Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Web Application Security

335 views

Published on

Prezentace z konference Virtualization Forum 2019
Praha, 3.10.2019
Sál F5 Networks

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Web Application Security

  1. 1. Web Application Security Radovan Gibala Senior Systems Engineer F5 Networks gigi@f5.com
  2. 2. © F5 Networks, Inc 2 Common attacks on web applications BIG-IP ASM delivers comprehensive protection against critical web attacks CSRF Cookie manipulation OWASP top 10 Brute force attacks Forceful browsing Buffer overflows Web scraping Parameter tampering SQL injections Information leakage Field manipulation Session high jacking Cross-site scripting Zero-day attacks Command injection ClickJacking Bots Business logic flaws
  3. 3. © F5 Networks, Inc 4 Traditional Security Devices vs. WAF Known Web Worms Unknown Web Worms Known Web Vulnerabilities Unknown Web Vulnerabilities Illegal Access to Web-server files Forceful Browsing File/Directory Enumerations Buffer Overflow Cross-Site Scripting SQL/OS Injection Cookie Poisoning Hidden-Field Manipulation Parameter Tampering Layer 7 DoS Attacks Brute Force Login Attacks App. Security and Acceleration Credential Stuffing Password Field obfuscation BotNet protection ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ WAF X X X X X X X Network/Next Gen Firewall Limited Limited Limited Limited Limited IPS Limited Partial Limited Limited Limited Limited Limited X X X ✓ X X X X X Limited Limited Limited Limited X X X X XLimited
  4. 4. Web Application Firewall
  5. 5. © F5 Networks, Inc 6 Negative vs. Positive Security Model • Negative Security Model • Lock Known Attacks • Everything else is Allowed • Patches implementation is quick and easy (Protection against Day Zero Attacks) • Positive Security Model • (Automatic) Analysis of Web Application • Allow wanted Transactions • Everything else is Denied • Implicit Security against New, yet Unknown Attacks (Day Zero Attacks)
  6. 6. FULL-PROXY ARCHITECTURE
  7. 7. © F5 Networks, Inc 8 Full-proxy architecture iRule iRule iRule TCP SSL HTTP TCP SSL HTTP iRule iRule iRule ICMP flood SYN flood SSL renegotiation Data leakageSlowloris attackXSS Network Firewall WAF WAF
  8. 8. © F5 Networks, Inc 9 Application Access Network Access Network Firewall Network DDoS Protection SSL DDoS Protection DNS DDoS Protection Application DDoS Protection Web Application Firewall Fraud Protection F5 provides comprehensive application security Virtual Patching
  9. 9. Volumetric take-downs Consume bandwidth of target Network layer attack Consume connection state tables Application layer Consume application resources 2005 8 Gbps 2013 300 Gbps 2016 1.2 Tbps Source: How DDoS attacks evolved in the past 20 years, BetaNews
  10. 10. © F5 Networks, Inc 12 Different attack/issue types Application SSL DNS Network
  11. 11. © F5 Networks, Inc 13 DoS is Not a Rocket Science!
  12. 12. DDoS attacks are easy to launch hping3 nmap Low Orbit ION High Orbit IONkillapache.pl slowloris metasploitslowhttptest RussKill Pandora Dirt Jumper PhantomJS …, Jmeter, Scapy, Httpflooder, PhantomJS, SSLyze, THC-SSL-DOS, and many, many more…
  13. 13. Source: Securelist, Kaspersky Lab, March 2017 Low sophistication, high accessibility • Accessible Booters/stressers easy to find • Lucrative Profit margins of up to 95% • Effective Many DDoS victims pay up
  14. 14. 1.2 Tbps1 Tbps620 Gbps Mirai DDoS attacks Source: The Hunt for IoT: The Rise of Thingbots, F5 Labs, August 2017
  15. 15. Critical info on threat source and attack type trends Application Threat Intelligence
  16. 16. SOLUTION Customer Cloud Network and App Protection DDoS attacker DMZ Cloud-Based DDoS Mitigation Platform DDoS Hybrid Defender PROBLEM
  17. 17. © F5 Networks, Inc 19 Rate Limit to Protect the Server Detect and Block Bots and Bad Actors Create and Enforce Dynamic Signatures Analyze Application Stress and Continually Tune Mitigations. Start of Attack Identify Attackers Advanced Attacks Persistent Attacks Multiple Layers of Protection Even basic attacks can take an unprotected server down quickly. Persistent attackers will adjust tools, targets, sources and attack volume to defeat static DOS defenses. The f5 approach protects the server from the first moment of the attack and then analyzes the attack tools, sources and patterns to refine mitigations. These sophisticated protections maximize application availability while minimizing false positives.
