies successful attacks
  • Coverage of all potential vulnerabilities
  • Refinement stage (multi-attack correlation)
  • Reporting
  • Automatically generates findings report
  • Supplies solution recommendations

Automation = less time, more coverage.
Expert system = less knowledge needed.

23
Vulnerability assessment tools

Commercial
  • Application Vulnerability Assessment
  • Sanctum / AppScan
  • Network Known Vulnerability Scanners
  • ISS / Internet Scanner
  • NAI / CyberCop
  • eEye / Retina

Public Domain
  • Known Vulnerability Scanners
  • Whisker
  • Nessus
  • Proxy Scanners
  • Achilles
  • HTTPush
  • RFProxy
  • WebSleuth

24
Full Online Application Protection: ICSA
Requirements for an Application Firewall
  • Functions at the application level - ISO model
    layer 7
  • Understands inbound and outbound requests
  • Blocks invalid requests without terminating the
    entire user session
  • Designed to recognize and protect against
    application threats
  • Signature and non-signature attacks
  • Dynamic and Accurate
  • Understands application logic
  • Compatible with Web application technologies
  • Designed with the real world environment in mind:
    code/content changes every day
  • Works in Real Time
  • Addresses threats before they reach the server
  • Provides Application Level Forensics
  • Logging and Alerting

25
How an Application Firewall Works
The Security Policy is built dynamically in real
time as pages are requested by the user.

[Diagram: Browser <-> Dynamic Policy Recognition Engine <-> Web Server]
Sanctum, Inc. Patented Technology
26
How an Application Firewall Works: Hidden
Manipulation
[Slides 26-29: screenshots of the firewall handling the hidden-field
manipulation example; no text in the transcript]
30
How an Application Firewall Works: Blocking the
Attack
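The positive security model of slide 18 and the dynamic policy engine of slides 25-30, as an added example that is not Sanctum's patented code: the policy is learned from the forms in each outbound page (what the server offered) and enforced on the inbound request (what the client sent back), so an unknown path, an extra parameter, a modified hidden field or an over-long value is blocked without any attack signature. The served page, the parameter names and the class names are assumptions made for the example.

```python
from html.parser import HTMLParser


class _FormCollector(HTMLParser):
    """Pull every <form> and its named <input>s out of an outbound page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "fields": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and attrs.get("name"):
            maxlength = attrs.get("maxlength")
            self._current["fields"][attrs["name"]] = {
                "type": attrs.get("type", "text"),
                "value": attrs.get("value"),
                "maxlength": int(maxlength) if maxlength else None,
            }

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


class DynamicPolicy:
    """Positive security model: the only requests allowed are the ones the
    application itself offered. Learned from outbound HTML, enforced on
    inbound requests; nothing here knows what an attack looks like."""

    def __init__(self):
        self.allowed = {}  # form action -> {field name: spec}

    def learn(self, html):
        collector = _FormCollector()
        collector.feed(html)
        for form in collector.forms:
            self.allowed[form["action"]] = form["fields"]

    def check(self, path, params):
        """Return (allowed, reason) for an inbound request."""
        spec = self.allowed.get(path)
        if spec is None:
            return False, f"forceful browsing: {path} was never offered"
        for name, value in params.items():
            field = spec.get(name)
            if field is None:
                return False, f"unexpected parameter {name!r}"
            if field["type"] == "hidden" and value != field["value"]:
                return False, f"hidden field {name!r} modified"
            if field["maxlength"] is not None and len(value) > field["maxlength"]:
                return False, f"{name!r} longer than maxlength {field['maxlength']}"
        for name, field in spec.items():
            if field["type"] == "hidden" and name not in params:
                return False, f"hidden field {name!r} missing"
        return True, "ok"


# Constructed checkout page standing in for what the web server served.
SERVED_PAGE = """
<form action="/checkout" method="post">
  <input type="hidden" name="sku" value="sku-200">
  <input type="text" name="qty" maxlength="3">
  <input type="submit" value="Buy">
</form>
"""


def build_policy():
    """Learn a policy from the served page, as the engine does per response."""
    policy = DynamicPolicy()
    policy.learn(SERVED_PAGE)
    return policy
```

Two caveats a practitioner would want alongside the slide's claims: the learned policy has to be kept per session (hidden values differ from user to user, and a shared allow-list would let one user's served values stand in for another's), and an allow-list learned only from what the server rendered will block legitimate traffic the server never offered in HTML, such as API clients and bookmarked deep links, so those paths need an explicit policy rather than a learned one.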
31
Application Level Forensics
32
Web Application Protection Solutions
  • Content Integrity
  • TripWire / TripWire
  • Gilian / G-Server
  • Network Separation
  • Whale / e-Gap
  • SpearHead / AirGap
  • Access Control
  • Netegrity / SiteMinder
  • RSA-Securant / ClearTrust
  • Protected OS
  • Argus / PitBull
  • HP / Virtual Vault
  • Known Attack Detection
  • Entercept / Entercept WS
  • Okena
  • eEye / SecureIIS
  • Web Application Firewall
  • Sanctum / AppShield (only app firewall certified by
    ICSA Labs)

33
Protecting at the OS level: Host Intrusion
Prevention
  • Host Intrusion Prevention Solutions
  • Reside at the OS level only (i.e. a wrapper
    around the OS)
  • Prevent OS vulnerabilities from being
    exploited
  • Reside on both network servers (i.e. mail and
    ftp) and/or web servers

34
But, the Applications Remain Vulnerable
Even with OS holes plugged, the applications
remain unprotected
35
Sanctum
  • Sanctum is the recognized industry leader for Web
    application security solutions
  • 200 customers; 54 of the F100
  • 8 of the top 10 financial institutions in the
    U.S. use Sanctum solutions
  • Global Leadership: Japan and Europe
  • Intellectual property leadership: 3 patented, 4
    patent-pending technologies
  • Financial Services, retail, healthcare, media,
    telecom and utilities industries, government
  • Strategic Partnerships
  • PWC, IBM Global Services, Netegrity, AT&T, Perot
    Systems, Accenture, E&Y
  • Sanctum is the only company that provides
    automatic enforcement of intended business
    processes, ensuring the protection of core
    information and data
  • AppShield: Web application firewall, full online
    prevention
  • AppScan: automated vulnerability assessment
    solution

36
Summary
  • Web Perversion is a huge problem
  • $18 billion in lost sales forecasted due to
    security concerns in 2002 (FTC)
  • 75% of attacks are at the Application level
    (Gartner Group)
  • Hackers victimized 90% of large corporations and
    government agencies within the last 12 months
    (CSI and FBI)
  • Security is an urgent management issue and a
    mandatory Core Value
  • Your Web applications are at the heart of your
    business
  • Security is a Business Driver
  • Protecting Your Web Applications is the Enterprise
    Equivalent of National Security
  • Performing application level audits and/or
    application level prevention and detection is
    crucial
  • Automation must be fought with automation
  • SANCTUM is the Recognized Leader for
  • Web Application Security Solutions
  • www.SanctumInc.com

37
SAVE YOUR SITE
GET