2/6/2017 An Analysis of N-Tier Web Application Attack Surfaces | Cigital

An Analysis of N-Tier Web Application Attack Surfaces

August 16, 2016
Categories: Developer, Threat Modeling, Web Application Security
Tags: attack surface, evolving explorer
Web applications have many channels and interaction points that exist to receive input data or to deliver output data. Attackers find ways to leverage these channels and interaction points by understanding system behavior where inputs are supplied and outputs are received. This defines the attack surface of an application.

Analyzing the attack surfaces is critical within the threat modeling process and involves three key steps:

1. Identify the attack surfaces.
2. Identify threats on the attack surfaces.
3. Measure the controls on the attack surfaces.

Here, we'll examine how each of these key steps is highly valuable to the overall threat model.

Identify the attack surfaces.


Identifying and defining attack surface elements requires enumerating all entry and exit points of an application. Along with the interaction channels (shown in the sample diagram below), consider both supporting technology and system behavior in this process.

A developer-centric application architecture diagram



While analyzing an N-Tier Web application, it's important to consider the following attack surfaces and their elements:
- Web: In Web attack surfaces, it's important to identify how users (or other clients) interact with the application.
  - User/admin interfaces
  - Web services API (SOAP request/JSON request)
  - HTTP header/cookies
  - HTML5 local storage

  We focus on Web attack surfaces within the examples presented in this post. The same principles we'll walk through for Web attack surfaces also hold for the following attack surfaces.

- Middleware/services: Consists of interfaces with subsystems and other downstream applications.
  - Enterprise service bus
  - Services

- Data tier: Data at rest is an important attack surface to consider, no matter whether it involves client data or even application logs.
  - Database
  - Files
  - Logs

- Technology: It is also important to list out the different technology through which interaction occurs.
  - Network elements (load balancer, reverse proxies, WAFs, etc.)
  - Programming languages
  - Toolkit
  - Frameworks
  - Design patterns

- Interaction model: Documenting this behavior (asynchronous, synchronous, transactional, etc.) helps drive security testing as part of the secure SDLC.

An application architecture diagram plays a vital role in the identification and analysis of the attack surface elements. Leveraging a developer-centric application architecture diagram as a foundational understanding of system behavior is a great start, but a developer-centric diagram alone isn't enough to identify and extract the elements of an attack surface view or to support a holistic threat model. The diagram below illustrates all the entities that are identified in the attack surfaces discussed above.


Identification of entry/exit points and technologies/protocols used

Identify the threats on the attack surfaces.


When enumerating threats, consider the following:

- Could malicious intent or inept behavior turn a user into a threat?
- Are there any resources or interfaces (at any level of the OSI stack) that threats could use to gain access to the system?
- Is there potential for a concerted and/or persistent effort capable of accessing system resources or interfaces?

Threats relative to the Web attack surface

Threats identified in this diagram (illustrated in red) include:

- Malicious user
- Malicious CSR
- Rogue client
- Man in the middle (MITM)
- Malicious 3rd party (capable of client-side/DOM injections)

Measure controls on the attack surfaces.


Once the attack surfaces and respective threats are identified, it's time to measure the effectiveness of the controls currently in place to protect against those threats.

As an example, let's concentrate on the Web attack surface.

User authentication and authorization always fall in the first line of defense. It's important to document instances where authentication occurs and where it gates access to resources or other attack surfaces.

Consider the following modes of user authentication:

- Single-factor authentication
- Two-factor authentication
- Single sign-on

Consider the following modes of user authorization:

- Role-based (e.g. access to a particular REST API call)
- Permission-based (e.g. admin views often differ from user views)

Similarly, for every threat identified within an attack surface, we have to check what control mechanism has been implemented.

| Threat | Control |
| --- | --- |
| Malicious User | Authentication and Authorization |
| Malicious CSR | Authentication and Authorization |
| Rogue Client | IP Validation / Mutual SSL |
| Man in the middle (MITM) | HTTPS |
| Malicious 3rd Party (capable of client-side/DOM injections) | Client-side HTML and JavaScript Encoding |


Controls identified on Web attack surface threats

The attack surface overview.


Each item represented visually within a threat model can also be represented in tabular form. In the case of an attack surface, these are represented in the "Where" column:

| Who (threats) | Where (attack surface) | Controls |
| --- | --- | --- |
| Malicious User | User's Browser | Authentication and Authorization |
| Malicious CSR | CSR's Browser | Authentication and Authorization |
| Man in the Middle (MITM) | Internet (MITM) | IP Validation |
| Rogue Client | Web Service Client | HTTPS |
| Malicious 3rd Party (capable of client-side/DOM injections) | User's Browser, CSR's Browser | Input Validation / Output Encoding |

Enumeration of an application's attack surfaces is a critical step within the threat modeling exercise. Identification of potential threats on these attack surfaces helps analysts recommend appropriate security controls in the event that they are insufficient or nonexistent. Whenever there is a change in the application architecture, whether it is the creation of new entry/exit points or a change in system behavior (including technology), it is important to re-examine the attack surfaces.
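The three steps above (enumerate entry/exit points, attach threats, measure controls) can be kept as a small machine-checkable model so that the re-examination the post calls for after an architecture change is mechanical. The following is an added illustration, not code from the post or from Cigital; the surface elements, threat names and controls are constructed from the post's Web attack surface mapping, and the "HTML5 Local Storage" entry point is a constructed change used to show a newly uncovered threat.

```python
from dataclasses import dataclass, field

@dataclass
class SurfaceElement:
    """One entry/exit point: where it is, what technology it uses, who threatens it."""
    name: str                      # e.g. "User's Browser"
    tier: str                      # Web / Middleware / Data
    technology: list               # protocols and formats seen at this point
    threats: list = field(default_factory=list)
    controls: dict = field(default_factory=dict)   # threat -> list of controls in place

def build_web_surface():
    """Constructed model of the post's Web attack surface and its threat/control mapping."""
    xss = {"Malicious 3rd Party": ["Input Validation", "Output Encoding"]}
    return [
        SurfaceElement("User's Browser", "Web", ["HTTPS", "HTML", "JavaScript"],
                       ["Malicious User", "Malicious 3rd Party"],
                       {"Malicious User": ["Authentication", "Authorization"], **xss}),
        SurfaceElement("CSR's Browser", "Web", ["HTTPS", "HTML", "JavaScript"],
                       ["Malicious CSR", "Malicious 3rd Party"],
                       {"Malicious CSR": ["Authentication", "Authorization"], **xss}),
        SurfaceElement("Web Service Client", "Web", ["SOAP", "JSON"],
                       ["Rogue Client"], {"Rogue Client": ["IP Validation", "Mutual SSL"]}),
        SurfaceElement("Internet", "Web", ["TCP/IP"],
                       ["Man in the Middle"], {"Man in the Middle": ["HTTPS"]}),
    ]

def uncovered_threats(model):
    """Step 3: (where, who) pairs for which measurement found no control at all."""
    return [(el.name, t) for el in model for t in el.threats if not el.controls.get(t)]

def summary_rows(model):
    """Who / Where / Controls rows, like the post's tabular attack surface overview."""
    return [(t, el.name, " and ".join(el.controls.get(t) or ["NONE"]))
            for el in model for t in el.threats]

def reexamine(before, after):
    """Gaps introduced by an architecture change (new entry/exit point or new behavior)."""
    return sorted(set(uncovered_threats(after)) - set(uncovered_threats(before)))

if __name__ == "__main__":
    base = build_web_surface()
    # Constructed change: HTML5 local storage added as a new entry point, no control yet.
    changed = base + [SurfaceElement("HTML5 Local Storage", "Web", ["JavaScript"],
                                     ["Malicious 3rd Party"])]
    for row in summary_rows(changed):
        print("%-22s %-22s %s" % row)
    print("new gaps:", reexamine(base, changed))
```

Running the script prints the who/where/controls table with `NONE` on the new row and lists the new entry point under "new gaps", which is the trigger for revisiting the control measurement.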
By Vinay Vishwanatha, Senior Consultant