  18. 18. • Detect L7 DDoS Attacks by monitoring TPS, Latency (Automatic), Heavy URLs, URLs, IPs, Heavy URLs and Behavioral DDoS detection • Mitigate L7 DDoS by various methods: Block, Rate limit, Client challenges (bot detection) and Behavioral DDoS mitigation • Leverage Bot Signatures & Geolocation • Proactive Bot Defense for desktop and mobile applications
  19. 19. © F5 Networks, Inc 21 Browser Types TTL 1 2 2 5 5 SRC-IP lower 1 2 2 5 5 DstPort 1 5 6 4 k Server Health 6 4 8 0 Other L3/L4 Predicates Val min Val max URI H 1 Referrer H 1 H N # Headers 1 N Other L7 Predicates Val min Val max H N Max (Chrome) Load (EPS) Chrome Firefox IE / Cortana Safari Opera Threshold Min (Chrome) Max (Chrome) Load (EPS) Threshold Min (Chrome) VR-N VR-A VR-B VR-C VR-D Max (Chrome) Load (EPS) Threshold Min (Chrome) VR-N VR-A VR-B VR-C VR-D ….
  20. 20. © F5 Networks, Inc 22 Browser Types tN>t Load (PPS) Chrome Firefox IE / Cortana Safari Opera Max (Chrome) Threshold Fixed during attack Min (Chrome) Current Value URI H 1 Referrer H 1 H N # Headers 1 N Other L7 Predicates Val min Val max H N Max (Chrome) Load (EPS) Threshold Min (Chrome) VR-N VR-A VR-B VR-C VR-D Max (Chrome) Load (EPS) Threshold Min (Chrome) VR-N VR-A VR-B VR-C VR-D Max (Chrome) Load (EPS) Threshold Min (Chrome) VR-N VR-A VR-B VR-C VR-D Server Health
  21. 21. Use Case - DDoS Attacks DDOS Managed Service Hacker Bots Silverline Cloud Services Users Layer 3 DDOS Protection On-Premises Layer 7 DDOS Protection Core DDoS Hybrid Defender Advanced WAF Users Option: consolidate into a single layer 3-7 solution Silverline Always On under attack Communication (signaling) Problem: • DDOS attacks are growing, but your resources are not • DDoS mitigation time is slow due to manual initiation and difficult policy tuning Benefits: • On-premise hardware acts immediately and automatically to mitigate attacks. • Silverline cloud services minimizes the risk of larger attacks crippling your site or applications Solution: • Always-on protection with on-premises hardware • Mitigate with layered defense strategy and cloud services • F5 SOC monitoring with portal • Protect against all attacks with granular control • Eliminate time-consuming manual tuning with machine learning
  22. 22. of Internet traffic is automated of 2016 web application breaches involved the use of bots 98.6M bots observed Source: Internet Security Threat Report, Symantec, April 2017
  23. 23. Client-Side Attacks Malware Ransomware Man-in-the-browser Session hijacking Cross-site request forgery Cross-site scripting DDoS Attacks SYN, UDP, and HTTP floods SSL renegotiation DNS amplification Heavy URL App Infrastructure Attacks Man-in-the-middle Key disclosure Eavesdropping DNS cache poisoning DNS spoofing DNS hijacking Protocol abuse Dictionary attacks Web Application Attacks API attacks Cross-site scripting Injection Cross-site request forgery Malware Abuse of functionality Man-in-the-middle Credential theft Credential stuffing Phishing Certificate spoofing Protocol abuse Acommon source of many threat vectors Malware Ransomware Man-in-the-browser Cross-site scripting Dictionary attacks SYN, UDP, and HTTP floods SSL renegotiation DNS amplication Heavy URL API attacks Cross-site scripting Injection Malware Abuse of functionality Credential stuffing Phishing
