Agenda 網 站 安 全 威 脅 及 保 護 應 用 介 紹 2009/3/24. 林 立 棕, David Lin. Security for HTML Applications. Demo - HTML Application Attacks

Transcription

1 網 站 安 全 威 脅 及 保 護 應 用 介 紹 林 立 棕, David Lin Agenda Security for HTML Applications Demo - HTML Application Attacks Security for XML Applications Citrix Application Firewall 2 1

2 The Application-layer Threat DATA Financial Records Credit Card #s Social Security #s Customer Records Web App Users Internet Network Firewalls Web Apps Employee Data Healthcare Records Web threat is growing 90% increase in reported web attacks last year 82% of web vulnerabilities ranked easy to exploit Regulatory compliance drives increasingly data security 3 Web Attacks Reported Major Web sites hit with growing Web attack Washington Post A blossoming Web attack has expanded to hit over a million Web pages, including many wellknown sites USAToday.com, Target.com & Walmart.com have been hit. PC World, Saturday, March 29, 2008; 12:19 AM Hack into Obama campaign site exploited a coding flaw Associated Press, April 23,

3 The Web Application Threat Most targeted hacker activity today, however, focuses on customized web apps which are extremely hard to write securely Traditional methods do nothing to stop these attacks since you cannot write patches or signatures for customized code These threats are far more dangerous because they give untraceable access to data (financial, identity, credit cards, etc) 75% of targeted attacks now target web applications Customized Web Applications Customized Packaged Apps Internally Developed Web Applications DATA Worms Viruses Network Attacks Network Firewalls IPS and Anti Virus Web Servers OS App Servers Packaged Apps OS Network Database Servers OS 5 Traditional Network Security Traditional network security is focused on stopping automated attacks such as worms and viruses at the network perimeter The goal of these attacks is to disrupt by exploiting known vulnerabilities in known systems Traditional security products stop these attacks by creating new signatures each time a new hole is discovered Network Firewal ls IPS and Anti Viru us!! Worms Viruses Network Attacks Web Servers OS Application Servers and Packaged Apps OS Network Database Servers OS 3

4 Fixing the Code For Every Application Change Every 1000 lines of code averages 15 critical security defects US Department of Defense The average security defect takes 75 minutes to diagnose and 6 hours fix 3 year Pentagon study The average business application has 150,000 to 250,000 lines of code Software Magazine Develop Deliver Secure Develop Secure Deliver Just To Resolve Security Defects: 15*1.25hrs*150k/40 = 70 weeks 15*6hrs*250k/40 = 560 weeks Publication Dilemma: Logic Complete or Application Secure? 7 Constant Re-engineering Not Viable You may not be able to fix some code You do not own some of the code you run Legacy applications have been webified Application security skills vary across developers Skill sets, personnel allocation, human error Fixing the Code addresses issues in current snapshot of application Application change can introduce new security defects It only takes one It only takes one security defect 8 4

5 NetScaler Application Firewall Application Attacks Blocked Legitimate traffic allowed through Web App Users Internet Network Firewalls Citrix NetScaler Application Infrastructure No attack signature databases to maintain Protects application and application logic Real-time protection for known and unknown attacks 9 Vulnerable Websites Copyright WASC, White Hat Security 10 5

6 Cross-site Scripting (XSS) Attacks Attacking trust relationships 3 Script captures credential info and sends to hacker 1 Hacker posts <malicious script> to vulnerable Web application 2 Innocent user downloads script and executes Cross-Site Scripting: Inserting a malicious script that compromises the trust relationship between a user and a Web application, resulting in sending an attacker confidential information that can be used to steal that user s identity. 11 SQL Injection Attacks Accessing databases via Web applications SQL Injection Attack ks' or 1=1 SQL Injection Attacks: Sending SQL commands to a Web application that when passed to databases execute and allow hacker to gain access or change customer and sensitive information. 12 6

7 HTML Form Field Protection Protect applications by blocking malicious and illegal input parameters Application sends form to client Client completes and returns form For each user session AppFw ensures that: 1. Each field is returned 2. No fields were added by client 3. Read-only and hidden fields are unaltered 4. Data in drop-down list or radio button field conforms 5. Max length of form fields is adhered to 13 Cookie Poisoning Defenses Prevent identity theft and session hijacking Web server sends client cookie Client returns cookie to server Application Firewall verifies that cookies have not been modified by client 14 7

