In response to the article in Capital: “hack a website, too easy!”
by julloa on Sep.10, 2009, under Uncategorized
What are the exploited vulnerabilities?
3 types of vulnerabilities have been exploited:
- related to technical failures (SQL injection, Cross Site Scripting)
- related to organizational failures (the administration pages of the web sites could be accessed)
- related to lapses in application logic.
How to protect against these vulnerabilities?
In the first case (SQL injection, Cross Site Scripting, …), because these attacks rely on computer languages (SQL, JavaScript), they are fairly easy to recognize and can be blocked by a Web application firewall (WAF). It is recommended to use a WAF capable of a balanced approach (such as Deny All’s Scoring List) to recognize these attacks. Indeed, WAFs that rely on a simple “black list” are either not effective enough against these attacks or too often block legitimate traffic (which is unacceptable).
In the second case, it was possible to access the administration interface because it was not sufficiently secured. Again, a WAF would have been very useful because it can raise the level of authentication. For example, it can ensure that administrators reach the administration interface only after strong authentication (client certificate, RSA SecurID, Vasco, ActivCard, …), which protects against attacks that consist of guessing a password.
In the third case, the exploited vulnerabilities were related to problems of application logic. Here, traditional defense mechanisms are often ineffective. Indeed, the vulnerability is not exploited through an attack vector such as code injection (which is identifiable), but for example by modifying a parameter in a URL. It is possible to limit these risks through the positive security model of a WAF (white list: whatever is not expressly allowed is rejected).
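To make the positive security model concrete, here is an added example (not code from the original post or from any WAF vendor) of a minimal white-list request filter: every path, parameter name, value pattern and numeric range is declared explicitly, and anything not declared is rejected by default. The endpoint names and constraints are constructed for the demonstration.

```python
# Added example: a minimal positive-security-model ("white list") request
# filter of the kind a WAF applies in front of the application. Everything
# that is not expressly declared in POLICY is rejected (default deny).
# The endpoints and constraints below are constructed for this demo.
import re
from urllib.parse import urlsplit, parse_qsl

# Allow-list: one entry per endpoint, one constraint per permitted parameter.
# A constraint is (compiled regex over the decoded value, optional numeric range).
POLICY = {
    "/article.php": {
        "id": (re.compile(r"[0-9]{1,6}"), (1, 999999)),
        "lang": (re.compile(r"fr|en"), None),
    },
    "/search.php": {
        "q": (re.compile(r"[\w\s\-]{1,64}"), None),
    },
}
# Note: the administration path is deliberately absent from POLICY, so the
# filter rejects it before the application's own login page is even reached.


def check_request(url):
    """Return (True, 'ok') if every part of the request is expressly allowed,
    else (False, reason). Unknown paths, unknown parameters, repeated
    parameters and out-of-spec values are all rejected."""
    parts = urlsplit(url)
    rules = POLICY.get(parts.path)
    if rules is None:
        return False, "path not in policy: %s" % parts.path
    seen = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in seen:  # parameter pollution: the same name sent twice
            return False, "duplicate parameter: %s" % name
        seen.add(name)
        rule = rules.get(name)
        if rule is None:  # e.g. a tampered URL adding an undeclared parameter
            return False, "parameter not in policy: %s" % name
        pattern, num_range = rule
        # fullmatch anchors both ends, so trailing data cannot slip past the regex
        if not pattern.fullmatch(value):
            return False, "value of %s does not match allowed pattern" % name
        if num_range is not None:
            lo, hi = num_range
            if not lo <= int(value) <= hi:  # int() is safe: pattern is digits only
                return False, "value of %s out of range" % name
    return True, "ok"
```

A real deployment would also constrain the HTTP method, headers and body in the same way; the point is that a logic flaw reached through an unexpected parameter or value is stopped without any signature for it.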
The article reports the response times of various entities. How can one react quickly once a vulnerability has been detected?
Some WAFs can apply a virtual patch without any modification to the web application. This makes it possible to address the detected vulnerability immediately, giving the development teams time to correct the problem in depth while keeping the site online.
Moral of the story?
In the best of worlds, these vulnerabilities could not be exploited because security would have been taken into account from the design of the Web application and throughout its life cycle (development, operations). But it is difficult to address these security aspects during development. We asked developers to focus their efforts on functionality and not on security. Moreover, one very often has no control at all over the development of the web application. For these reasons, and because Web attacks are very attractive for hackers (simple to carry out, with a very high ROI), a WAF is now an essential component of Web infrastructures.