Web Application Security Guide, Qualys, 2011


GUIDE
WEB APPLICATION SECURITY
How to Minimize the Risk of Attacks

Table of Contents

I. Summary
II. Overview of Web Application Scanning
III. Types of Web Application Vulnerabilities
IV. Detecting Web Application Vulnerabilities
V. Introducing QualysGuard® WAS 2.0
VI. Protect Your Web Applications
VII. About Qualys


Summary

Vulnerabilities in web applications are now the largest source of enterprise security attacks. Web application vulnerabilities accounted for over 55% of all vulnerabilities disclosed in the first half of 2010, according to the IBM X-Force mid-year study. That may be the tip of the iceberg, as the study covers only commercial web applications.1 Stories about compromised sensitive data frequently mention culprits such as “cross-site scripting,” “SQL injection,” and “buffer overflow.” Vulnerabilities like these often fall outside the traditional expertise of network security managers. The relative obscurity of web application vulnerabilities thus makes them useful for attacks. As many organizations have discovered, these attacks pass straight through traditional enterprise network defenses, which see only legitimate-looking HTTP traffic, unless you take new precautions.

To help you understand how to minimize these risks, Qualys provides this guide as a primer on web application security. The guide surveys typical web application vulnerabilities, compares options for detection, and introduces the QualysGuard Web Application Scanning solution, an on demand service from Qualys that automates detection of the most prevalent vulnerabilities in custom web applications.

Overview of Web Application Security

Attacks on vulnerabilities in web applications began appearing almost from the beginning of the World Wide Web, in the mid-1990s. Attacks are usually based on fault injection, which exploits flaws in how a web application parses (syntax) and interprets (semantics) its input. Using a standard browser and basic knowledge of HTTP and HTML, an attacker attempts a particular exploit by systematically varying a Uniform Resource Identifier (URI), typically one query-string parameter at a time, which in turn can trigger an exploit such as SQL injection or cross-site scripting.

A significant number of attacks exploit vulnerabilities in syntax and semantics. You can discover many of these vulnerabilities with an automated scanning tool. Logical vulnerabilities are very difficult to test with a scanning tool; they require manual work, namely source code analysis and hands-on security testing. Web application security vulnerabilities can stem from misconfigurations, bad architecture, or poor programming practices within commercial or custom application code. Vulnerabilities may be in code libraries and design patterns of popular programming languages such as Java, .NET, PHP, Python, Perl, and Ruby. These vulnerabilities can be complex and may occur under many different circumstances. Using a web application firewall might blunt the effects of some exploits but will not resolve the underlying vulnerabilities.

1 IBM ISS X-Force 2010 Mid-year Trend & Risk Report

Example of SQL injection (a single quote appended to the parameter value):
http://example/foo.cgi?a=1
http://example/foo.cgi?a=1'

Example of cross-site scripting (XSS):
http://example/foo.cgi?a=<script>…

Some attacks attempt to alter logical workflow. Attackers also execute these by automatically varying a URI.

Example of increasing privileges (a client-controlled flag that the server trusts):
http://example/foo.cgi?admin=false
http://example/foo.cgi?admin=true
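The three URI variations above, worked through as an added example in Python (not code from the Qualys guide): each attack appears as a vulnerable request handler beside its hardened form. The SQLite table, column names, the `a` and `admin` parameter names and the role stored in the session are assumptions made for the example.

```python
# Added example (not from the Qualys guide): the three URI-variation attacks
# above, each as a vulnerable handler beside a hardened one. The table,
# column and parameter names and the in-memory SQLite database are assumptions.
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    """Constructed sample data: one public item and one that must stay hidden."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE item (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER)")
    con.executemany("INSERT INTO item VALUES (?, ?, ?)",
                    [(1, "public widget", 0), (2, "internal gadget", 1)])
    return con


def query_params(uri):
    """Split a URI such as http://example/foo.cgi?a=1' into {'a': "1'"}."""
    return {k: v[0] for k, v in
            parse_qs(urlsplit(uri).query, keep_blank_values=True).items()}


# --- SQL injection: a=1' breaks the statement, a=1 OR 1=1 -- widens it ---

def lookup_vulnerable(con, a):
    """Splices the raw parameter into the SQL text."""
    sql = "SELECT name FROM item WHERE id = %s AND secret = 0" % a
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.Error as exc:
        # Returning the database error to the client is what lets a scanner
        # recognise the injection point from the a=1' probe.
        return "DB error: %s" % exc


def lookup_hardened(con, a):
    """Validates the type and binds the value; the SQL text never changes."""
    try:
        item_id = int(a)
    except ValueError:
        return []
    return [row[0] for row in con.execute(
        "SELECT name FROM item WHERE id = ? AND secret = 0", (item_id,))]


# --- Cross-site scripting: a=<script>... is echoed into the page ---

def render_vulnerable(a):
    """Echoes the parameter into HTML untouched, so markup in it executes."""
    return "<p>You searched for %s</p>" % a


def render_hardened(a):
    # Escape for the HTML text context; the markup the attacker sent becomes inert
    return "<p>You searched for %s</p>" % html.escape(a, quote=True)


# --- Privilege escalation: admin=true is trusted if it comes from the client ---

def is_admin_vulnerable(params, session):
    """Authorisation decided by a query-string flag the user controls."""
    return params.get("admin") == "true"


def is_admin_hardened(params, session):
    """The query string is ignored; the role comes from server-side session state."""
    return session.get("role") == "admin"
```

The vulnerable lookup answers `a=1'` with a database error (the signal a scanner looks for) and `a=1 OR 1=1 --` with both rows, including the one marked secret; the hardened version rejects both because the value is typed and bound rather than spliced into SQL. The same pattern applies to XSS (escape on output for the context) and to the `admin` flag (decide from state the client cannot write).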


Types of Web Application Vulnerabilities

Web applications may have any of two dozen types of vulnerabilities. Security consultants who do penetration testing may focus on finding top vulnerabilities, such as those in a list published by the Open Web Application Security Project (www.owasp.org), the OWASP Top 10. Other efforts to systematically organize web application vulnerabilities include more than 30 granular threat classifications published by the Web Application Security Consortium (www.webappsec.org). The following descriptions of web vulnerabilities are modeled on the WASC Threat Classification.

Authentication – stealing user account identities

• Brute Force attack automates a process of trial and error to guess a person’s username, password, credit-card number or cryptographic key.
• Insufficient Authentication permits an attacker to access sensitive content or functionality without proper authentication.
• Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user’s password.

Authorization – illegal access to applications

• Credential / Session Prediction is a method of hijacking or impersonating a user by guessing or deducing the unique value that identifies the user’s session.
• Insufficient Authorization permits access to sensitive content or functionality that should require more access control restrictions.
• Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for authorization.
• Session Fixation attacks force a user’s session ID to an explicit value.
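Session prediction, insufficient expiration and session fixation share one root cause: the server treats a session identifier as trustworthy without controlling how it was generated, rotated and retired. The following is an added example in Python (not from the Qualys guide) of a session store that closes all three: unpredictable IDs from the OS random source, a new ID issued at login so a planted one never becomes authenticated, and idle plus absolute timeouts enforced server-side. The timeout values, the record layout and the fake clock used to drive the walkthrough are assumptions.

```python
# Added example (not from the Qualys guide): a session store that defends
# against the three authorization weaknesses above. Timeouts, the store
# layout and the fake clock are assumptions made for the example.
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds since the last request (assumed policy)
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds since login (assumed policy)


def predictable_id(counter):
    """What a guessable scheme looks like: a sequential number. An attacker who
    sees one value can enumerate its neighbours (credential/session prediction)."""
    return "%08d" % counter


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session id -> {"user", "created", "last_seen"}

    @staticmethod
    def new_id():
        # 128 bits from the OS CSPRNG, so ids cannot be derived from earlier ones
        return secrets.token_urlsafe(16)

    def create(self, user=None):
        sid = self.new_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def login(self, old_sid, user):
        """Issue a fresh id on authentication. Keeping the pre-login id would let an
        attacker who planted it (session fixation) use the authenticated session."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid):
        # Invalidate server-side so an old cookie value cannot be replayed
        self._sessions.pop(sid, None)

    def get(self, sid):
        """Return the session record, or None once it has expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if (now - rec["last_seen"] > IDLE_TIMEOUT
                or now - rec["created"] > ABSOLUTE_TIMEOUT):
            del self._sessions[sid]        # insufficient expiration is fixed here
            return None
        rec["last_seen"] = now
        return rec


class FakeClock:
    """Controllable clock so the walkthrough below runs instantly."""
    def __init__(self, start=1_000_000.0):
        self.t = float(start)

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def walkthrough():
    """Exercise fixation, logout, idle and absolute expiry; returns the outcomes."""
    clock = FakeClock()
    store = SessionStore(clock.now)
    planted = store.create()                 # id an attacker could have set in the victim's browser
    sid = store.login(planted, "alice")
    out = {"rotated_on_login": sid != planted,
           "planted_id_dead": store.get(planted) is None,
           "fresh_id_live": store.get(sid)["user"] == "alice"}
    clock.advance(IDLE_TIMEOUT + 1)
    out["idle_expired"] = store.get(sid) is None

    sid = store.login(store.create(), "bob")
    store.logout(sid)
    out["logout_dead"] = store.get(sid) is None

    sid = store.login(store.create(), "carol")
    alive = True
    for _ in range(60):                      # keep the session busy every 10 minutes
        clock.advance(10 * 60)
        alive = store.get(sid) is not None
    out["absolute_expired"] = not alive
    return out
```

The absolute timeout matters even for a user who never goes idle: without it, a stolen cookie stays valid for as long as the attacker keeps using it. In a real deployment the cookie carrying the ID should also be flagged `Secure` and `HttpOnly`, which is outside what this store controls.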

Client-side Attacks – illegal execution of foreign code

• Content Spoofing tricks a user into believing that certain content appearing on a web site is legitimate and not from an external source.
• Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which loads into a user’s browser.

Command Execution – hijacks control of web application

• Buffer Overflow attacks alter the flow of an application by overwriting parts of memory.
• Format String Attack alters the flow of an application by using string formatting library features to access other memory space.
• LDAP Injection attacks exploit web sites by constructing LDAP statements from user-supplied input.
• OS Commanding executes operating system commands on a web site by manipulating application input.

• SQL Injection constructs illegal SQL statements on a web site application from user-supplied input.
• SSI Injection (also called Server-side Include) sends code into a web application, which is later executed locally by the web server.
• XPath Injection constructs XPath queries from user-supplied input.

“The number of new vulnerability disclosures in the first half of the year is at the highest level ever recorded. This is in stark contrast to the 2009 mid-year report when new vulnerability disclosures were at the lowest level in the previous four years. Web application vulnerabilities—particularly cross-site scripting and SQL injection—continue to dominate the threat landscape.” IBM X-Force® 2010 Mid-year Trend & Risk Report

Information Disclosure – shows sensitive data to attackers

• Directory Indexing is an automatic directory listing / indexing web server function that shows all files in a requested directory if the normal base file is not present.
• Information Leakage occurs when a web site reveals sensitive data such as developer comments or error messages, which may aid an attacker in exploiting the system.
• Path Traversal forces access to files, directories and commands that potentially reside outside the web document root directory.
• Predictable Resource Location uncovers hidden web site content and functionality.
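Path traversal is worth seeing in code because the naive fix (stripping the literal string `../`) is itself bypassable with URL encoding or backslashes. The following added example in Python (not from the Qualys guide) resolves a requested path against a document root and refuses anything that lands outside it, after decoding once, normalising separators and rejecting NUL bytes and dot-files. The document root, the dot-file rule and the sample paths are assumptions; the paths are computed with `posixpath` and never touched on disk, so the block runs anywhere.

```python
# Added example (not from the Qualys guide): resolving a requested path
# against a document root so that traversal sequences cannot escape it.
# The document root and the hidden-file rule are assumptions; the paths are
# computed with posixpath and never touched on disk, so the block runs anywhere.
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"   # assumed document root


def vulnerable_path(requested):
    """Concatenates the client path onto the root; ../ walks out of it."""
    return DOCROOT + "/" + requested


def vulnerable_resolves_to(requested):
    """Where the naive concatenation actually lands once ../ is resolved."""
    return posixpath.normpath(vulnerable_path(requested))


def safe_path(requested):
    """Map a URL path to a file under DOCROOT, or return None if it escapes
    the root, contains a NUL byte, or names a dot-file such as .git/config."""
    decoded = unquote(requested)             # decode once, as the server does (%2e%2e%2f)
    if "\x00" in decoded:                    # NUL can truncate the name in C-level opens
        return None
    decoded = decoded.replace("\\", "/")     # backslashes are separators on Windows hosts
    candidate = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        return None                          # ../ resolved to somewhere outside the root
    relative = candidate[len(DOCROOT):]
    if any(part.startswith(".") for part in relative.split("/") if part):
        return None                          # hidden files and directories are not served
    return candidate
```

The check is done on the normalised result, not on the input, so `%2e%2e/`, `..%2f` and `..\` all collapse to the same rejected path. One caveat this block cannot show without a filesystem: if the document root contains symbolic links, compare `os.path.realpath` of the candidate against the real path of the root as well, because a link inside the root can point outside it.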

Logical Attacks – interfere with application usage

• Abuse of Functionality uses a web site’s own features and functionality to consume, defraud, or circumvent access control mechanisms.
• Denial of Service (DoS) attacks prevent a web site from serving normal user activity.
• Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually.
• Insufficient Process Validation permits an attacker to bypass or circumvent the intended flow of an application.

Detecting Web Application Vulnerabilities

There is no “silver bullet” for detecting web application vulnerabilities. The strategy for their detection mirrors the multi-layer approach used for security on a network. Detection and remediation of some vulnerabilities requires source code analysis, particularly for complex enterprise-scale web applications. Detection of other vulnerabilities may also require on-site penetration testing. As mentioned earlier, the most prevalent web application vulnerabilities can also be detected with an automated scanner. An automated web application vulnerability scanner both supplements and complements manual forms of testing. It provides four key benefits:

• Lower total cost of operations by automating repeatable testing processes
• Close security loopholes by discovering and identifying rogue web applications
• Understand the security risks for your most public and accessible IT assets
• Drive secure coding practices for custom application development

“Enterprise-class web application scanning solutions are broader, and should include a wide range of tests for major web application vulnerability classes, such as SQL injection, cross-site scripting, and directory traversals. The OWASP Top 10 is a good starting list of major vulnerabilities, but an enterprise class solution shouldn’t limit itself to just one list or category of vulnerabilities. An enterprise solution should also be capable of scanning multiple applications, tracking results over time, providing robust reporting (especially compliance reports), and providing reports customized for local requirements.” Securosis.com, Building a Web Application Security Program whitepaper

A scanner does not have access to a web application’s source code, so the only way it can detect vulnerabilities is by sending likely attacks to the running application and judging the responses. Time required for scanning varies, but doing a broad simulated attack on an application takes significantly longer than doing a network vulnerability scan against a single IP. A major requirement for a web application vulnerability scanner is comprehensive coverage of the target application’s functionality: every page, form and parameter the scanner never reaches is one it cannot test. Incomplete coverage will cause the scanner to overlook existing vulnerabilities.
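To make the black-box approach concrete, here is an added example in Python of the core loop such a scanner runs: for each URL it knows, it replaces each query parameter with a probe value and judges the response, checking a baseline first so that error text or markup already present on the page is not reported as a finding. This is illustrative code, not QualysGuard's logic and not from the Qualys guide; the target is a simulated application (a function rather than a network service), and the probe strings, error signatures and URLs are assumptions constructed for the example.

```python
# Added example (not from the Qualys guide, nor QualysGuard's own logic): a
# minimal black-box scanner that varies each query parameter with probes and
# judges the response, with a baseline check to avoid false positives. The
# target is a simulated application (a function), and the probes, error
# signatures and URLs are assumptions constructed for the example.
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SQL_ERROR = re.compile(
    r"(you have an error in your sql syntax|unclosed quotation mark|"
    r"sqlite3\.OperationalError|near \".*?\": syntax error|ORA-\d{5}|SQLSTATE)",
    re.I)

SQLI_PROBES = ["'", "1'"]                         # the guide's a=1' style probe
XSS_PROBES = ["<script>alert(1)</script>", '"><svg/onload=1>']


def simulated_app(url):
    """Constructed target: /search reflects input raw, /item builds SQL from id
    without validation, /about escapes its output."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if parts.path == "/search":
        return "<h1>Results for %s</h1>" % q.get("q", "")
    if parts.path == "/item":
        try:
            int(q.get("id", "0"))
        except ValueError:
            return 'sqlite3.OperationalError: near "\'": syntax error'
        return "<p>item</p>"
    if parts.path == "/about":
        return "<p>Hi %s</p>" % html.escape(q.get("name", ""), quote=True)
    return "404 not found"


def with_param(url, name, value):
    """Return url with one query parameter replaced by the probe value."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    q[name] = value
    return urlunsplit(parts._replace(query=urlencode(q)))


def scan(fetch, urls):
    """Probe every parameter of every URL; return sorted (class, path, param) findings."""
    findings = set()
    for url in urls:
        parts = urlsplit(url)
        baseline = fetch(url)
        for name in parse_qs(parts.query, keep_blank_values=True):
            # SQL injection: an error signature that the unmodified page does not show
            if not SQL_ERROR.search(baseline):
                for probe in SQLI_PROBES:
                    if SQL_ERROR.search(fetch(with_param(url, name, probe))):
                        findings.add(("sqli", parts.path, name))
                        break
            # Reflected XSS: the probe comes back byte-for-byte, i.e. unescaped
            for probe in XSS_PROBES:
                if probe not in baseline and probe in fetch(with_param(url, name, probe)):
                    findings.add(("xss", parts.path, name))
                    break
    return sorted(findings)
```

Two properties of this loop map directly onto the guide's points. Coverage: the scanner only tests URLs and parameters in the list it is given, so a crawler that misses a form leaves that form untested. False positives: the baseline comparison is the simplest form of "profiling the target's behaviour"; a production scanner goes further, for instance confirming an injection with a second, differently shaped probe before reporting it.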

Introducing QualysGuard® WAS 2.0

The QualysGuard Web Application Scanning (WAS) solution is an on demand service integrated into the QualysGuard security and compliance Security-as-a-Service (SaaS) suite. Use of QualysGuard WAS presumes no specialized knowledge of web security. The service allows a network security or IT administrator to execute comprehensive, accurate vulnerability scans on custom web applications such as shopping carts, forms, login pages, and other types of dynamic content. The broad scope of coverage focuses tests on web application security.

Figure 1: The QualysGuard WAS 2.0 Dashboard
Figure 2: Scan Management view within QualysGuard WAS 2.0


Key Benefits

QualysGuard WAS helps organizations catalog web applications within their enterprise and get an inventory of their applications, no matter where they reside. Then, QualysGuard WAS automates repeatable techniques used to identify the most prevalent web vulnerabilities, such as SQL injection and cross-site scripting in web applications. It combines pattern recognition and observed behaviors to accurately identify and verify vulnerabilities. The QualysGuard WAS service identifies and profiles login forms, session state, error pages, and other customized features of the target application, even if it extends across multiple web sites. This site profile data helps QualysGuard WAS to adapt to changes as the web application matures. Adaptability enables the scanner to be used against unknown or legacy web applications that may carry little information about error pages or other behavior. As a result, QualysGuard WAS delivers accurate detection and reduces false positives. The automated nature of QualysGuard WAS enables regular testing that produces consistent results and easily scales for large numbers of web sites.

Feature Highlights

QualysGuard WAS offers comprehensive capabilities to assess, track, and report web application vulnerabilities. Key features include:

• Crawling & Link Discovery – Embedded browser crawls complex sites. Reaches wide coverage of the site’s functionality by sampling redundant and related links.
• Authentication – Automatically finds and authenticates to login forms. Maintains an authenticated session. Support for server-based authentication (Basic, Digest, NTLM) including SSL client certificates.
• Exclusion Lists – Use blacklists and whitelists to guarantee coverage and prevent the crawler from hitting certain links or areas of the site.
• Performance – User-determined bandwidth level for parallel scanning to control impact on application performance. Smart vulnerability checks skip unnecessary tests.
• Sensitive Content – Search for privacy- or security-related content within the site’s HTML.
• Accurate Vulnerability Tests – Minimizes false positives by profiling the target’s behavior. Uses multiple steps to verify discoveries.
• Site Discovery & Management – Discover web servers across a network. Manage scores of web applications from a unified interface.

Figure 3: Scan Summary results within QualysGuard WAS 2.0

Figure 4: QualysGuard WAS 2.0 – Detailed Scan Results


Operations

QualysGuard WAS 2.0 is delivered as an on demand service fully integrated with the QualysGuard IT security and compliance suite of solutions. QualysGuard is already in use by thousands of customers for vulnerability management and policy compliance. Users can manage web applications, launch scans, and generate reports from an integrated security platform with a unified web interface. QualysGuard WAS scans may be pre-scheduled or executed on demand. The QualysGuard WAS service can be scaled to the largest web applications hosted anywhere in the world. Account rights management allows an organization to centrally control which web applications may be scanned by individual users.

Protect Your Web Applications

The QualysGuard Web Application Scanning service will help your organization immediately begin identifying the most prevalent security vulnerabilities open to criminal exploit. The scanner will be a powerful supplement to existing security efforts such as source code analysis and penetration testing. Those controls remain necessary, but QualysGuard WAS will automate detection testing for the majority of threats, the kinds you read about when data thieves breach confidential information via web applications. In addition to comprehensive testing and accurate detection, QualysGuard WAS is a cost effective and easy-to-use on demand service allowing an administrator to execute scans without any special knowledge of web application security.

If you would like a free trial of QualysGuard WAS, please visit our website and sign up: www.qualys.com.

About Qualys

Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions – delivered as a

service. Qualys’ Software-as-a-Service solutions are deployed in a matter of hours anywhere in the world, providing

customers an immediate and continuous view of their security and compliance postures.

The QualysGuard® service is used today by more than 5,000 organizations in 85 countries, including 47 of the Fortune

Global 100, and performs more than 500 million IP audits per year. Qualys has the largest vulnerability management

deployment in the world at a Fortune Global 50 company, and has been recognized by leading industry analysts for its

market leadership.

Qualys has established strategic agreements with leading managed service providers and consulting organizations

including BT, Etisalat, Fujitsu, IBM, I(TS)2, LAC, NTT, SecureWorks, Symantec, Tata Communications and TELUS. Qualys

is also a founding member of the Cloud Security Alliance (CSA).

For more information, please visit www.qualys.com.

© Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 02/11

www.qualys.com

USA – Qualys, Inc. • 1600 Bridge Parkway, Redwood Shores, CA 94065 • T: 1 (650) 801 6100
UK – Qualys, Ltd. • Beechwood House, 10 Windsor Road, Slough, Berkshire, SL1 2EJ • T: +44 (0) 1753 872100
Germany – Qualys GmbH • München Airport, Terminalstrasse Mitte 18, 85356 München • T: +49 (0) 89 97007 146
France – Qualys Technologies • Maison de la Défense, 7 Place de la Défense, 92400 Courbevoie • T: +33 (0) 1 41 97 35 70
Japan – Qualys Japan K.K. • Pacific Century Place 8F, 1-11-1 Marunouchi, Chiyoda-ku, 100-6208 Tokyo • T: +81 3 6860 8296
United Arab Emirates – Qualys FZE • P.O Box 10559, Ras Al Khaimah, United Arab Emirates • T: +971 7 204 1225
China – Qualys Hong Kong Ltd. • Suite 1901, Tower B, TYG Center, C2 North Rd, East Third Ring Rd, Chaoyang District, Beijing • T: +86 10 84417495