GUIDEWEBAPPLICATIONSECURITYHow to Minimize the Risk of Attacks T able of Contents I. Summary 2 II. Overview of Web Application Scanning 2 III. Types of Web Application Vulnerabilities 3 IV. Detecting Web Application Vulnerabilities 4 V. Introducing QualysGuard® WAS 2.0 5 I. Protect Your Web Applications V 7 VII. About Qualys 7
Guide: Web Application Security; How to Minimize the Risk of Attacks page 2SummaryVulnerabilities in web applications are now the largest source of enterprise security attacks. Web application vulnerabilitiesaccounted for over 55% of all vulnerabilities disclosed in 2010, according to an IBM X-Force study. That may be the tipof the iceberg as the study includes only commercial web applications.1 Stories about compromised sensitive datafrequently mention culprits such as “cross-site scripting,” “SQL injection,” and “buffer overflow.” Vulnerabilities like theseoften fall outside the traditional expertise of network security managers. The relative obscurity of web application vulner-abilities thus makes them useful for attacks. As many organizations have discovered, these attacks will evade traditionalenterprise network defenses unless you take new precautions.To help you understand how to minimize these risks, Qualys provides this guide as a primer to web application security.The guide surveys typical web application vulnerabilities, compares options for detection, and introduces theQualysGuard Web Application Scanning solution – an on demand service from Qualys that automates detection of themost prevalent vulnerabilities in custom web applications.Overview of Web Application SecurityAttacks on vulnerabilities in web applications began appearing almost from the beginning of the World Wide Web, in themid-1990s. Attacks are usually based on fault injection, which exploits vulnerabilities in a web application’s syntax andsemantics. Using a standard browser and basic knowledge of HTTP and HTML, an attacker attempts a particular exploitby automatically varying a Uniform Resource Indicator (URI) link, which in turn could trigger an exploit such as SQLinjection or cross-site scripting. http://example/foo.cgi?a=1 http://example/foo.cgi?a=1’ Example of SQL Injection http://example/foo.cgi?a=<script>… Example of Cross-site Scripting (XSS) Some attacks attempt to alter logical workflow. Attackers also execute these by automatically varying a URI. http://example/foo.cgi?admin=false http://example/foo.cgi?admin=true Example of increasing privilegesA significant number of attacks exploit vulnerabilities in syntax and semantics. You can discover many of thesevulnerabilities with an automated scanning tool. Logical vulnerabilities are very difficult to test with a scanning tool; theserequire manual inspection of web application source code analysis and security testing. Web application security vulner-abilities can stem from misconfigurations, bad architecture, or poor programming practices within commercial or customapplication code. Vulnerabilities may be in code libraries and design patterns of popular programming languages such asJava, .NET, PHP, Python, Perl, and Ruby. These vulnerabilities can be complex and may occur under many differentcircumstances. Using a web application firewall might control effects of some exploits but will not resolve the underlyingvulnerabilities.1 IBM ISS X-Force 2010 Mid-yearTrend & Risk Report
Guide: Web Application Security; How to Minimize the Risk of Attacks page 3Types of Web Application Vulnerabilities The number of new vulnerability disclosures in the first half ofWeb applications may have any of two dozen types of vulnerabilities. Security the year is at the highest levelconsultants who do penetration testing may focus on finding top vulnerabilities, ever recorded. This is in starksuch as those in a list published by the Open Web Application Security Project contrast to the 2009 mid-year(www.owasp.org), the OWASP Top 10. Other efforts to systematically organize report when new vulnerabilityweb application vulnerabilities include more than 30 granular threat classifications disclosures were at the lowestpublished by the Web Application Security Consortium (www.webappsec.org). level in the previous four years.The following descriptions of web vulnerabilities are modeled on a WASC schema. Web application vulnerabilities— particularly cross-site scriptingAuthentication – stealing user account identities and SQL injection—continue to n Brute Force attack automates a process of trial and error to guess a dominate the threat landscape. person’s username, password, credit-card number or cryptographic key. IBM X-Force® n Insufficient Authentication permits an attacker to access sensitive 2010 Mid-year Trend & Risk Report content or functionality without proper authentication. n Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user’s password.Authorization – illegal access to applications n Credential / Session Prediction is a method of hijacking or impersonating a user. n Insufficient Authorization permits access to sensitive content or functionality that should require more access control restrictions. n Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for authorization. n Session Fixation attacks force a user’s session ID to an explicit value.Client-side Attacks – illegal execution of foreign code n Content Spoofing tricks a user into believing that certain content appearing on a web site is legitimate and not from an external source. n Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which loads into a user’s browser.Command Execution – hijacks control of web application n Buffer Overflow attacks alter the flow of an application by overwriting parts of memory. n Format String Attack alters the flow of an application by using string formatting library features to access other memory space. n LDAP Injection attacks exploit web sites by constructing LDAP statements from user-supplied input. n OS Commanding executes operating system commands on a web site by manipulating application input.
