
A Practical Guide to Web Application Security

Mitigating the OWASP Ten Most Critical Web Application Security Problems with Check Point Solutions
In This Document

Introduction 2
The Top 10 Web Application Vulnerabilities and Their Remedies
1: Unvalidated Input 3
2: Broken Access Control 4
3: Broken Account and Session Management 5
4: Cross-site Scripting (XSS) Flaws 5
5: Buffer Overflows 6
6: Injection Flaws 6
7: Improper Error Handling 7
8: Insecure Storage 8
9: Denial of Service 9
10: Insecure Configuration Management 9

2004 Check Point Software Technologies Ltd.


Introduction
IT security managers face constantly changing and increasingly sophisticated challenges. At one time their concern over Internet security was focused primarily on perimeter network security, but Internet security has long since grown beyond the network perimeter. Fundamental Internet services (email, FTP, HTTP, and Telnet) have been eclipsed by a plethora of dynamic Web applications, servers, and databases that are available 24x7. These represent the infrastructure of the digital economy, making them a very attractive target for hackers. Having grown beyond the network layer, Internet security now encompasses distinct requirements for perimeter, internal, and Web application security. As Web applications become increasingly prevalent, so do the security risks and the requirements for comprehensive Web security solutions.

The Open Web Application Security Project (OWASP), a group dedicated to helping organizations recognize the security challenges intrinsic to Web applications and Web services, has documented these challenges. The OWASP Ten Most Critical Web Application Security Vulnerabilities: 2004 Update lists vulnerabilities of which every network security manager should be aware. (The document is available at http://www.owasp.org/documentation/topten.) The OWASP Top Ten identifies vulnerabilities, or security flaws, to which the majority of successful Internet-based attacks can be traced. The list focuses on vulnerabilities at the code level of applications. Usually, mitigation of such a wide range of vulnerabilities would require the deployment of multiple tools and techniques, often based on different technologies. This paper outlines how to approach each of the OWASP Top Ten Web application vulnerabilities using Check Point intelligent solutions for perimeter, internal, and Web security.

An important aspect of the Check Point approach is the ability to offer security without losing connectivity, because blocking an essential service to protect against a specific attack is rarely an acceptable solution. The methods described focus primarily on how Check Point SmartDefense (a centralized point of control against attacks) and Web Intelligence (a Web application firewall technology) can efficiently and powerfully secure Web applications before an attack can occur. Web Intelligence enables customers to configure, enforce, and update attack protections for Web servers and applications. Web Intelligence protections are designed specifically for Web-based attacks and complement the network and application level protections offered by SmartDefense. In addition, information and new attack defenses for Web Intelligence are provided online as part of Check Point's SmartDefense Service. Web Intelligence protects against a range of known attacks, from attacks on the Web server itself to attacks on databases used by Web applications. In addition, Web Intelligence incorporates intelligent security technologies that protect against entire categories of emerging or unknown attacks. Web Intelligence features Check Point's Malicious Code Protector, Streaming Technologies, and Application Intelligence technologies.



The Top 10 Web Application Vulnerabilities and Their Remedies


Vulnerability 1: Unvalidated Input
Summary
Web applications use input from HTTP requests to determine how to respond to them. HTTP information can be encoded in many different ways. Far too often, information from Web requests is not validated before being used by a Web application. Attackers can therefore tamper with any part of an HTTP request (including, for example, the URL, query string, or headers) to try to bypass the Web application's security mechanisms.

Challenges
This vulnerability impacts most Web applications and Web servers. Most Web applications require some form of user input. In addition, most Web applications are built in a multi-tier architecture, which makes it extremely difficult to predict how user input will be used across all tiers. Attackers can exploit these flaws to attack backend components through a Web application.

Check Point Solution
Two basic approaches are used for validating input. Application Intelligence validates compliance with protocol and application settings. Web Intelligence looks for suspicious patterns within the HTTP request and its parameters. Both approaches are used together to assure proper parameter validation. The specific attack protections include the following:
- Web Intelligence validates that the HTTP request and response are valid according to the HTTP RFC.
- SQL and command injection attacks are blocked by looking for keywords. Keywords are traced in form fields in either GET or POST requests, inside the URL or the HTTP request body. Keyword lists are preconfigured, and users only need to set the security level to HIGH, MEDIUM, or LOW. When a higher security level is used, keywords that are less indicative of an attack are also examined.
- Web URL blocking is performed using kernel-based streaming technology that allows the user to define specific paths that should be blocked. It is also possible to name and block specific HTTP methods.
- HTTP requests are limited to ASCII-only characters, so the ability to inject malicious code into request headers as well as form fields is blocked.

The following diagram shows different configuration examples.

Example configuration: SQL Injection protection



Vulnerability 2: Broken Access Control


Summary
This vulnerability occurs when restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit this flaw to access other users' accounts, view sensitive files, or use unauthorized functions.

Challenges
Each Web application has an authorization scheme, whether implicit or explicit. While such schemes appear simple to construct, many have a model that can be easily bypassed. Common problems include directory traversal techniques, default file permissions, and insecure user IDs.

Check Point Solution
Combined with other Web application-based security methods, Web Intelligence provides protection against flaws that allow authorized users to gain additional, unwarranted access rights. Examples include the following:
- Directory traversal protection--Ensures the URL path and host are normalized in order to prevent the various methods of directory traversal attacks.
- Decoding--Ensures URLs are canonicalized and normalized for all encoding types before enforcement. This process prevents HTTP evasion attacks.
- Enforcing HTTP protocol validity prevents hacking at the protocol level--for example, using the null character within a URL can easily fool an authorization mechanism that is based on URLs.

The following diagram shows different configuration examples.

Directory Traversal Protection
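Added example (not Check Point code) of the normalization and decoding steps described above: a Python canonicalizer that strips repeated percent-encoding, rejects the null byte, resolves `..` segments without letting the path climb above the web root, and only then applies a URL-based authorization rule. The `/admin` prefix, the decoding-round limit and the sample URLs are assumptions constructed for the example.

```python
from urllib.parse import unquote

# Maximum number of percent-decoding passes; an assumption chosen to catch
# double- and triple-encoded traversal sequences such as %252e%252e
MAX_DECODE_ROUNDS = 3
# Constructed policy: only an administrator may reach anything under /admin
PROTECTED_PREFIX = "/admin"


def normalize_host(host: str) -> str:
    """Lower-case the host and drop an explicit port and a trailing dot."""
    host = host.strip().lower().split(":", 1)[0]
    return host.rstrip(".")


def canonicalize(path: str) -> str:
    """Return the canonical absolute path, or raise ValueError for evasion attempts.

    Enforcement must run on this form, not on the raw request path,
    otherwise an encoded or backslash-separated traversal slips past it.
    """
    decoded = path
    for _ in range(MAX_DECODE_ROUNDS):
        once = unquote(decoded)
        if once == decoded:          # nothing left to decode
            break
        decoded = once
    if "\x00" in decoded:
        # A null byte can truncate the string inside a C-based authorization check
        raise ValueError("null byte in URL")
    decoded = decoded.replace("\\", "/")   # treat backslash as a separator (IIS style)
    stack = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                # More '..' than directories: the request tries to leave the web root
                raise ValueError("path escapes web root")
            stack.pop()
        else:
            stack.append(segment)
    return "/" + "/".join(stack)


def check_request(raw_url: str, is_admin: bool) -> str:
    """Return 'allow' or 'block: <reason>' for a request path with optional query."""
    try:
        path = canonicalize(raw_url.split("?", 1)[0])
    except ValueError as exc:
        return f"block: {exc}"
    protected = path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")
    if protected and not is_admin:
        return "block: unauthorized"
    return "allow"


if __name__ == "__main__":
    # Constructed sample URLs
    for url in ("/public/index.html", "/images/..%2fadmin/", "/%252e%252e/etc/passwd", "/admin%00/x"):
        print(url, "->", check_request(url, is_admin=False))
```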



Vulnerability 3: Broken Account and Session Management


Summary
Account credentials and session tokens that are not properly protected are another type of vulnerability specified by OWASP. Attackers who can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.

Challenges
Authentication is one part of the Web security process, but even solid authentication mechanisms can be undermined by flawed credential management functions. Ensuring consistent and strong authentication security across multiple platforms can be difficult, and the result may not be consistent from one Web application to another. There is a need to provide a strong authentication process that is not part of the Web application itself. Managing active sessions requires a strong session identifier that cannot be guessed, hijacked, or captured.

Check Point Solution
Check Point offers several solutions to help a Web application keep user names, passwords, and sessions safe. VPN-1 (with integrated FireWall-1 functionality) supports multiple authentication schemes and password and user-name storage techniques (including LDAP, Windows, RADIUS, Citrix, SecurID, etc.) that allow for safe, encrypted storage of user information.

Vulnerability 4: Cross-site Scripting (XSS) Flaws


Summary
Web applications can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.

Challenges
Developers tend not to be aware of this type of attack and perform no input validation to prevent cross-site scripting. Such vulnerabilities occur when user input is combined into an HTML page sent to another user. By injecting hostile script into the HTML, the attacker can run arbitrary JavaScript code. While a browser scripting language is limited in nature, it does allow full privileges to attack user information.

Check Point Solution
The INSPECT engine, on which SmartDefense and Web Intelligence are based, protects Web applications. If scripting code cannot be injected into the Web application, it cannot harm the end user. This approach is critical because once the code is uploaded to the Web server it is impossible to distinguish from legitimate scripting code that belongs to the Web application. Web Intelligence gives the administrator three levels of rejecting scripts (High, Medium, Low):
- The prudent approach is to reject all HTTP requests that contain the < or > characters (Medium level). However, this approach can also block access to pages that contain innocent tags, such as <Title>.
- An alternative and less strict approach is to reject any request that contains one of the default banned tags (Low level).
- At the High level, the &lt and &gt keywords are also blocked, although they are legal, because some applications commonly misinterpret them.
Web Intelligence looks for multiple keywords that can be used for scripting code: JavaScript commands, events that can trigger the scripting engine, and HTML attributes and tags.
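Added example (not Web Intelligence's own logic) of the three rejection levels and the keyword checks described above, applied to decoded GET and POST parameters. The banned-tag and script-keyword lists are constructed assumptions, since the page does not list the defaults.

```python
import re
from urllib.parse import parse_qs

# Constructed lists; Check Point's default banned-tag and keyword lists are not on the page
BANNED_TAGS = ("script", "iframe", "object", "embed", "img", "applet")
SCRIPT_KEYWORDS = ("javascript:", "vbscript:", "document.cookie", "eval(", "expression(")
# Any on<event>= attribute, e.g. onload=, onerror=, onclick=
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=")


def xss_verdict(value: str, level: str) -> str:
    """Apply the three rejection levels (LOW, MEDIUM, HIGH) to one decoded parameter value."""
    v = value.lower()
    if level == "HIGH" and ("&lt" in v or "&gt" in v):
        # Legal entities, but some applications decode them back into real brackets
        return "block: encoded angle bracket"
    if level in ("MEDIUM", "HIGH") and ("<" in v or ">" in v):
        # Prudent but coarse: an innocent <title> in a field is blocked too
        return "block: angle bracket"
    if level == "LOW":
        for tag in BANNED_TAGS:
            if re.search(r"<\s*/?\s*" + tag + r"\b", v):
                return f"block: banned tag <{tag}>"
    # Keyword checks run at every level: event handlers and script commands
    if EVENT_HANDLER.search(v):
        return "block: event handler"
    for kw in SCRIPT_KEYWORDS:
        if kw in v:
            return f"block: script keyword {kw}"
    return "allow"


def scan_request(query_string: str, body: str, level: str) -> str:
    """Decode every GET and POST parameter and return the first blocking verdict."""
    for raw in (query_string, body):
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            for value in values:
                verdict = xss_verdict(value, level)
                if verdict != "allow":
                    return f"{verdict} (field {name})"
    return "allow"
```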



Vulnerability 5: Buffer Overflows


Summary
Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and Web application server components.

Challenges
Buffer overruns represent one of the hardest programming problems to avoid. They also present a high risk, because with some effort arbitrary code can be run on the Web application host machine. Unfortunately, such attacks are very common. Some even include automatic propagation mechanisms that allow an attacker to infect whole networks within minutes.

Check Point Solution
Check Point Web Intelligence allows blocking of known and unknown buffer overflows. The revolutionary, patent-pending Malicious Code Protector in Web Intelligence looks for unknown buffer overflows by actually looking for malicious executables embedded in Web traffic. While detecting unknown buffer overflows is difficult, basic steps can be taken to make their use much harder for the attacker. In addition to Malicious Code Protector, both Application Intelligence and Web Intelligence can:
- Detect worm encoding variants
- Detect cross-protocol worms that propagate through different methods, including file sharing over HTTP
- Be updated for new worm patterns and classes
In addition to the Malicious Code Protector capabilities, Web Intelligence implements pre-emptive protection against unknown attacks by:
- Limiting the maximum URL and HTTP header lengths, thus minimizing the chance that executable code can be run if an overflow does occur.
- Disallowing the use of binary characters in requests, to make assembly of executable code much harder for the attacker. Blocking binary characters in Web forms extends this protection to Web applications.
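Added example (not Check Point code) of the pre-emptive limits listed above, applied to a raw HTTP request: a maximum URL and header length, a maximum header count, and rejection of bytes outside printable ASCII in the request line, headers and URL-encoded form bodies. The limit values are assumptions and the sample requests are constructed.

```python
# Limits are assumptions for the example; the page gives no default values
MAX_URL_LEN = 2048        # request-target length
MAX_HEADER_LEN = 4096     # one header line
MAX_HEADERS = 64
# Printable ASCII plus tab, CR and LF: everything else counts as binary
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
FORM_TYPE = b"application/x-www-form-urlencoded"


def check_raw_request(raw: bytes) -> str:
    """Return 'allow' or 'block: <reason>' for one raw HTTP request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "block: incomplete header block"
    if any(b not in TEXT_BYTES for b in head):
        # Binary in the request line or headers: nothing legitimate needs it,
        # and it is the raw material an overflow payload is assembled from
        return "block: binary byte in request line or header"
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return "block: malformed request line"
    if len(parts[1]) > MAX_URL_LEN:
        return "block: URL too long"
    if len(header_lines) > MAX_HEADERS:
        return "block: too many headers"
    is_form = False
    for line in header_lines:
        if len(line) > MAX_HEADER_LEN:
            return "block: header too long"
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return "block: malformed header"
        if name.strip().lower() == b"content-type" and FORM_TYPE in value.lower():
            is_form = True
    if is_form and any(b not in TEXT_BYTES for b in body):
        # Form bodies are percent-encoded text; raw binary here is out of place
        return "block: binary byte in form body"
    return "allow"


if __name__ == "__main__":
    # Constructed sample request
    print(check_raw_request(b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
```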

Vulnerability 6: Injection Flaws


Summary
Web applications commonly call on and pass parameters to the Web server's operating system and other external applications. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the Web application.

Challenges
Command injection techniques use Web applications that lack proper input validation to attack N-tier applications. For example, passing user-supplied arguments unchecked to the command line interpreter allows the user to run commands of his own choice on the Web server. This is a very powerful attack, which is quite common and quite easy for an attacker to detect and exploit.

Check Point Solution
When susceptible operating system commands are issued in application requests, they are blocked by Web Intelligence. Web Intelligence provides the administrator three options for rejecting command injections.


- At the HIGH security level, requests are blocked when any type of quote is used in the request. Quotes are usually used to break out of the scope of string concatenation.
- At the MEDIUM level, all HTTP requests are rejected that contain operating system commands distinctive of command injection, or non-distinctive words found within quotes.
- At the LOW level, all HTTP requests are rejected that contain distinctive operating system commands.
Command injection protection has other useful features:
- Support for multiple requests in the same connection
- Support during GET and POST form submission
- Logging of attack attempts
- Ability to set different configurations for each Web server
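Added example (not Check Point code) covering the keyword approach of Vulnerability 1 and the three command injection levels above: SQL keywords are organized in tiers so that a higher level also examines less indicative words, and the command check rejects distinctive commands at every level, non-distinctive words inside quotes at MEDIUM, and any quote at HIGH. All keyword lists are constructed assumptions; the page does not give the preconfigured lists.

```python
import re

# Constructed keyword tiers. A level examines its own tier plus every tier below it.
LEVELS = ("LOW", "MEDIUM", "HIGH")
SQL_TIERS = {
    "LOW":    ("union select", "xp_cmdshell", "information_schema", "waitfor delay"),
    "MEDIUM": ("select", "insert", "update", "delete", "drop", "exec"),
    "HIGH":   ("or", "and", "like", "where"),   # common English words: more false positives
}
CMD_DISTINCTIVE = ("/bin/sh", "/bin/bash", "/etc/passwd", "cmd.exe", "powershell")
CMD_NON_DISTINCTIVE = ("cat", "ls", "dir", "ping", "echo", "id")
ANY_QUOTE = re.compile(r"""['"`]""")
QUOTED_SPAN = re.compile(r"""(['"`])(.*?)\1""")


def _has_word(text: str, kw: str) -> bool:
    """Match kw as a whole word or phrase, not inside a longer token (e.g. 'or' in 'door')."""
    return re.search(r"(?<![a-z0-9_])" + re.escape(kw) + r"(?![a-z0-9_])", text) is not None


def sql_verdict(value: str, level: str) -> str:
    """Tiered SQL keyword check for one form field value."""
    v = " ".join(value.lower().split())    # collapse whitespace so 'union   select' is caught
    for tier in LEVELS[: LEVELS.index(level) + 1]:
        for kw in SQL_TIERS[tier]:
            if _has_word(v, kw):
                return f"block: sql keyword '{kw}' ({tier} tier)"
    return "allow"


def cmd_verdict(value: str, level: str) -> str:
    """Command injection check with the HIGH / MEDIUM / LOW semantics described above."""
    v = value.lower()
    for kw in CMD_DISTINCTIVE:            # distinctive commands are rejected at every level
        if kw in v:
            return f"block: distinctive command {kw}"
    if level == "HIGH" and ANY_QUOTE.search(v):
        # Quotes are what an injection uses to break out of string concatenation
        return "block: quote character"
    if level == "MEDIUM":
        for _, inside in QUOTED_SPAN.findall(v):
            for word in re.findall(r"[a-z]+", inside):
                if word in CMD_NON_DISTINCTIVE:
                    return f"block: command '{word}' inside quotes"
    return "allow"


def field_verdict(value: str, level: str) -> str:
    """Combined check for one GET or POST parameter value."""
    for verdict in (sql_verdict(value, level), cmd_verdict(value, level)):
        if verdict != "allow":
            return verdict
    return "allow"
```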

Vulnerability 7: Improper Error Handling


Summary
Error messages generated by Web applications can provide useful information to a hacker. By causing and analyzing error messages from a target, including errors generated by a protective security solution, a hacker gains insightful information on the products and technologies used by the installation. This information helps hackers tailor the exploits and attacks that are effective for that installation. Hackers can deny service, cause security mechanisms to fail, or crash the server.

Challenges
Web security systems are designed to block and prevent a hacker from attacking a Web application. However, how a security solution handles the blocked attack can also indicate to a hacker that a particular defense is deployed, and even reveal the vendor and version being used. This information can be used to attack the Web security solution itself.

Check Point Solution
Web Intelligence addresses error concealment by ensuring that hackers do not receive useful information on attacks blocked by Web Intelligence. By default, Web Intelligence simply blocks connections when an attack is detected, providing no useful information to the attacker. However, in some cases it is useful to inform the user that there is a security violation, for example when users call a help desk after a connection is lost. In this case, Web Intelligence can generate either a custom or a generic HTML error page to inform the end user of the security violation, along with a random ID. This ID number can be checked against the logs to determine the reason for the blocked connection. This ensures the concealment of Web Intelligence while providing a support mechanism for IT staff.



Custom HTML Error Page
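Added example (not Check Point code) of the mechanism described above: the block is logged with a random reference, the user sees only a generic or custom page carrying that reference, and the help desk resolves the reference back to the logged reason. The in-memory log store, the page template and the list of terms a custom template must not leak are constructed assumptions.

```python
import secrets
import time

# In-memory stand-in for the gateway log (constructed); entries carry the real reason
BLOCK_LOG = []

# Generic page shown to the user: it names neither the product nor the rule that fired
GENERIC_PAGE = (
    "<html><body><h1>Your request was blocked</h1>"
    "<p>If you believe this is an error, contact the help desk and quote reference {ref}.</p>"
    "</body></html>"
)
# Constructed list of terms a custom error page must never contain
CONCEALED_TERMS = ("check point", "web intelligence", "smartdefense", "version")


def block_request(client_ip: str, url: str, internal_reason: str,
                  inform_user: bool = False, template: str = GENERIC_PAGE):
    """Log the block under a random reference and return (reference, page_or_None).

    With inform_user=False (the default behaviour described above) the caller
    simply drops the connection; the reference is still logged for IT staff.
    """
    ref = secrets.token_hex(8)     # unguessable, so references cannot be enumerated
    BLOCK_LOG.append({
        "id": ref, "time": time.time(), "src": client_ip,
        "url": url, "reason": internal_reason,
    })
    if not inform_user:
        return ref, None
    return ref, template.format(ref=ref)


def lookup_reference(ref: str):
    """Help-desk side: resolve the reference the user quotes to the logged entry."""
    for entry in BLOCK_LOG:
        if entry["id"] == ref:
            return entry
    return None


def page_is_concealed(page: str, reason: str) -> bool:
    """Sanity check for a custom template: no rule text, vendor or version in the page."""
    lowered = page.lower()
    if reason.lower() in lowered:
        return False
    return not any(term in lowered for term in CONCEALED_TERMS)
```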

Vulnerability 8: Insecure Storage


Summary
Web applications frequently use cryptographic functions to protect information and credentials. These functions, and the code to integrate them, have proven difficult to code properly, frequently resulting in weak protection.

Challenges
Developers who are not trained in cryptographic programming are likely to make serious mistakes in the implementation of encryption functionality in Web applications. Such mistakes include:
- Insecure storage of keys, certificates, and passwords
- Poor sources of randomness
- Attempting to invent a new encryption algorithm
- Failure to include support for encryption key changes and other required maintenance procedures

Check Point Solution
Check Point has a long tradition of expertise and innovation in the field of cryptography. Its products include built-in support for algorithms and protocols such as DES, 3DES, AES, IPsec, SSL, TLS, etc. Check Point products also provide the highest level of security and management capabilities for encryption functions, so that the burden of implementing cryptographic functionality is shifted from the Web application developer to Check Point. For Web applications the following solutions are available:
- The use of clientless VPN allows SSL termination for Web applications.
- The use of IPsec VPNs provides excellent protection of communication that is transparent to Web applications.



Vulnerability 9: Denial of Service


Summary
Attackers can consume Web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.

Challenges
Web applications are particularly susceptible to application-based denial of service (DoS) attacks. Such attacks can be launched simply by opening too many requests. A single host can generate enough requests to consume all available resources of the Web and application server. It is very difficult for the Web server to distinguish between a legitimate request and an attack.

Check Point Solution
Using the same foundations and methodologies as NG with Application Intelligence, Web Intelligence verifies that a request is not malformed. This prevents most of the known HTTP attacks. In addition, due to the integration with SmartDefense, network-based attacks are easily mitigated. Using FloodGate, Check Point's policy-based management solution, one can limit the throughput and bandwidth consumption of a specific URL and even put a quota on the number of network sessions from a specific host, excluding known hosts.
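Added example (not FloodGate code) of the two controls described above: a per-host quota on open sessions with an exclusion list for known hosts, and a sliding-window byte budget for a specific URL. All limits, addresses and URLs are constructed assumptions.

```python
import time
from collections import defaultdict, deque


class DosGuard:
    """Per-host session quota with an exclusion list, plus a per-URL byte budget.

    Constructed stand-in for the FloodGate rules described above; all limits are assumptions.
    """

    def __init__(self, session_quota=20, trusted_hosts=(), url_budgets=None):
        self.session_quota = session_quota
        self.trusted = set(trusted_hosts)          # known hosts excluded from the quota
        self.url_budgets = url_budgets or {}       # url -> (bytes_per_window, window_seconds)
        self.sessions = defaultdict(int)           # host -> open session count
        self.url_usage = defaultdict(deque)        # url -> deque of (timestamp, bytes)

    def open_session(self, host: str) -> bool:
        """Admit a new network session from host unless its quota is exhausted."""
        if host not in self.trusted and self.sessions[host] >= self.session_quota:
            return False
        self.sessions[host] += 1
        return True

    def close_session(self, host: str) -> None:
        """Release one session slot when the connection ends."""
        if self.sessions[host] > 0:
            self.sessions[host] -= 1

    def admit_request(self, url: str, size: int, now=None) -> bool:
        """Admit a request of `size` bytes to url if it fits the URL's sliding-window budget."""
        if url not in self.url_budgets:
            return True                            # no throughput limit configured for this URL
        limit, window = self.url_budgets[url]
        now = time.time() if now is None else now
        usage = self.url_usage[url]
        while usage and usage[0][0] <= now - window:   # drop samples outside the window
            usage.popleft()
        if sum(b for _, b in usage) + size > limit:
            return False                           # rejected requests do not consume budget
        usage.append((now, size))
        return True
```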

Vulnerability 10: Insecure Configuration Management


Summary
Having a strong server configuration standard is critical to a secure Web application. Servers can have many configuration options that affect security and are not secure out of the box.

Challenges
Configuring a modern Web application server and keeping it up to date with security patches can be a difficult task. This task is usually performed by Web developers whose main concern is application up-time. Multiple vulnerabilities can stem from improper configurations, under-used features that are left enabled, sample files and executables left untouched, and unpatched server software.

Check Point Solutions
SmartDefense Header Cloaking allows administrators to hide the identity of the Web server from automated scripts running across the Internet looking for vulnerable Web servers. While a dedicated hacker who targets your application can still identify the Web server type, most attacks come from script kiddies or worms that run automated scripts, and Header Cloaking can easily fool many of these tools. The worm-catching capabilities in Check Point products ensure that even if your Web servers are not current with all patches, you are still protected from known worms. The SmartDefense Service ensures that your arsenal remains up to date with new patterns and defenses.

Conclusion
The vulnerabilities described by the OWASP Top Ten form the basis for most Internet-based attack exploits. Safeguarding against all 10 vulnerabilities goes a long way in protecting your network and data from malicious hackers. Check Point, by providing the products and tools necessary to defend against all 10 vulnerabilities, creates a comprehensive, easy-to-use, and easy-to-administer security solution for its customers.

Note: Check Point solutions provide protection against additional attacks that are beyond the scope of the OWASP Top 10 (e.g., SYN floods, fragmentation attacks, DDoS, etc.), and these are therefore not detailed in this paper.


About Check Point Software Technologies


Check Point Software Technologies (www.checkpoint.com) is the worldwide leader in securing the Internet. It is the confirmed market leader of both the worldwide VPN and firewall markets. Through its Next Generation product line, the company delivers a broad range of intelligent Perimeter, Internal and Web security solutions that protect business communications and resources for corporate networks and applications, remote employees, branch offices and partner extranets. The company's Zone Labs (www.zonelabs.com) division is one of the most trusted brands in Internet security, creating award-winning endpoint security solutions that protect millions of PCs from hackers, spyware and data theft. Extending the power of the Check Point solution is its Open Platform for Security (OPSEC), the industry's framework and alliance for integration and interoperability with best-of-breed solutions from over 350 leading companies. Check Point solutions are sold, integrated and serviced by a network of more than 2,300 Check Point partners in 92 countries.

CHECK POINT OFFICES:
International Headquarters: 3A Jabotinsky Street, 24th Floor, Ramat Gan 52520, Israel. Tel: 972-3-753 4555. Fax: 972-3-575 9256. e-mail: info@CheckPoint.com
U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065. Tel: 800-429-4391; 650-628-2000. Fax: 650-654-4233. URL: http://www.checkpoint.com

2004 Check Point Software Technologies Ltd. All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, ClusterXL, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, INSPECT, INSPECT XL, InterSpect, IQ Engine, Open Security Extension, OPSEC, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecurRemote, SecurServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, Web Intelligence, TrueVector, ZoneAlarm, Zone Alarm Pro, Zone Labs, the Zone Labs logo, AlertAdvisor, Cooperative Enforcement, IMsecure, Policy Lifecycle Management, Zone Labs Integrity and Smarter Security are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726 and 6,496,935 and may be protected by other U.S. Patents, foreign patents, or pending applications. June XX, 2004 PN: 000000


