Marking Scheme for Semantic-aware Web Application Security

  1. Marking Scheme for Semantic-aware Web Application Security
     2006. 2. 20. HPC Lab., POSTECH, Korea. Tae Hyung Kim

  2. Contents
     - Introduction
     - Problem Definition
     - Background
     - Marking Scheme
     - Implementation
     - Discussion
     - Conclusion
  3. Introduction (1/2)
     - Most web applications are security critical, but only a small fraction of deployed web applications can afford a detailed security review.
     - Several approaches to securing web applications are under research:
       - Input and output filtering
         - Web application firewall
       - Automated testing
         - Vulnerability scanner
       - Diversity defense (against code-injection attacks)
         - Instruction-set randomization
       - Information flow security
         - Checking the integrity of data from untrusted sources

  4. Introduction (2/2)
     - In particular, many companies and researchers are developing application firewalls for web applications.
     - These firewalls are based on a positive model of the web application, because a rule-based firewall needs extra attention to update its rules periodically.
     - However, it is difficult to build a good positive model without understanding the web application's semantics.

  5. Problem Definition
     - A lack of understanding of the web application's semantics degrades web application firewalls: many false positives, many false negatives, and overhead in the detection process.
     - We propose a new scheme that makes security systems or modules aware of the semantics of the web application.
  6. Background: OWASP Top Ten Vulnerabilities
     - Unvalidated input
     - Cross site scripting (XSS)
     - Injection flaws
     - Buffer overflows
     - Broken authentication and session management
     - Broken access control
     - Improper error handling
     - Denial of service
     - Insecure storage
     - Insecure configuration
     The slide groups these as Type 1: Injection, Type 2: Poisoning, Type 3: etc.
     * OWASP: Open Web Application Security Project

  7. Background: Web Attack Analysis
     - Conditions for exploiting a web system:
       - A parameter in which malicious code can be inserted
       - A vulnerable source that processes the parameter
       - Improper configuration of the environment (optional)
       - Attacks are initiated by fabricating a parameter; the parameter is placed in the requested URL or in an HTTP header.
     - We can quarantine web attacks by restricting the data allowed in each parameter and by checking it.
  8. Marking Scheme (1/4)
     - Markers are embedded in the parameter names of web sources.
     - Markers
       - For input restriction:
         - p_ : plain alphabet only
         - n_ : numbers only
         - w_ : white space
         - s_ : special characters
         - lxx_ : maximum length xx
       - For integrity check:
         - xxx_cookieName
           - xxx: random number

     Example from the slide: Login.htm with marked parameter names (p_Username, pn_Passwd).

     ```html
     <form action="ExecLogin.asp" method="post">
       Username: <input type="text" name="p_Username"><br>
       Passwd: <input type="password" name="pn_Passwd"><br>
       <input type="submit">
     </form>
     ```

     ExecLogin.asp, the source that processes the marked parameters. The SQL is built by string concatenation exactly as on the slide; the markers restrict what can reach it, they do not change the script.

     ```asp
     <%
     Dim p_strUsername, p_strPassword, objRS, strSQL
     p_strUsername = Request.Form("p_Username")
     p_strPassword = Request.Form("pn_Passwd")
     strSQL = "SELECT * FROM tblUsers " & _
              "WHERE Username='" & p_strUsername & _
              "' and Password='" & p_strPassword & "'"
     Set objRS = Server.CreateObject("ADODB.Recordset")
     objRS.Open strSQL, "DSN=..."
     If (objRS.EOF) Then
       Response.Write "Invalid login."
     Else
       Response.Write "You are logged in as " & objRS("Username")
     End If
     Set objRS = Nothing
     %>
     ```
  9. Marking Scheme (2/4): Architecture
     - The web application is deployed with marked parameters.
     - Figure: User -> Web Firewall (Input Validation, Integrity Check) -> Web Server.
  10. Marking Scheme (3/4): Defense of Injection Attacks
      - Figure: Attacker and Normal User -> Network -> Web Firewall -> Web Server.
      - (1) Parse the requested URL.
      - (2) Hand the parsed parameters to each checking module.
      - (3) If all modules say OK, pass the request.
      - (4) If not, drop the packet.
      - URL request shown on the slide (attacker): http://aaa.bbb.com/login.htm?p_Username=xxxxdafjlkjaflafjlkdjfaljafkldjajfalfjdajfalkjlfjaslkajfadlkfjaafdkajlajdaljcat%20passwd&pn_Password=yyyyyy
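The following is an added example, written for this page and not the authors' WPC tool or firewall code, showing how the input-restriction markers of slide 8 drive the four-step check of slide 10: the query string is parsed, each parameter is handed to a checker selected by its marker, and the request passes only if every checker agrees. It assumes single-letter markers may be concatenated (the slide's pn_), that the length marker is the letter l followed by digits (l20_), and that a name without any marker is passed through unchecked; none of that grammar is spelled out on the slides.

```python
# Added example for this page: a marker-aware parameter checker that follows
# steps (1)-(4) of the slide. Illustrative code, not the authors' WPC tool or
# firewall. Assumptions: single-letter markers may be concatenated ("pn_"),
# the length marker is "l" followed by digits ("l20_"), and a parameter name
# without any marker is passed through unchecked.
import re
import string
from urllib.parse import parse_qsl, urlsplit

# Character classes behind each single-letter marker (assumed from the slide).
MARKER_CLASSES = {
    "p": set(string.ascii_letters),   # p_ : plain alphabet only
    "n": set(string.digits),          # n_ : numbers only
    "w": set(" \t"),                  # w_ : white space
    "s": set(string.punctuation),     # s_ : special characters
}

# letters = class markers, maxlen = the "lxx" marker, name = bare parameter name
MARKER_RE = re.compile(r"^(?P<letters>[pnws]+)?(?:l(?P<maxlen>\d+))?_(?P<name>.+)$")


def parse_marker(param_name):
    """Split a marked name into (allowed_chars, max_len, bare_name).

    allowed_chars / max_len are None when that marker is absent; both None
    means the parameter carries no marker at all.
    """
    m = MARKER_RE.match(param_name)
    if not m or (m.group("letters") is None and m.group("maxlen") is None):
        return None, None, param_name
    allowed = None
    if m.group("letters"):
        allowed = set()
        for letter in m.group("letters"):
            allowed |= MARKER_CLASSES[letter]
    max_len = int(m.group("maxlen")) if m.group("maxlen") else None
    return allowed, max_len, m.group("name")


def check_value(param_name, value):
    """One checking module: apply the marker on param_name to value.

    Returns (ok, reason). The value is the URL-decoded form, so an encoded
    space (%20) is judged as a space.
    """
    allowed, max_len, name = parse_marker(param_name)
    if allowed is None and max_len is None:
        return True, f"{name}: unmarked, no restriction known"
    if max_len is not None and len(value) > max_len:
        return False, f"{name}: length {len(value)} exceeds l{max_len}"
    if allowed is not None:
        bad = sorted({c for c in value if c not in allowed})
        if bad:
            return False, f"{name}: disallowed characters {bad!r}"
    return True, f"{name}: ok"


def check_request(url):
    """Steps (1)-(4): parse the requested URL, hand every parameter to its
    checking module, PASS only if all of them say OK, otherwise DROP."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    results = [check_value(name, value) for name, value in pairs]
    verdict = "PASS" if all(ok for ok, _ in results) else "DROP"
    return verdict, [reason for _, reason in results]


# The request shown on the slide (attacker) and a constructed benign login.
SLIDE_URL = ("http://aaa.bbb.com/login.htm?p_Username=xxxxdafjlkjaflafjlkdjfaljafkldjaj"
             "falfjdajfalkjlfjaslkajfadlkfjaafdkajlajdaljcat%20passwd&pn_Password=yyyyyy")
BENIGN_URL = "http://aaa.bbb.com/login.htm?p_Username=alice&pn_Password=s3cret42"

if __name__ == "__main__":
    for url in (SLIDE_URL, BENIGN_URL):
        verdict, reasons = check_request(url)
        print(verdict, reasons)
```

The slide's request is dropped because the decoded p_Username value contains a space, which the p_ marker does not admit; the benign request passes. Because the decision is taken on the decoded value, the firewall must decode exactly as the application does, otherwise an encoding the checker and the script disagree on becomes a false negative. Unmarked parameters fall back to "no restriction known", which is where a positive-model firewall would still need a hand-written rule.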
  11. Marking Scheme (4/4): Defense of Cookie Poisoning
      - Figure: Attacker and Normal User -> Network -> Web Firewall (Memory) -> Web Server.
      - (1) Cookie names are marked with a random number, e.g. 111_cookie:aaa, 222_cookie:bbb, 333_cookie:ccc.
      - (2) The firewall stores a number-hashValue pair in memory, e.g. 111, hash(aaa).
      - (3)-1 normal request / (3)-2 poisoning attempt.
      - (4) Check the number-hashValue pair: if the pair exists, pass the request; if not, drop it.
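As an added example (written for this page, not the authors' firewall), the cookie integrity check of slide 11 in full: the firewall prefixes each issued cookie name with a random number, remembers the (number, hash(value)) pair, and on the next request accepts a cookie only if its number is known and the hash of its current value matches. The slide does not name the hash function or the cookie syntax, so SHA-256 and the HTTP "Cookie: name=value; name2=value2" form are assumptions here.

```python
# Added example for this page: the cookie-marking integrity check of the slide,
# written here for illustration (it is not the authors' firewall code).
# Assumptions: the hash is SHA-256 (the slide only says hash(value)), cookies
# arrive in the HTTP "Cookie: name=value; name2=value2" form, and the random
# number is drawn from the secrets module.
import hashlib
import hmac
import secrets


class CookieIntegrityGuard:
    """Firewall-side memory of (number, hash(value)) pairs, as in the slide."""

    def __init__(self):
        self._pairs = {}  # number -> hex digest of the cookie value

    @staticmethod
    def _digest(value):
        return hashlib.sha256(value.encode("utf-8")).hexdigest()

    def mark_outgoing(self, name, value, number=None):
        """Steps (1) and (2): prefix the cookie name with a random number and
        remember the number-hashValue pair. `number` can be given explicitly
        so the example is reproducible; otherwise a fresh random one is drawn."""
        if number is None:
            number = secrets.randbelow(10**9)
            while number in self._pairs:      # never reuse a live marker
                number = secrets.randbelow(10**9)
        self._pairs[number] = self._digest(value)
        return f"{number}_{name}"

    def check_incoming(self, cookie_header):
        """Steps (3) and (4): every cookie must carry a known number, and the
        hash of its value must equal the stored one; otherwise drop."""
        for item in cookie_header.split(";"):
            item = item.strip()
            if not item:
                continue
            name, sep, value = item.partition("=")
            if not sep:
                return False, f"{name}: malformed cookie"
            number, sep, _bare = name.partition("_")
            if not sep or not number.isdigit():
                return False, f"{name}: cookie name carries no marker"
            stored = self._pairs.get(int(number))
            if stored is None:
                return False, f"{name}: unknown marker number"
            if not hmac.compare_digest(stored, self._digest(value)):
                return False, f"{name}: value changed since it was issued (poisoning)"
        return True, "all cookies intact"


# Constructed walk-through using the slide's numbers and values.
def demo():
    guard = CookieIntegrityGuard()
    issued = guard.mark_outgoing("cookie", "aaa", number=111)   # "111_cookie"
    normal = guard.check_incoming(f"{issued}=aaa")              # (3)-1 normal
    poisoned = guard.check_incoming(f"{issued}=bbb")            # (3)-2 poisoning
    return issued, normal[0], poisoned[0]


if __name__ == "__main__":
    print(demo())
```

Two things a deployment has to add on top of the slide: the stored pairs must be expired or bound to a session, since the memory otherwise grows with every Set-Cookie, and the check detects only modification of a cookie's value, so a cookie replayed unchanged still passes and session handling on the server remains responsible for that case.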
  12. Implementation
      - Web Page Conversion (WPC) tool: GUI-based; takes a web page and produces the marked web page for the user.
      - Web Application Firewall
        - Implemented on Linux
        - Based on "mod_security for Apache"

  13. Discussion: Adapting the Marking Scheme to Other Applications
      - Figure: Attacker and Normal User -> (1) Application Security System -> (2) Application.
      - Guiding information: marker, protocol.
      - The security system becomes syntax-aware (including the protocol), semantic-aware, and capable of checking integrity.

  14. Conclusion
      - We propose a new security scheme for securing web applications.
      - The scheme lets the application firewall filter malicious packets easily and efficiently by making it aware of the web application's semantics.
      - As future work, we need to implement the WPC tool and realize the firewall in detail, and we need more experiments to improve the scheme.