Guide: Web Application Security; How to Minimize the Risk of Attacks page 4 n SQL Injection constructs illegal SQL statements on a web site application Enterprise-class web applica- from user-supplied input. tion scanning solutions are broader, and should include a n SSI Injection (also called Server-side Include) sends code into a web wide range of tests for major application, which is later executed locally by the web server. web application vulnerability n XPath Injection constructs XPath queries from user-supplied input. classes, such as SQL injection, cross-site scripting, and directoryInformation Disclosure – shows sensitive data to attackers traversals. The OWASP Top 10 n Directory Indexing is an automatic directory listing / indexing web server is a good starting list of major function that shows all files in a requested directory if the normal base vulnerabil¬ities, but an enter- file is not present. prise class solution shouldn’t n Information Leakage occurs when a web site reveals sensitive data such limit itself to just one list or as developer comments or error messages, which may aid an attacker in category of vulnerabilities. An exploiting the system. enteprise solution should also n Path Traversal forces access to files, directories and commands that be capable of scanning multiple potentially reside outside the web document root directory. applications, tracking results over time, providing robust n Predictable Resource Location uncovers hidden web site content and reporting (especially compli- functionality. ance reports), and providingLogical Attacks – interfere with application usage reports customized for local requirements. n Abuse of Functionality uses a web site’s own features and functionality to consume, defraud, or circumvent access control mechanisms. Securosis.com Building a Web Application Security n Denial of Service (DoS) attacks prevent a web site from serving normal Program Whitepaper user activity. n Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually. n Insufficient Process Validation permits an attacker to bypass or circumvent the intended flow of an application.Detecting Web Application VulnerabilitiesThere is no “silver bullet” to detecting web application vulnerabilities. Thestrategy for their detection is identical to the multi-layer approach used forsecurity on a network. Detection and remediation of some vulnerabilitiesrequires source code analysis, particularly for complex enterprise-scale webapplications. Detection of other vulnerabilities may also require on-sitepenetration testing. As mentioned earlier, the most prevalent web applicationvulnerabilities can also be detected with an automated scanner. An automatedweb application vulnerability scanner both supplements and complementsmanual forms of testing. It provides four key benefits: n Lower total cost of operations by automating repeatable testing processes
Guide: Web Application Security; How to Minimize the Risk of Attacks page 5 n Close security loopholes by discovering and identifying rogue web applications n Understand the security risks for your most public and accessible IT assets n Drive secured coding practices for custom application developmentA scanner does not have access to a web application’s source code, so the only way it can detect vulnerabilities is byperforming likely attacks on the target application. Time required for scanning varies, but doing a broad simulated attackon an application takes significantly longer than doing a network vulnerability scan against a single IP. A major requirementfor a web application vulnerability scanner is comprehensive coverage of the target application’s functionality. Incompletecoverage will cause the scanner to overlook existing vulnerabilities.Introducing QualysGuard® WAS 2.0The QualysGuard Web Application Scanning (WAS) solution is an on demand service integrated into the QualysGuardsecurity and compliance Security-as-a-Service (SaaS) suite. Use of the QualysGuard WAS presumes no specializedknowledge of web security. The service allows a network security or IT administrator to execute comprehensive, accuratevulnerability scans on custom web applications such as shopping carts, forms, login pages, and other types of dynamiccontent. The broad scope of coverage focuses tests on Web application security. Figure 1: The QualysGuard WAS 2.0 Dashboard Figure 2: Scan Management view within QualysGuard WAS 2.0
Guide: Web Application Security; How to Minimize the Risk of Attacks page 6Key BenefitsQualysGuard WAS helps organizations catalog web applications within their enterprise and get an inventory of theirapplications – no matter where they reside. Then, QualysGuard WAS automates repeatable techniques used to identifythe most prevalent web vulnerabilities, such as SQL injection and cross-site scripting in web applications. It combinespattern recognition and observed behaviors to accurately identify and verify vulnerabilities. The QualysGuard WASservice identifies and profiles login forms, session state, error pages, and other customized features of the targetapplication – even if it extends across multiple web sites. This site profile data helps QualysGuard WAS to adapt tochanges as the web application matures. Adaptability enables the scanner to be used against unknown or legacy webapplications that may carry little information about error pages or other behavior. As a result, QualysGuard WASdelivers accurate detection and reduces false positives. The automated nature of QualysGuard WAS enables regulartesting that produces consistent results and easily scales for large numbers of web sites.Feature HighlightsQualysGuard WAS offers comprehensive capabilities toassess, track, and report web application vulnerabilities.Key features include: n Crawling & Link Discovery – Embedded browser crawls complex sites. Reaches wide coverage of the site’s functionality by sampling redundant and related links. n Authentication – Automatically finds and authenticates to login forms. Maintains an authenticated session. Support for server-based authentication (Basic, Digest, NTLM) including SSL client certificates. Figure 3: Scan Summary results within QualysGuard WAS 2.0 n Exclusion Lists – Use blacklists and whitelists to guarantee coverage and prevent the crawler from hitting certain links or areas of the site. n Performance – User-determined bandwidth level for parallel scanning to control impact on application performance. Smart vulnerability checks skip unnecessary tests. n Sensitive Content – Search for privacy- or security-related content within the site’s HTML. n Accurate Vulnerability Tests – Minimizes false positives by profiling the target’s behavior. Uses multiple steps to verify discoveries. n Site Discovery & Management – Discover web servers across a network. Manage scores of web applications from Figure 4: QualysGuard WAS 2.0 – Detailed Scan Results a unified interface.