In response to the article in Capital: “hack a website, too easy!”
by julloa on Sept. 10, 2009, under Uncategorized
What vulnerabilities were exploited?
Three types of vulnerabilities were exploited:
- technical flaws (SQL injection, Cross Site Scripting);
- organizational flaws (the administration pages of the web sites could be reached);
- flaws in the application logic.
How to protect against these vulnerabilities?
In the first case (SQL injection, Cross Site Scripting, …), the attacks rely on computer languages (SQL, JavaScript), so they are fairly easy to recognize and can be blocked by a Web application firewall (WAF). It is recommended to use a WAF capable of a balanced approach (such as Deny All’s Scoring List) to recognize these attacks. WAFs that rely on a simple “black list” are either not effective enough against these attacks or, too often, block legitimate traffic (which is unacceptable).
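To make the difference between a plain black list and a scoring approach concrete, here is an added Python example (not code from the original post, and not Deny All’s actual rule set; the weights, the threshold and the four sample requests are all constructed for the illustration). The black list blocks on any single keyword, so ordinary search text containing “select” is rejected while a quoted boolean injection slips through; the scoring list adds weights for several indicators and blocks only when the total reaches a threshold.

```python
import re
from urllib.parse import parse_qs, urlparse

# Simple black list: a request is blocked as soon as one of these strings
# appears anywhere in a parameter value (constructed list).
BLACKLIST = ("select", "union", "<script", "or 1=1")

# Weighted indicators for the scoring approach (constructed weights). Each
# indicator that matches adds its weight; the request is blocked only when the
# total reaches THRESHOLD, so one SQL keyword in ordinary text is not enough.
INDICATORS = (
    (re.compile(r"\bunion\s+(all\s+)?select\b", re.I), 5),
    (re.compile(r"'\s*(or|and)\s*'?\w+'?\s*=\s*'?\w+", re.I), 5),  # quoted boolean, e.g. ' or '1'='1
    (re.compile(r"--|/\*", re.I), 2),                              # SQL comment sequences
    (re.compile(r"\bselect\b", re.I), 1),                          # keyword alone is weak evidence
    (re.compile(r"<\s*script\b", re.I), 5),
    (re.compile(r"\bon\w+\s*=", re.I), 3),                          # onerror=, onload=, ...
    (re.compile(r"javascript\s*:", re.I), 4),
)
THRESHOLD = 5


def parameter_values(url):
    """Decoded values of every query parameter of a request URL."""
    query = urlparse(url).query
    return [v for values in parse_qs(query, keep_blank_values=True).values() for v in values]


def blacklist_decision(url):
    """Block if any black-listed string occurs in any parameter value."""
    for value in parameter_values(url):
        lowered = value.lower()
        if any(token in lowered for token in BLACKLIST):
            return "block"
    return "allow"


def score_request(url):
    """Sum of the weights of all indicators matching any parameter value."""
    return sum(weight for value in parameter_values(url)
               for rx, weight in INDICATORS if rx.search(value))


def scoring_decision(url):
    """Block only when the accumulated score reaches the threshold."""
    return "block" if score_request(url) >= THRESHOLD else "allow"


# Constructed sample requests: two legitimate, two hostile.
SAMPLES = (
    "/search?q=select+a+size+and+color",
    "/news?title=Hacker+Union+selects+new+board",
    "/item?id=1'+or+'1'='1",
    "/comment?text=<script>alert(1)</script>",
)

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:45} black list: {blacklist_decision(url):5}  "
              f"scoring: {scoring_decision(url):5} (score {score_request(url)})")
```

Running the block shows the two failure modes the post describes: the black list rejects both legitimate requests (false positives) yet allows the quoted injection, while the scoring approach lets the legitimate text through and blocks both hostile requests.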
In the second case, it was possible to reach the administration interface because it was not sufficiently secured. Again, a WAF would have been very useful, because it can raise the level of authentication. For example, it can require administrators to pass a strong authentication (client certificate, RSA SecurID, Vasco, ActivCard, …) before reaching the administration interface, which protects against attacks that consist in guessing a password.
In the third case, the vulnerabilities exploited were logic problems. Here, the traditional defense mechanisms are often ineffective: the vulnerability is not exploited through an attack vector such as code injection (which is identifiable), but for example by modifying a parameter in a URL. The risk can be limited through the positive security model of a WAF (white list: whatever is not expressly allowed is rejected).
The article reports the response times of the various entities. How can one react quickly when a vulnerability has been detected?
Some WAFs can implement a virtual patch without modifying the web application. This addresses the detected vulnerability immediately and keeps the site online, giving the development teams time to correct the problem properly.
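The positive security model described for the third case, together with the virtual patch just mentioned, as an added Python example (not code from the original post or from any WAF product): a per-path white list of parameter names and value formats, plus a list of rules that can be extended at the WAF while the application itself is being fixed. The shop paths, the `price` tampering request (the “change the price of a product” impact described in the Why a WAF post below) and the `TEST100` coupon scenario are all constructed for this illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

# Positive security model (white list): for each protected path, the parameter
# names the application expects and the exact format each value must have.
# Anything not expressly allowed is rejected. Constructed policy for a
# hypothetical shop application.
POLICY = {
    "/product": {
        "id": re.compile(r"[1-9]\d{0,5}"),
    },
    "/checkout": {
        "product_id": re.compile(r"[1-9]\d{0,5}"),
        "qty": re.compile(r"[1-9]\d{0,2}"),
        "coupon": re.compile(r"[A-Z0-9]{4,12}"),
    },
}

# Virtual patches: rules added at the WAF without touching the application.
# Each entry is (path, predicate over the parsed parameters, reason).
VIRTUAL_PATCHES = []


def add_virtual_patch(path, predicate, reason):
    """Register a rule that blocks requests to `path` when `predicate` holds."""
    VIRTUAL_PATCHES.append((path, predicate, reason))


def check_request(url):
    """Return ("allow", "") or ("block", reason) for one request URL."""
    parsed = urlparse(url)
    allowed = POLICY.get(parsed.path)
    if allowed is None:
        return "block", f"path {parsed.path} is not in the policy"
    params = parse_qs(parsed.query, keep_blank_values=True)
    for name, values in params.items():
        rule = allowed.get(name)
        if rule is None:
            # A parameter the application never advertised (e.g. a hidden
            # price field) is exactly what the positive model catches.
            return "block", f"unexpected parameter {name!r}"
        for value in values:
            if not rule.fullmatch(value):
                return "block", f"parameter {name!r} has a value outside the expected format"
    for path, predicate, reason in VIRTUAL_PATCHES:
        if path == parsed.path and predicate(params):
            return "block", f"virtual patch: {reason}"
    return "allow", ""


if __name__ == "__main__":
    requests = [
        "/checkout?product_id=42&qty=2",            # normal purchase
        "/checkout?product_id=42&qty=2&price=1",    # tampering: price is not a client parameter
        "/product?id=42'",                          # injection attempt fails the value format
        "/checkout?product_id=42&qty=1&coupon=TEST100",
    ]
    for url in requests:
        print(f"{url:48} -> {check_request(url)}")

    # Constructed scenario: the team reports that a leftover test coupon
    # misbehaves; the WAF blocks it until the application is corrected.
    add_virtual_patch("/checkout",
                      lambda p: p.get("coupon") == ["TEST100"],
                      "coupon TEST100 disabled pending application fix")
    print("after virtual patch:", check_request(requests[-1]))
```

Note that the injection attempt in the third request is rejected without any attack signature: the value simply does not match the declared format, which is why the positive model also covers logic flaws that carry no recognizable payload.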
Moral of the story?
In the best of worlds, these vulnerabilities could not be exploited, because security would have been taken into account from the design of the Web application and throughout its life cycle (development, operations). But it is difficult to sustain these security aspects during development: developers are asked to focus their efforts on functionality rather than security. Moreover, very often one has no control at all over the development of the web application. For these reasons, and because Web attacks are very attractive to hackers (simple to carry out and very high ROI), a WAF is now an essential component of Web infrastructures.
Why a WAF
by admin on Sept. 01, 2009, under WAF
What is a WAF?
A WAF (Web Application Firewall) is software or an application placed between the network firewall and the Web server. Its main goal is to protect against attacks such as SQL injection, Cross Site Scripting, code injection, Remote File Inclusion, …
I already have a network firewall. Do I need a WAF?
The network firewall is in charge of the source and the destination (IP address and port); the WAF is in charge of the content. Compare it with a border checkpoint: first your passport is checked (this step corresponds to the network firewall’s function), then you are searched (this step corresponds to the WAF’s function). Both actions are complementary and mandatory.
Why is a WAF now mandatory in a Web infrastructure?
According to a Gartner study, 75% of attacks target the application layer and 2/3 of Web applications are vulnerable. Web applications are naturally exposed to attack: attacks are very easy to perform compared with network attacks, and the ROI is very high for hackers, which makes Web attacks very attractive to them. So it is very important to put in place a WAF that will protect against Web attacks.
Easy to attack and high ROI for hackers
Web attacks: what are the targets and what are the impacts?
- The user: in most cases Web attacks target the user in order to steal the user’s session cookie. As soon as a hacker gets the session cookie, the attacker can perform any action on the Web application that the user could.
- The Web server: the most frequent impacts are:
  - content modification: the impact of modifying a site varies depending on how sensitive the company’s image is;
  - adding illicit files (pornographic content, malware, …), or adding files to conduct a phishing attack;
  - access to documents that are not normally accessible via the Web server;
  - remote control of the Web server (command injection);
  - denial of service: for example, recently a hacker could perform an HTTP DoS with a small Perl script (Slowloris).
- The application: here the goal is to make the Web application behave differently than expected, for example to change the price of a product.
- The database: databases are the hackers’ favourite targets; the Web server is used as a tool to reach the data. The impacts range from theft to deletion or alteration of data. Unfortunately, many data thefts go completely unnoticed because the data is still in place on the server after the “intrusion”.
- Web services: they are not immune from attacks. Increasingly deployed, their strong interaction with databases makes them a prime target.
What other security aspects can be handled by the Web application firewall?
The application firewall sits upstream of the Web applications it protects, so it is natural to ask it to perform authentication. This is particularly useful when you want to make a Web application securely available on the Internet. The Web application firewall can also virtualize the Web infrastructure (it can expose Web server names different from those used internally). In addition, a web application firewall easily makes internal web applications available on the Internet (there is no need to move the web server to a specific network zone). The WAF can also be used to provide evidence of intrusion attempts: all requests are logged, whereas Web servers do not record all the elements, in particular headers and posted data.
Security of the Web application is taken into account during development. Do I still need a WAF?
Providing security throughout the application’s lifecycle requires total control throughout development: security aspects must be taken into account from the design phase, throughout development and in operations. Often the level of control at these different stages is insufficient to obtain the necessary level of security. These methods must therefore be complemented by a Web application firewall to reduce the exposure to vulnerabilities. In addition, the WAF is a remedy against attacks that target the web server itself (IIS or Apache vulnerabilities such as directory traversal, denials of service such as Slowloris). Web application firewalls and methods that address application security during the development phases are complementary.
Does the Web application firewall do anything apart from security?
Yes, the application firewall helps accelerate web traffic, especially when Web servers become overloaded: much of the work previously done by the Web server (serving static pages, handling the encryption) is taken over by the application firewall, so the web server has more resources to handle dynamic pages. The Web application firewall can also distribute the load across several web servers and ensure their high availability, which avoids implementing complex high-availability mechanisms and dispenses with a load balancer downstream.
WAF and WAF
by admin on April 28, 2009, under WAF
Do not confuse WAF (Web Application Firewall) with WAF (Women Acceptance Factor).
Do Web application firewalls have a good Women Acceptance Factor?
According to this link, WAF is also “We Are the Future”!
How XSS/CSRF attacks can be mitigated
by admin on April 22, 2009, under attacks, csrf, xss
What are XSS / CSRF attacks?
These attacks target the user. The goal is to force the user’s browser to send requests to the web server exactly as the user would.
How is this attack performed?
XSS / CSRF attacks are generally performed in 4 phases:
Phase 1: Injection
During this phase the hacker injects HTML, CSS or JavaScript into the vulnerable web site.
Phase 2: Code retrieval
The user downloads a JavaScript file hosted on another web site (this phase is not mandatory, but it is more comfortable for the hacker, who would otherwise have to send the entire payload during the injection phase).
Phases 3 and 4: Code execution
During these phases, the browser executes the code. Usually the first step retrieves the session cookie, and the second sends a forged request to the web site. The Web server grants the request because of the session cookie.

How to mitigate this kind of attack?
It is possible on the server side and/or on the client side.
On the server side:
- Take security into consideration during development. Basically, controlling all user input is a good idea.
- To prevent the session cookie from being accessible from JavaScript, use the HttpOnly flag.
- Use a Web Application Firewall to prevent code injection.
On the client side:
- I strongly recommend using NoScript on Firefox. This add-on allows JavaScript to execute only when you need it.
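The two server-side measures above (controlling user input and the HttpOnly flag) as an added Python example, not code from the original post. The anti-CSRF token bound to the session is also my addition: it is the usual server-side check against the forged request of phases 3 and 4, since the browser attaches the session cookie to that request but cannot supply a token it never received. The cookie name `sid`, the secret and the session id are constructed values.

```python
import hashlib
import hmac
import html
from http.cookies import SimpleCookie

# Constructed server-side secret for the token example; a real deployment
# loads it from configuration, never from source.
CSRF_SECRET = b"constructed-example-secret"


def session_cookie_header(session_id):
    """Build the Set-Cookie value for the session cookie.

    HttpOnly keeps document.cookie from reading it, so script injected by an
    XSS cannot retrieve it (the first step of phase 3 above). Secure and
    SameSite are additional hardening flags, not from the original post.
    """
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True      # only sent over HTTPS
    cookie["sid"]["samesite"] = "Lax"   # not attached to most cross-site requests
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def render_comment(author, text):
    """Control user input before it reaches the page: every user-supplied value
    is HTML-escaped, so injected markup or script is displayed as text
    instead of being executed by the browser (blocks phase 1)."""
    return '<div class="comment"><b>{}</b>: {}</div>'.format(
        html.escape(author, quote=True), html.escape(text, quote=True))


def csrf_token(session_id):
    """Token bound to the session, embedded in forms as a hidden field."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id, submitted_token):
    """A forged request carries the cookie (the browser adds it) but not a
    valid token, so the server refuses to act on it (blocks phase 4)."""
    return hmac.compare_digest(csrf_token(session_id), submitted_token or "")


if __name__ == "__main__":
    sid = "constructed-session-id"
    print(session_cookie_header(sid))
    print(render_comment("mallory", "<script>alert(1)</script>"))
    print("genuine form:", verify_csrf(sid, csrf_token(sid)))
    print("forged request without token:", verify_csrf(sid, ""))
```

The `render_comment` escaping is the output side of “controlling all user input”; validating the input format on arrival (as a positive security model does) and escaping it when it is written into the page are complementary, and the WAF in front of the application adds a third, independent layer.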
Twitter users victim of a worm
by admin on April 22, 2009, under Uncategorized