  24. 24. Application Threat Intelligence Reaper panic The latest thingbot making press waves was predicted in "The Hunt for IoT" volume 3
  25. 25. Thingbots: Multi-purpose Attack Bots 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 7 Bots SORA OWARI UPnPProxy OMNI RoamingMantis Wicked VPNFilter 1 Bot Brickerbot 2 Bots WireX Reaper 3 Bots Mirai BigBrother Rediation 1 Bot Remaiten 1 Bot Moon 1 Bot Aidra 1 Bot Hydra 3 Bots Satori Fam Amnesia Persirai 6 Bots Masuta PureMasuta Hide ‘N Seek JenX OMG DoubleDoor 1 Bot Crash override 1 Bot Gafgyt Family 2 Bots Darlloz Marcher 1 Bot Psyb0t 4 Bots Hajime Trickbot IRC Telnet Annie Shifting from primarily DDoS to multi-purpose DNS Hijack DDoS PDoS Proxy Servers Unknown… Rent-a-bot Install-a-bot Multi-purpose Bot Fraud trojan ICS protocol monitoring Tor Node Sniffer Credential Collector Crypto-miner Thingbot Attack Type
  26. 26. Shortcomings of Today’s Approach Code-level security Difficultly differentiating between humans and modern bots Lags behind rapid pace of bot evolution IP blocking Sheer volume of IPs difficult to track and block Ineffective at blocking TOR-based bots Traditional WAF Designed to protect against OWASP Top 10 Rely solely on captcha for bot protection
  27. 27. What is Required for Accurate Bot Detection? Bot Signatures + DNS Checks JS Challenge + Browser Fingerprinting Browser Capabilities Human Detection Optional CAPTCHA Anomalies Server should not receive traffic
  28. 28. Web Scraping Protection Pro-Active Bot Prevention L7 DoS WAF SOLUTION PROBLEM Behavioural analysis to identify malicious bots
  29. 29. © F5 Networks, Inc 32 Bots that simulate browsers Web Server I’m a Bot that simulate browser ASM: ok, what are your capability ? If you will not answer right you will have to answer a CAPTCHA No you are not, bye bye -> block this guy. DNS Server Bummer Capability ? CATPCHA ?
  30. 30. Bot that simulates browser Headless Chrome Sentry MBA
  31. 31. © F5 Networks, Inc 34 How bots that simulate browsers are evaluated and scored Evaluating request High Score Pass Low Score Send CAPTCHA and If valid CAPTCHA – Pass Otherwise - Block 0 – 59 – browser 60 – 99 – Unknown 100 – Bot
  32. 32. Detect GET flood attacks against Heavy URIs Identify non-human surfing patterns Fingerprint to identify beyond IP address Operating system Geolocation Browser • Screen size and colour depth • Plugin details • Time zone • HTTP_ACCEPT headers • Language • System fonts • Touch support • Extensions Behavioural Analysis and Fingerprinting
  33. 33. How unique are you? Browsers attributes
  34. 34. Web HybridNative
  35. 35. • • • •
  36. 36. • No prior breach • Dozens of account takeovers left users picking up food bills they never ordered • Unsuspecting victims received receipts via email, after it was too late Fraudsters eat for free as Deliveroo accounts hit by mystery breach
  37. 37. 70 MILLION 427 MILLION 150 MILLION 3 BILLION In the last 8 years more than 7.1 billion identities have been exposed in data breaches1 1) Symantec Internet Security Threat Report, April 2017 2) Password Statistics: The Bad, the Worse and the Ugly, Entrepreneur Media 117 MILLION “Nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more”2 3 out of 4
  38. 38. USERNAME Credit Card Data USERNAME Intellectual Property USERNAME Healthcare Data USERNAME Passport Data USERNAME Financial Data USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME USERNAME
