An Analysis of N-Tier Web Application Attack Surfaces
August 16, 2016
Categories: Developer, Threat Modeling, Web Application Security
Tags: attack surface, evolving explorer
Web applications have many channels and interaction points that exist to receive input data or to deliver output data. Attackers find ways to leverage these channels and interaction points by understanding system behavior where inputs are supplied and outputs are received. This defines an attack surface of an application.
Analyzing the attack surfaces is critical within the threat modeling process and involves three key steps:
1. Identify the attack surfaces.
2. Identify threats on the attack surfaces.
3. Measure the controls on the attack surfaces.
While analyzing an N-Tier Web application, it's important to consider the following attack surfaces and their elements:
- Web: In Web attack surfaces, it's important to identify how users (or other clients) interact with the application.
  - User/admin interfaces
  - Web services API (SOAP request/JSON request)
  - HTTP header/cookies
  - HTML5 local storage

We focus on Web attack surfaces within the examples presented in this post. The same principles we'll walk through for Web attack surfaces also hold for the following attack surfaces.

- Enterprise service bus
- Services
- Data tier: Data at rest is an important attack surface to consider, no matter whether it involves client data or even application logs.
  - Database
  - Files
  - Logs
- Technology: It is also important to list out the different technology through which interaction occurs.
  - Network elements (load balancer, reverse proxies, WAFs, etc.)
  - Programming languages
  - Toolkit
  - Frameworks
  - Design patterns
- Interaction model: Documenting this behavior (asynchronous, synchronous, transactional, etc.) helps drive security testing as part of the secure SDLC.
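As an added example (not part of the original post), the following Python script derives the Web attack surface elements listed above from a server's request records: it collapses numeric path segments so that one endpoint is counted once, sorts each request into user interface, admin interface, JSON API or SOAP API, and collects the header and cookie names the application accepts as input channels. The log format and every record in it are constructed for this example. HTML5 local storage never shows up in server-side logs, so that element still has to come from a review of the client-side code.

```python
import json
import re
from collections import defaultdict

# Constructed sample request records (one JSON object per line); not real traffic.
SAMPLE_LOG = """
{"method": "GET", "path": "/account/profile", "content_type": "text/html", "headers": ["Cookie", "User-Agent"], "cookies": ["session"]}
{"method": "POST", "path": "/api/v1/orders/8812", "content_type": "application/json", "headers": ["X-Api-Key", "Content-Type"], "cookies": []}
{"method": "POST", "path": "/api/v1/orders/9031", "content_type": "application/json", "headers": ["X-Api-Key", "Content-Type"], "cookies": []}
{"method": "POST", "path": "/ws/inventory", "content_type": "text/xml", "headers": ["SOAPAction", "Content-Type"], "cookies": []}
{"method": "GET", "path": "/admin/users/42/edit", "content_type": "text/html", "headers": ["Cookie", "X-Forwarded-For"], "cookies": ["session", "admin_pref"]}
"""

NUMERIC_SEGMENT = re.compile(r"^\d+$")


def normalize_path(path):
    """Collapse numeric segments so /orders/8812 and /orders/9031 are one entry point."""
    return "/".join("{id}" if NUMERIC_SEGMENT.match(p) else p for p in path.split("/"))


def classify(record):
    """Map one request to the Web attack surface element it exercises (categories from the post)."""
    path = record["path"]
    ctype = record.get("content_type", "")
    headers = record.get("headers", [])
    if path.startswith("/admin/"):
        return "Admin interface"
    if ctype in ("text/xml", "application/soap+xml") or "SOAPAction" in headers:
        return "Web services API (SOAP)"
    if ctype == "application/json":
        return "Web services API (JSON)"
    return "User interface"


def enumerate_web_surface(log_text):
    """Build {surface element: sorted entry points} from JSON-lines request records."""
    surface = defaultdict(set)
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        entry = f'{rec["method"]} {normalize_path(rec["path"])}'
        surface[classify(rec)].add(entry)
        # Every distinct header and cookie name is an input channel of its own
        # that the application trusts to some degree, so list them separately.
        for name in rec.get("headers", []):
            surface["HTTP headers"].add(name)
        for name in rec.get("cookies", []):
            surface["Cookies"].add(name)
    return {k: sorted(v) for k, v in sorted(surface.items())}


if __name__ == "__main__":
    for element, entries in enumerate_web_surface(SAMPLE_LOG).items():
        print(f"{element}:")
        for e in entries:
            print(f"  {e}")
```

Each bucket in the output is a row for the attack surface inventory; the JSON API bucket shows why path normalization matters, since two order IDs collapse to a single `POST /api/v1/orders/{id}` entry point rather than inflating the list.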
An application architecture diagram plays a vital role in the identification and analysis of the attack surface elements. Leveraging a developer-centric application architecture diagram as a foundational understanding of system behavior is a great start, but a developer-centric diagram isn't enough to support a holistic threat model when it comes to identifying and extracting the elements of an attack surface view. The diagram below illustrates all the entities that are identified in the attack surfaces discussed above.
https://www.cigital.com/blog/ntierwebapplicationattacksurfaces/
2/6/2017 An Analysis of N-Tier Web Application Attack Surfaces | Cigital
- Could malicious intent or inept behavior turn a user into a threat?
- Are there any resources or interfaces (at any level of the OSI stack) that threats could use to gain access to the system?
- Is there potential to conduct a concerted and/or persistent effort capable of accessing system resources or interfaces?
Threats identified in this diagram (illustrated in red) include:

- Malicious user
- Malicious CSR
- Rogue client
- Man in the middle (MITM)
- Malicious 3rd party (capable of client-side/DOM injections)
As an example, let's concentrate on the Web attack surface.
- Single-factor authentication
- Two-factor authentication
- Single sign-on
- Role-based (i.e. a particular REST API call)
- Permission-based (i.e. admin views often differ from user views)
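The role-based and permission-based controls above, as an added example in Python (not code from the original post): the roles, permissions, endpoints and record fields are hypothetical. A REST API call is authorized only when the permission it declares is held by one of the caller's roles, and a view is built by dropping every field the caller is not permitted to see. An endpoint with no declared requirement is denied rather than allowed; that fail-closed default is what keeps a malicious user or malicious CSR from reaching admin-only functions through an endpoint nobody remembered to classify.

```python
from dataclasses import dataclass

# Hypothetical role model: which permissions each role grants.
ROLE_PERMISSIONS = {
    "user": {"orders:read", "orders:create"},
    "csr": {"orders:read", "orders:create", "orders:refund", "customers:read"},
    "admin": {"orders:read", "orders:create", "orders:refund",
              "customers:read", "customers:delete", "users:manage"},
}

# Role-based control: each REST API call declares the permission it requires.
API_REQUIREMENTS = {
    ("GET", "/api/v1/orders"): "orders:read",
    ("POST", "/api/v1/orders"): "orders:create",
    ("POST", "/api/v1/orders/refund"): "orders:refund",
    ("DELETE", "/api/v1/customers"): "customers:delete",
}

# Permission-based control: which permission a caller needs to see each field,
# so the admin view and the user view are derived from one record.
FIELD_VISIBILITY = {
    "name": "orders:read",
    "email": "customers:read",
    "card_last4": "customers:read",
    "internal_notes": "users:manage",
}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


def permissions_for(principal):
    """Union of the permissions granted by the caller's roles; unknown roles grant nothing."""
    perms = set()
    for role in principal.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize_api_call(principal, method, path):
    """Default deny: an unmapped endpoint and a missing permission both fail closed."""
    required = API_REQUIREMENTS.get((method, path))
    if required is None:
        return False
    return required in permissions_for(principal)


def render_view(principal, record):
    """Keep only the fields the caller may see; fields with no visibility rule are dropped."""
    perms = permissions_for(principal)
    return {k: v for k, v in record.items() if FIELD_VISIBILITY.get(k) in perms}


if __name__ == "__main__":
    csr = Principal("carol", frozenset({"csr"}))
    print(authorize_api_call(csr, "POST", "/api/v1/orders/refund"))   # allowed for CSR
    print(authorize_api_call(csr, "DELETE", "/api/v1/customers"))     # denied for CSR
    print(render_view(csr, {"name": "Bob", "card_last4": "1234", "internal_notes": "x"}))
```

The two functions are the "Authentication and Authorization" control from the table below made concrete for the authorization half: `authorize_api_call` answers whether this caller may invoke this API call at all, and `render_view` answers which parts of the response this caller may see.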
Who (threats) | Where (attack surface) | Controls
Malicious User | | Authentication and Authorization
Malicious CSR | | Authentication and Authorization
Rogue Client | | IP Validation/Mutual SSL
Man in the middle (MITM) | | HTTPS
Malicious 3rd Party (capable of client-side/DOM injections) | | Client-side HTML and JavaScript Encoding
Enumeration of an application's attack surfaces is a critical step within the threat modeling exercise. Identification of potential threats on these attack surfaces helps analysts recommend appropriate security controls in the event that they are insufficient or nonexistent. Whenever there is a change in the application architecture, whether it is the creation of new entry/exit points or a change in system behavior (including technology), it is important to re-examine the attack surfaces.
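The three steps and the threat/control table, worked as a small Python model (an added example, not the post's own code): each attack surface element records where it sits, which threats can reach it (who) and which controls are actually implemented, and measure() reports per threat whether the expected controls are all present, partly present or absent. The expected controls for the Web threats follow the table above, with "IP Validation/Mutual SSL" read as two acceptable alternatives; the inventory itself is constructed. reexamine() compares two inventories so that, after an architecture change, the elements that are new or altered and must be threat-modeled again fall out directly.

```python
from dataclasses import dataclass

# Acceptable control sets per threat: a threat is covered when ALL controls in
# ANY one of its alternative sets are implemented. The Web rows come from the
# post's table; "IP Validation/Mutual SSL" is read as two alternatives.
REQUIRED_CONTROLS = {
    "Malicious user": [{"Authentication", "Authorization"}],
    "Malicious CSR": [{"Authentication", "Authorization"}],
    "Rogue client": [{"IP validation"}, {"Mutual SSL"}],
    "Man in the middle": [{"HTTPS"}],
    "Malicious 3rd party": [{"Client-side HTML encoding", "Client-side JavaScript encoding"}],
}


@dataclass(frozen=True)
class Element:
    surface: str         # Where: "Web", "Services", "Data tier", ...
    name: str            # e.g. "Web services API (JSON)"
    threats: frozenset   # Who: threats that can reach this element
    controls: frozenset  # controls actually implemented on this element


def measure(element):
    """Step 3: {threat: covered | partial | missing | unknown} for one element."""
    result = {}
    for threat in sorted(element.threats):
        alternatives = REQUIRED_CONTROLS.get(threat)
        if alternatives is None:
            result[threat] = "unknown"      # no agreed control: needs analyst attention
        elif any(alt <= element.controls for alt in alternatives):
            result[threat] = "covered"
        elif any(alt & element.controls for alt in alternatives):
            result[threat] = "partial"      # some, but not all, of a required set
        else:
            result[threat] = "missing"
    return result


def gaps(elements):
    """Everything not fully covered, as (surface, element, threat, status) rows."""
    return [(el.surface, el.name, threat, status)
            for el in elements
            for threat, status in measure(el).items()
            if status != "covered"]


def reexamine(before, after):
    """Architecture changed: which elements are new, altered or gone since the last model."""
    old = {(e.surface, e.name): e for e in before}
    new = {(e.surface, e.name): e for e in after}
    return {
        "added": sorted(k for k in new if k not in old),
        "changed": sorted(k for k in new if k in old and new[k] != old[k]),
        "removed": sorted(k for k in old if k not in new),
    }


# Constructed inventory for illustration: the same Web surface before and after a change.
BASELINE = [
    Element("Web", "User interface",
            frozenset({"Malicious user", "Man in the middle", "Malicious 3rd party"}),
            frozenset({"Authentication", "Authorization", "HTTPS", "Client-side HTML encoding"})),
    Element("Web", "Web services API (JSON)",
            frozenset({"Rogue client", "Man in the middle"}),
            frozenset({"Mutual SSL", "HTTPS"})),
]
REVISED = BASELINE[:1] + [
    Element("Web", "Web services API (JSON)",
            frozenset({"Rogue client", "Man in the middle"}),
            frozenset({"HTTPS"})),           # mutual SSL dropped during the change
    Element("Web", "HTML5 local storage",
            frozenset({"Malicious 3rd party"}), frozenset()),   # new entry point, no controls yet
]

if __name__ == "__main__":
    for row in gaps(REVISED):
        print(row)
    print(reexamine(BASELINE, REVISED))
```

The baseline already shows one partial finding (HTML encoding without JavaScript encoding against the malicious 3rd party); the revised inventory adds a missing control on an existing element and a new element with no controls at all, which is exactly the situation the closing paragraph says warrants re-examining the attack surfaces.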
By Vinay Vishwanatha, Senior Consultant