OWASP Top 10 - Effectiveness of WAFs (meetupfiles.meetup.com/12990252/owasp top 10 - effectiveness of wafs...)
Post on 28-Feb-2019
OWASP Top 10Effectiveness of Web Application Firewalls
David Caissy
Copyright© 2016 Albero Solutions Inc. All rights reserved.
About Me
David Caissy
• Web App Penetration Tester
• IT Security Trainer:
• Developers
• Penetration Testers
Before We Start…
French English
Voyons! Come on!
My Problem…
When WAF vendors say:
“…enables organizations to protect against OWASP top 10 threats”
“…WAF to Protect Against OWASP Top 10 Threats”
“Full Coverage Out-of-the-box of OWASP Top-10 Threats”
Web Application Firewalls vs OWASP Top 10
We are going to cover:
• Commercial vs Open Source WAFs
• WAF Filtering
• Effectiveness against the OWASP Top 10
Web Application Firewalls (WAF)
• Specialized firewalls
• Understand web technologies (HTML, SQL, etc.)
• Intrusion Detection System (IDS)
–Raise alarms
• Intrusion Prevention System (IPS)
–Dynamically block malicious traffic
Commercial WAFs
• Dynamic profiling
–Learn from "known good traffic"
• Central Management and Reporting
• Other functionalities
–Database Activity Monitoring (DAM)
–Anti-virus
Open Source WAFs
• Free!
• Good community support
• Some are mature projects
–ModSecurity (Trustwave)
–IronBee (Qualys)
Problem with Web Application Firewall Deployment
• Firewall guys don't know anything about web applications
• Developers don't know anything about firewalls
• So who should deploy them?
The Threat
• Script kiddies and automated tools
• Hackers
• Advanced Persistent Threat (APT)
–Team of expert hackers
–Lots of resources
Attacker's Perspective
1. Find out if there’s a WAF
2. Fingerprint WAF
3. Test WAF in a lab
4. Launch attacks
5. When blocked, change IP and start again!
Defender's Perspective
• WAFs often protect many web applications
• No time for custom fine-tuning…
–Focus on basic configuration
• Often expected to replace proper application security
Problems with WAF Filtering: They often don't see attacks coming!!
Problems with WAF Filtering
1. Useless against logical errors
Example: One-time use discount codes
Code            Discount    Min. Purchase
NEWCLIENT100    $10 off     $100
NEWCLIENT300    $50 off     $300
NEWCLIENT500    $100 off    $500
Problems with WAF Filtering
2. White listing (Positive Security Model)
–Requires time and effort
3. Black listing (Negative Security Model)
–Ok, but not perfect…
Problems with Filtering
Example:
SQL Injection attack on a Search Address textbox:
Elm Street" UNION ALL SELECT pwd
FROM users WHERE username = "freddy" #
Blocked by the WAF !
Problems with Filtering
• Hackers look for valid characters
• For a search field, these values are valid:
–36 O'Connor Street
–1025-B Main Blvd., Ottawa (Ontario)
• Therefore WAFs must allow:
–Numbers and letters
–These special characters: ' - . , ( )
Problems with Filtering
So instead of:
Elm Street" UNION ALL SELECT pass
FROM users WHERE username = "freddy" #
We can try:
Elm Street' UNION ALL SELECT pass
FROM users WHERE username LIKE 'freddy' --
Bypassing Signatures
Various request notations with the same meaning:
SELECT * FROM user WHERE username = '<inject here>'
user' OR mid(pwd,1,1)='*' #
user' OR mid(pwd,1,1) like '*' #
user' OR mid(pwd,1,1)=0x2a #
user' OR mid(pwd,1,1)=unhex('2a') #
user' OR find_in_set('2a',hex(mid(pwd,1,1)))=1 #
user' OR locate(0x2a,pwd)=1 #
user' OR position(0x2a in pwd)=1 #
user' OR mid(pwd,1,1) regexp '[*]' #
user' OR mid(pwd,1,1) rlike '[*]' #
user' OR ord(mid(pwd,1,1))=42 #
user' OR ascii(mid(pwd,1,1))=42 #
https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF
(Slide callouts on the variants above: hex value, regular expression, decimal value, ASCII character)
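The two filtering slides above (the Search Address field and the equivalent notations) can be reproduced in a few lines. The following is an added Python model, not code from the deck: the character whitelist and the one-line signature are hypothetical stand-ins for vendor rules, the schema and rows are constructed, and SQLite is used in place of MySQL, so `substr`, `unicode` and `instr` play the roles of `mid`, `ord` and `locate`. It shows the first payload being blocked on its characters alone, the rewritten payload passing the same check and extracting a password, the same row coming back from every spelling of the boolean probe while only one spelling trips the signature, and the parameterised query that makes all of them inert.

```python
"""Toy negative-security filter and the two bypass patterns from the slides.

Added example, not part of the original deck. The rules, schema and rows are
constructed stand-ins; real WAF signatures are far larger, but the failure
mode is the same: a filter matches syntax, the database evaluates meaning.
"""
import re
import sqlite3

# Characters a Search Address field must accept: letters, digits, space and ' - . , ( )
ALLOWED_ADDRESS_CHARS = re.compile(r"^[A-Za-z0-9 '\-.,()]*$")

# Hypothetical signature for "<expr> = '<literal>'" probes such as mid(pwd,1,1)='*'
EQUALS_QUOTED = re.compile(r"=\s*'[^']*'")

# Slide payloads: the first uses ", = and #; the second only characters an address may contain
BLOCKED_PAYLOAD = 'Elm Street" UNION ALL SELECT pwd FROM users WHERE username = "freddy" #'
BYPASS_PAYLOAD = "Elm Street' UNION ALL SELECT pwd FROM users WHERE username LIKE 'freddy' --"

# Equivalent boolean probes (SQLite spellings of the MySQL variants on the slide).
# All ask "does the password start with N?"; only the first contains  = '...'
PROBE_VARIANTS = {
    "equals":  "x' OR substr(pwd,1,1)='N' --",
    "like":    "x' OR substr(pwd,1,1) LIKE 'N' --",
    "decimal": "x' OR unicode(substr(pwd,1,1))=78 --",
    "instr":   "x' OR instr(pwd,'N')=1 --",
}


def address_filter_blocks(value: str) -> bool:
    """Character whitelist for the address field: True means the WAF would block."""
    return ALLOWED_ADDRESS_CHARS.match(value) is None


def signature_blocks(value: str) -> bool:
    """Blacklist signature: True means the WAF would block."""
    return EQUALS_QUOTED.search(value) is not None


def fresh_db() -> sqlite3.Connection:
    """Constructed schema mirroring the slide: addresses to search, users with passwords."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE addresses(street TEXT);"
        "INSERT INTO addresses VALUES ('36 Elm Street'), ('1025-B Main Blvd.');"
        "CREATE TABLE users(username TEXT, pwd TEXT);"
        "INSERT INTO users VALUES ('freddy', 'N1ghtmare'), ('jason', 'h0ckey');"
    )
    return con


def vulnerable_search(con: sqlite3.Connection, term: str) -> list:
    """Concatenates user input into SQL text (the bug the WAF is being asked to hide)."""
    sql = "SELECT street FROM addresses WHERE street = '" + term + "'"
    return [row[0] for row in con.execute(sql)]


def safe_search(con: sqlite3.Connection, term: str) -> list:
    """Parameterised query: the same payload is just a street name that matches nothing."""
    return [row[0] for row in con.execute(
        "SELECT street FROM addresses WHERE street = ?", (term,))]


def vulnerable_lookup(con: sqlite3.Connection, username: str) -> list:
    """Login-style lookup with the same concatenation bug."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in con.execute(sql)]


def evaluate_probes(con: sqlite3.Connection) -> dict:
    """For each variant: (blocked by the signature?, rows the database returns if it is not)."""
    results = {}
    for name, payload in PROBE_VARIANTS.items():
        blocked = signature_blocks(payload)
        rows = [] if blocked else vulnerable_lookup(con, payload)
        results[name] = (blocked, rows)
    return results


if __name__ == "__main__":
    db = fresh_db()
    print("address filter blocks slide payload:", address_filter_blocks(BLOCKED_PAYLOAD))
    print("address filter blocks rewritten payload:", address_filter_blocks(BYPASS_PAYLOAD))
    print("vulnerable search leaks:", vulnerable_search(db, BYPASS_PAYLOAD))
    print("parameterised search returns:", safe_search(db, BYPASS_PAYLOAD))
    for name, (blocked, rows) in evaluate_probes(db).items():
        print(f"{name:8s} blocked={blocked} rows={rows}")
```

The point to take from running it: the filter that must admit `'`, `-`, `,` and `(` for legitimate addresses cannot distinguish the rewritten payload from an address, and a signature written for one spelling of a probe says nothing about the other three. The only function that is safe against every variant is the one that never lets input become SQL text.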
Legend:
• WAFs block the majority of attacks, very effective
• WAFs block some attacks
• WAFs are not effective safeguards
WAFs vs OWASP Top 10
A1 - Injection Attacks
• SQL injection, command injection, etc.
• Malicious data sent to an interpreter
A1 - Injection Attacks
WAFs will block or alert when:
–Parameter's length is too long
–Read-only parameters are changed
–Unexpected characters are found
–Malicious signatures are encountered
A1 - Injection Attacks
WAFs are very good against injection attacks!
• Stop automated tools and script kiddies
• But they can sometimes be bypassed by experts
Verdict
–Block most attacks
–Can sometimes be bypassed by expert hackers and APTs
A2 – a) Session Management
Securing the HTTP Session
A2 - a) Session Management
Commercial WAFs profile the application
–Identify read-only cookies
–Sign and encrypt cookies
With Database Activity Monitoring (DAM)
–Can match web sessions with database queries
A2 - a) Session Management
WAFs can also:
• Track simultaneous user authentication from different IPs
• SSL Termination
• Traffic decryption
A2 – b) Broken Authentication
Broken Authentication vulnerabilities are often logical flaws
Example:
–Invalid username and invalid password:
"Your username and your password are invalid"
–Valid username and invalid password:
"Your password is invalid"
–Vulnerable to account harvesting
A3 - Cross-Site Scripting (XSS)
An attacker can:
–Execute scripts in the victim's browser
–Hijack user sessions
–Deface web sites
<SCRIPT>alert("XSS");</SCRIPT>
A3 - Cross-Site Scripting (XSS)
Three types of XSS:
1. Stored (Persistent)
2. Reflected (Non-Persistent)
3. Document Object Model (DOM-based)
A3 - Cross-Site Scripting (XSS)
Reflected and Stored XSS:
1. User input is sent to the server for processing
2. Then it's sent back to the browser in a web page
Malicious code is executed in the victim's browser
A3 - Cross-Site Scripting (XSS)
WAFs prevent Reflected and Stored XSS attacks using:
– Some white listing
– Mostly black listing
Bypassing filtering is difficult…
Overall, they are hard to beat!
A3 - Cross-Site Scripting (XSS)
DOM-based XSS:
Usually exploited through JavaScript
1. User input is processed on the client-side
2. Then it's rendered directly in the web page
A3 - Cross-Site Scripting (XSS)
DOM-based XSS:
– User input is reflected by JavaScript code, not the server
– No malicious code is sent to the server
What can a WAF do if no malicious code is going through it?
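The difference between the two XSS slides comes down to which part of the URL the browser sends. The following is an added Python model of the browser's behaviour, not code from the deck: the site, the `name` parameter, the payload and the one-line event-handler signature are constructed. The same payload is placed once in the query string (reflected) and once in the fragment (DOM-based); the request-target the browser actually transmits is computed for each, the signature is run over it, and the vulnerable and escaped sinks are shown side by side.

```python
"""Why a DOM-based XSS never reaches the WAF: a model of what the browser sends.

Added example, not from the deck. The site, the `name` parameter and the payload are
constructed; the browser is modelled with urllib (everything after # stays client-side).
"""
import re
from html import escape
from urllib.parse import parse_qs, quote, unquote, urlsplit

PAYLOAD = '<img src=x onerror="alert(document.cookie)">'

# A minimal event-handler signature of the kind a WAF applies to the request line and body
XSS_SIGNATURE = re.compile(r"<\s*\w+[^>]*\bon\w+\s*=", re.I)


def attacker_urls(payload: str) -> tuple:
    """Two phishing links with the same payload: in the query (reflected) and in the fragment (DOM)."""
    encoded = quote(payload)
    return ("https://shop.example/welcome?name=" + encoded,
            "https://shop.example/welcome#" + encoded)


def request_target(url: str) -> str:
    """What the browser puts on the GET line: path and query only. The fragment never leaves the browser."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def waf_sees_attack(url: str) -> bool:
    """Inline WAF check over the decoded request-target."""
    return XSS_SIGNATURE.search(unquote(request_target(url))) is not None


def reflected_render(url: str) -> str:
    """Server-side reflection of the query parameter (reflected XSS)."""
    name = parse_qs(urlsplit(url).query).get("name", [""])[0]
    return "<h1>Hello " + name + "</h1>"


def dom_render_vulnerable(url: str) -> str:
    """Client-side sink: JavaScript reads location.hash and writes it with innerHTML."""
    name = unquote(urlsplit(url).fragment)
    return "<h1>Hello " + name + "</h1>"


def dom_render_safe(url: str) -> str:
    """Same source, but written as text (textContent, or escaped) so markup is inert."""
    name = unquote(urlsplit(url).fragment)
    return "<h1>Hello " + escape(name, quote=True) + "</h1>"


if __name__ == "__main__":
    reflected, dom = attacker_urls(PAYLOAD)
    for label, url in (("reflected", reflected), ("dom", dom)):
        print(f"{label}: GET {request_target(url)}  waf_sees_attack={waf_sees_attack(url)}")
    print("vulnerable DOM sink:", dom_render_vulnerable(dom))
    print("safe DOM sink:      ", dom_render_safe(dom))
```

For the DOM case the server log shows `GET /welcome` and nothing else, which is exactly the situation the slide asks about. The fix lives in the page's JavaScript (use a text sink, or encode before an HTML sink), not in any device between browser and server.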
A4 - Insecure Direct Object References
Direct access to an object without proper access control
Shopping Cart Id:
What if we change the cart id?
www.company.com/shoppingCartId=127
www.company.com/shoppingCartId=126
A4 - Insecure Direct Object References
• Most WAFs are ineffective against these attacks
• Some commercial WAFs:
– Learn "normal" user activity
– Then block parameter tampering
• Combined with a database firewall
–Slightly improves detection
A5 - Security Misconfiguration
Lack proper hardening
–Web server
–Database
–Application, including its framework
–Operating system
Examples include:
–Default accounts
–Unused services
–Missing patches
–Shared passwords
A5 - Security Misconfiguration
Commercial WAFs integrate with web app vulnerability scanners
• Import scan results
• Dynamically generate rules
–Virtual patching
• But you need many expensive tools...
• Free WAFs don't support this feature
A5 - Security Misconfiguration
Without importing vulnerability scan results
• Commercial WAFs block deviation from the norm
– Stops script kiddies and automated tools
– Not enough to stop most hackers...
• Open source WAFs are pretty defenseless...
A5 - Security Misconfiguration
• Commercial WAFs + vuln scans + dynamic profiling
• Commercial WAFs + dynamic profiling
• Free and open source WAFs
A6 - Sensitive Data Exposure
When sensitive data is exposed to an attacker
• Confidential data in clear text within the database
• HTTPS not used
WAFs can:
• Detect common data types (ex: credit card numbers)
• Block server responses containing these values
http://bigbank.com/accountsInfo
A6 - Sensitive Data Exposure
But WAFs don't know:
• If DBAs have access to unencrypted data
• If HTTPS should be used
• If a given document is confidential
• If cryptographic algorithms are strong enough
• If private keys are stored properly
Only humans can assess sensitive data exposure…
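What a WAF can do on the response side, detecting well-known data formats, is easy to show and also shows its limits. The following is an added Python example, not code from the deck: the candidate regex, the Luhn check, the masking and the sample JSON response are constructed (the card numbers are the public Visa, Mastercard and Amex test values). The checksum is what separates a card number from an order reference or a phone number; nothing here can tell whether the account field is confidential, which is the slide's point.

```python
"""Response-side detection of card numbers, as the slide describes WAFs doing.

Added example, not from the deck. The candidate regex, the Luhn check and the
sample response are constructed; the card numbers are public test values.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not part of a longer digit run
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled, digit sums must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(body: str) -> list:
    """Candidates that also pass Luhn; the checksum keeps order and phone numbers out."""
    hits = []
    for m in CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group())
    return hits


def mask(token: str) -> str:
    """Keep the last four digits and the separators, star out the rest."""
    total = sum(ch.isdigit() for ch in token)
    seen, out = 0, []
    for ch in token:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def filter_response(body: str, mode: str = "mask") -> tuple:
    """Return (body to send, blocked?). 'block' drops the response, 'mask' rewrites it in place."""
    hits = find_card_numbers(body)
    if not hits:
        return body, False
    if mode == "block":
        return "", True
    for hit in hits:
        body = body.replace(hit, mask(hit))
    return body, False


# Constructed server response: two card numbers, one order reference and a phone number
SAMPLE_RESPONSE = (
    '{"account":"ACC-2019-000123",'
    '"cards":["4111 1111 1111 1111","5500-0000-0000-0004"],'
    '"order_ref":"1234567890123456","phone":"613-555-0142"}'
)

if __name__ == "__main__":
    print("found:", find_card_numbers(SAMPLE_RESPONSE))
    print("masked:", filter_response(SAMPLE_RESPONSE, "mask")[0])
    print("blocked:", filter_response(SAMPLE_RESPONSE, "block")[1])
```

The candidate pattern is deliberately simple; in production the extractor has to cope with digit runs that abut other numbers, and a sixteen-digit order number that happens to pass Luhn will be a false positive. That is the trade-off behind the slide: a WAF can recognise a format, not a classification.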
A7 - Missing Function Level Access Control
When low privilege users can access restricted functions
• Create users
• Assign privileges
• Delete information
• Approve requests
www.company.com/createUser
A7 - Missing Function Level Access Control
WAFs are good at preventing automated tools from discovering the vulnerabilities
• Detect crawlers/spiders
• Prevent enumeration of files and directories
www.company.com/admin/
www.company.com/config/
www.company.com/script/
www.company.com/images/
...
A7 - Missing Function Level Access Control
However, WAFs are weak at
1. Detecting manual discovery
2. Preventing their exploitation
Some commercial WAFs ensure that files and functions are accessed in the correct order
–But this can easily be bypassed...
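The A4 (shopping cart id) and A7 (createUser) slides share one cause: the request is legitimate HTTP, the user is authenticated, and nothing checks whether that user may touch that object or call that function. The following is an added Python example covering both, not code from the deck: users, carts, routes and the small signature set are constructed. It runs the same requests through handlers that skip authorization and through hardened ones with a deny-by-default route table and an ownership check, and shows that a signature WAF inspecting those requests has nothing to match.

```python
"""Object-level (A4) and function-level (A7) access control as application logic.

Added example, not from the deck. Users, carts and routes are constructed. Every
request below is well-formed HTTP with ordinary-looking values, which is why a
signature WAF has nothing to match: the bug is in who may do what, not in the bytes.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    user: str        # authenticated principal taken from the session, never from a parameter
    path: str
    params: dict


@dataclass
class Store:
    carts: dict = field(default_factory=dict)
    roles: dict = field(default_factory=dict)


def fresh_store() -> Store:
    return Store(
        carts={126: {"owner": "bob", "items": ["skates"]},
               127: {"owner": "alice", "items": ["helmet"]}},
        roles={"alice": "customer", "bob": "customer", "carol": "admin"},
    )


class Forbidden(Exception):
    pass


# A small negative-security signature set; the IDOR and forced-browsing requests never trip it.
WAF_SIGNATURES = [re.compile(p, re.I) for p in
                  (r"union\s+select", r"<script", r"\.\./", r"['\"]\s*or\s+")]


def waf_flags(req: Request) -> bool:
    """What a signature WAF inspects: path and parameters, as text."""
    blob = req.path + " " + " ".join(f"{k}={v}" for k, v in req.params.items())
    return any(s.search(blob) for s in WAF_SIGNATURES)


# --- vulnerable handlers: the user is authenticated, but nothing checks authorization ---
def view_cart_vulnerable(store: Store, req: Request) -> list:
    return store.carts[int(req.params["shoppingCartId"])]["items"]


def create_user_vulnerable(store: Store, req: Request) -> list:
    store.roles[req.params["username"]] = "customer"
    return sorted(store.roles)


# --- hardened handlers ---
ROUTE_ROLES = {"/shoppingCart": {"customer", "admin"}, "/createUser": {"admin"}}


def authorize(store: Store, req: Request) -> None:
    """Function-level check (A7): deny by default; the role comes from the server-side store."""
    if store.roles.get(req.user) not in ROUTE_ROLES.get(req.path, set()):
        raise Forbidden(f"{req.user} may not call {req.path}")


def view_cart_hardened(store: Store, req: Request) -> list:
    authorize(store, req)
    cart = store.carts.get(int(req.params["shoppingCartId"]))
    # Object-level check (A4): a missing cart and someone else's cart get the same answer,
    # so the response does not confirm which ids exist.
    if cart is None or cart["owner"] != req.user:
        raise Forbidden("no such cart for this user")
    return cart["items"]


def create_user_hardened(store: Store, req: Request) -> list:
    authorize(store, req)
    return create_user_vulnerable(store, req)


def is_denied(handler, store: Store, req: Request) -> bool:
    """True when the handler refuses the request (the 403 path in a real application)."""
    try:
        handler(store, req)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    foreign = Request("alice", "/shoppingCart", {"shoppingCartId": "126"})
    admin_call = Request("alice", "/createUser", {"username": "mallory"})
    print("WAF flags either request:", waf_flags(foreign) or waf_flags(admin_call))
    print("vulnerable cart view:", view_cart_vulnerable(fresh_store(), foreign))
    print("hardened cart view denied:", is_denied(view_cart_hardened, fresh_store(), foreign))
    print("hardened createUser denied:", is_denied(create_user_hardened, fresh_store(), admin_call))
```

The route table is the part commercial profiling tries to learn from traffic; written down by the developers it is a few lines and it is exact. The ownership check cannot be learned from traffic at all, because `shoppingCartId=126` and `shoppingCartId=127` look identical on the wire.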
A8 - Cross-Site Request Forgery (CSRF)
CSRF attacks force a logged-in victim’s browser to send a forged HTTP request
All WAFs are very effective against CSRF attacks:
• Automatically add synchronizer tokens to forms and check them on submission
CSRFTOKEN=54AC455F45EE54638BCE8EE6A
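The synchronizer-token mechanism the slide credits WAFs with is small enough to show whole. The following is an added Python example, not code from the deck: the session store is a plain dict, the form is constructed, and the field name follows the slide. It issues one unguessable token per session, rewrites every form in the response to carry it, and rejects state-changing requests whose token does not match in constant time.

```python
"""Synchronizer-token CSRF protection, the mechanism the slide credits WAFs with adding.

Added example, not from the deck. Session storage is a plain dict and the form is
constructed; the field name follows the slide (CSRFTOKEN).
"""
import hmac
import re
import secrets

TOKEN_FIELD = "CSRFTOKEN"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
FORM_TAG = re.compile(r"(<form\b[^>]*>)", re.I)


def issue_token(session: dict) -> str:
    """One unguessable token per session, kept server-side and reused until the session ends."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_hex(16)
    return session[TOKEN_FIELD]


def inject_token(html: str, token: str) -> str:
    """Response rewriting: add a hidden field right after every <form ...>, as an inline WAF does."""
    hidden = f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
    return FORM_TAG.sub(lambda m: m.group(1) + hidden, html)


def verify(session: dict, method: str, form_fields: dict) -> bool:
    """Request check: a state-changing request must carry this session's token.

    A forged cross-site request cannot read the victim's page, so it cannot learn
    the token; the comparison is constant-time so it cannot be guessed byte by byte."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get(TOKEN_FIELD)
    supplied = form_fields.get(TOKEN_FIELD, "")
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo() -> dict:
    """A legitimate submission, a forged one from another origin, and a guessed token."""
    victim_session = {}
    page = '<form method="post" action="/transfer"><input name="amount"></form>'
    served = inject_token(page, issue_token(victim_session))
    token = re.search(r'value="([0-9a-f]+)"', served).group(1)
    legitimate = verify(victim_session, "POST", {"amount": "100", TOKEN_FIELD: token})
    forged = verify(victim_session, "POST", {"amount": "100"})      # attacker's page has no token
    guessed = verify(victim_session, "POST", {"amount": "100", TOKEN_FIELD: "0" * 32})
    return {"legitimate": legitimate, "forged": forged, "guessed": guessed}


if __name__ == "__main__":
    print(demo())
```

One caveat worth knowing when the WAF rather than the application does this: form rewriting only covers forms the WAF can see in HTML responses. Requests that JavaScript builds itself (JSON bodies, XHR) carry no rewritten form, so they need the token supplied another way or they stay unprotected.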
A9 - Using Known Vulnerable Components
• When applications use components with known vulnerabilities
• Hackers are motivated to find them!
A9 - Using Known Vulnerable Components
• WAFs offer:
–Attack signatures against specific vulnerabilities
–Set of pre-defined policies
• Automated attacks are blocked by WAFs
–Represents only a small class of vulnerable components...
• WAFs are not aware of vulnerable libraries used internally by web applications
A10 - Unvalidated Redirects and Forwards
When web applications use untrusted data to forward users to other websites
Frequently exploited through:
• XSS
• Phishing attack
www.company.com/redirect=changePass.net
What? FISHING attack?
A10 - Unvalidated Redirects and Forwards
Open Source WAFs can:
• Detect when the HTTP request contains the redirected URL
Commercial WAFs can also:
• Block redirects to known malicious web sites
–Vendor's reputation service
• Generate rules based on known good traffic
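The application-side fix for the redirect slide is an allow-list check, and the interesting part is the URL forms it has to survive. The following is an added Python example, not code from the deck: the trusted hosts and every input are constructed, and the parameter name follows the slide. It places the vulnerable redirect next to a hardened one that accepts only same-site paths or HTTPS URLs on the trusted hosts, and handles backslashes, protocol-relative URLs, `user@host` tricks and look-alike domains; it also models the generic rule the slide attributes to open source WAFs, which flags a Location header that repeats a request parameter and points off-site.

```python
"""Allow-list validation of a redirect parameter, and the URL forms attackers use to slip past it.

Added example, not from the deck. The trusted hosts and every input are constructed;
the redirect parameter name follows the slide.
"""
from urllib.parse import urlsplit, urlunsplit

TRUSTED_HOSTS = {"www.company.com", "accounts.company.com"}
FALLBACK = "https://www.company.com/"


def redirect_vulnerable(target: str) -> str:
    """The slide's bug: whatever ?redirect= says becomes the Location header."""
    return target


def redirect_hardened(target: str) -> str:
    """Return a Location value that stays on our hosts, or the fallback.

    Browsers treat a backslash like a slash in http(s) URLs, so normalise first;
    urlsplit then puts any //host (including a protocol-relative one) into netloc."""
    normalised = target.strip().replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme == "" and parts.netloc == "":
        return normalised if normalised.startswith("/") else FALLBACK   # same-site path only
    try:
        port_ok = parts.port in (None, 443)
    except ValueError:          # e.g. "https://host:abc/"
        return FALLBACK
    # hostname is lower-cased and stripped of any user@ prefix by urlsplit
    if parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS and port_ok:
        return urlunsplit(parts)
    return FALLBACK


def waf_reflected_offsite_redirect(params: dict, location: str) -> bool:
    """Generic rule from the slide: the Location header repeats a request parameter and points off-site."""
    host = urlsplit(location.replace("\\", "/")).hostname
    return host is not None and host not in TRUSTED_HOSTS and location in params.values()


if __name__ == "__main__":
    for candidate in ("/account/settings", "https://www.company.com/orders",
                      "https://changePass.net/", "//changePass.net/", "/\\changePass.net/",
                      "https://www.company.com@changePass.net/", "https:changePass.net"):
        print(f"{candidate!r:45} -> {redirect_hardened(candidate)}")
    params = {"redirect": "https://changePass.net/"}
    print("WAF flags vulnerable response:",
          waf_reflected_offsite_redirect(params, redirect_vulnerable(params["redirect"])))
    print("WAF flags hardened response:",
          waf_reflected_offsite_redirect(params, redirect_hardened(params["redirect"])))
```

Two design choices to note: the check is on the parsed host, never on a substring (so `www.company.com.changePass.net` and `www.company.com@changePass.net` both fail), and `http://` to a trusted host is refused too, since a redirect is not the place to downgrade a session from HTTPS.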
WAFs vs OWASP Top 10
Summary table (columns: Open Source WAFs | Commercial WAFs; each row is rated on the legend above, shown graphically on the slide):
A1 - Injection Attacks
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
WAF - Conclusion
WAFs are an essential component of any secure web application deployment
–Commercial WAFs are better than open source ones
–However, open source WAFs are very good against some types of attacks
WAF - Conclusion
• WAFs are not a replacement for secure web development
• Perform Vulnerability Assessments and Penetration Tests before going to production