  39. 39. Info on emerging threats What is it? Who does it affect? Protection strategy recommendations Application Threat Intelligence
  40. 40. Breached Credential Database Comparison WAF SOLUTION PROBLEM Distributed brute force protection
  41. 41. In the first quarter of 2017, a new specimen of malware emerged every 4.2 seconds 1 in every 131 emails included malware in 2016 of all breaches in 2016 involved some form of malware Sources: 1) Malware trends 2017, G DATA Software 2) Symantec Internet Security Threat Report, April 2017 3) WannaCry Update, Rapid7 Blog, May 2017 4.2 seconds 1 in every 131 Over half (51%)
  42. 42. Use our research to learn about new types of malware Application Threat Intelligence
  43. 43. Injects into running processes Hooks functions inside Windows DLLs MitM – sends credentials to command and control center
  44. 44. WAF Man-in-the-Browser malware Online users SOLUTION PROBLEM
  45. 45. • • • • • • •
  46. 46. F5 ADVANCED WAF
  47. 47. F5 Advanced WAF Protect against bots, credential attacks, and app-layer DoS Key Benefits: • Protects Web and mobile apps from exploits, bots, theft, app-layer DoS • Prevent malware from stealing data and credentials • Prevent Brute Force attacks that use stolen credentials • Eliminate time-consuming manual tuning for App-layer DoS protection Defend against bots • Proactive bot defense • Anti-bot mobile SDK • Client and server monitoring Protect apps from DoS • Auto-tuning • Behavioral analytics • Dynamic signatures Prevent Account Takeover • App-level encryption • Mobile app tampering • Brute Force protection Mobile Bot Mitigation Credential Protection App-Layer DoS Hacker Anti-bot Mobile SDK Bots F5 Advanced WAF Users credentials
  48. 48. F5 ASM L7 DDoS (BaDos Limited) Base ADC Anti Bot ASM
  49. 49. F5 Advanced WAF L7 DDoS (BaDos Limited) Base ADC Anti Bot ASM DataSafe BaDoS Unlimited Credential Stuffing (S) (A) Anti. Bot Mobile (S)ubscription License (A)dd On License(I)ncluded in the AWAF Threat Campaigns (S) (A) API Security Upstream Signaling C. Device ID (S)
  50. 50. What are LTM features available on ASM? Starting with BIG-IP ASM version 13.1.0.1 The following LB capabilities have been added to ASM (with no need for LTM license) • Up to 3 Pool Members • LB Methods Supported • Round Robin • Ratio (member) • Ratio (Node)
  51. 51. What are LTM features available on AWAF? Starting with BIG-IP version 13.1.0.2 the following LTM features are part of AWAF (Advanced WAF) license: Load Balancing • No limit on IP Pool Members number • LB Methods Supported • Round Robin • Ratio (member) • Least Connections (member) • Ratio (node) • Least Connections (node) • Weighted Least Connection (member) • Weighted Least Connection (node) • Ratio Least Connection (member) • Ratio Least Connection (node) Persistency • Cookie Persistency • Source Address • Host • Destination Address
  52. 52. Summary
  53. 53. Hybrid DDoS Protection Fraud Prevention Access Control Powerful WAF
  54. 54. ANTI- DDoS APP INFRASTRUCTURE ANTI-DDoS DNSTLS/SSL ADVANCED WEB APPLICATION FIREWALL Web Application Attacks App Infrastructure Attacks DDoS Attacks Client-Side Attacks ANTI-DDoS BOT DEFENSE CREDENTIAL PROTECTION WEB ACCESS MANAGEMENT WAF IDENTITY ACCESS MGMT IAM DDoS Hybrid Defender Advanced WAF Access Management SSL Orchestrator

×