8 Forceful Browsing Brute-force penetration of the infrastructure Paris Hilton's Sidekick hacked I got hacked hacker Nicolas Jacobsen pled guilty to a single charge of intentionally accessing a protected computer and recklessly causing damage. Jacobsen was arrested by US authorities last October, but had had access to T-Mobile Mobile's servers for more than a year. He reportedly amused himself by accessing US Secret Service , and raiding other Sidekick users' accounts. The Register, Feb 21, 2005 Forceful Browsing Attack Manipulating request URLs to gain access to content you are not entitled to see. 15 Business Object Protection Modules Prevent the inadvertent disclosure of customer or corporate data Server: Msg 547, Level 16, State 1, Procedure error_demo_sp, Line 2 UPDATE statement conflicted with COLUMN FOREIGN KEY constraint 'fk7_acc_cur'. The conflict occurred in database 'bos_sommar', table 'currencies', column 'curcode'. The statement has been terminated. Mastercard Mastercard VISA VISA Financial Theft Prevention Credit Card Numbers Configurable Protections Customer-defined Data Objects 16 8

9 Data Flow Process NetScaler EXTERNAL 1. Client Request Start URLs XSS SQL Injection Field Consistency Buffer Overflow 2. Request Inspections 3. Client Request INTERNAL Database 6. Server Response 5. Response Inspections 4. Server Response Web Applications Credit Cards SAFE Object 17 Demo - Prevent Web Application Attacks with Application Firewall 9

10 Application Attack Demonstration These Attacks Are Illegal To avoid going to jail never run these attacks: Against any web site without written permission by a corporate officer Across a corporate network Across a public network 19 Security for XML Applications 10

11 Applications Are Evolving Web SOA Architecture Monolithic/Silo-ed (Web 1.0) Limited data sharing between applications Static web pages Internet enabled Challenges with Scalability, Security, Visibility, Control Collaborative (Web 2.0 and SOA) Distributed, componentized with app-toapp communication and data sharing Rich Interactive UI (AJAX, AIR, Silverlight, JS) Web Services or XML interface Significantly greater challenges with Scalability, Security, Visibility and Control 21 A Look At New Applications RSS Well architected / Controlled Middleware & Service Oriented Developer-led, Uncontrolled Web Oriented (RESTstyle) All of these applications are being utilized simultaneously and are built on XML! 22 11

12 Web Services Explained in 60 Seconds! Repai r Statu s Acco unt Info Telco Credit Card Tx XML Web Services Identity Directory Web service = Open API Protocol to communicate = XML (SOAP) over HTTP (inside XML, itself inside HTTP/S) Protocol to describe app calls/params = WSDL 23 XML 101 HTML = a set of tags to format data (eg: bold <b>, tables <td><tr>, colors <font>, etc.) entirely focused on formatting rather than data XML = focuses on content rather than format. XML does not have any predefined d tags. No such thing as <b>, <h1> etc. HTML <pre> <h1>customer</h1> <h2>title</h2>mr. <h2>name</h2> John Doe <h2>address</h2> 123 ABC Street Anytown Ca XML <customer> <name> <title>mr.</title> <first-name>john</first-name> <last-name>doe</last-name> </name> <street>123 ABC Street</street> <city>anytown</city> <state>ca</state> <zipcode>95134</zipcode> </customer> 24 12

13 XML Security Integrated Into Application Firewall XML Security Module integrated into Application Firewall New profile types for XML and Web XML Security Checks XML Security Threat Protection Content Validation Data Leak Prevention Reporting and Monitoring Secures all flavors of XML Applications (not just SOAP) Security for XML, HTML and Web 2.0 applications Block, Log and Statistics can be enabled for all checks

14 Successful Web Application Delivery B2 C B2B P2P Availabili ty World-class L4-L7 load balancing Intelligent service health monitoring Performa nce Caching Compression Offload Connection pooling SSL processing Security Access Gateway SSL VPN Application firewall 27 Maximizes Application Availability Site A B2 C B2B Site B P2P 28 14

15 Reduce Servers by 60% Before NetScaler After NetScaler Fewer Servers. More Apps. 29 Customer Server Offload Attained Other Benefits dremate 50% Improved response time by 110% 40% savings on mgmt. costs LiveNation 50% Capacity to support 100X traffic spikes SINA 66% Significant decreases in application latency and mgmt. costs Transport for London 95% 10X improvement in application performance 60% reduction in application latency Userplane 87% Estimated $390K savings in capital investment 30 15

16 AppExpert Service Callouts Integrates external app logic in realtime Reputation Makes the network Identity more responsive to Management change Reduces frequency of NetScaler change mngt. Enables admins to treat invoked logic Invoke as "black external box" functionality from within NetScaler Policies Formatting/ Transformation 31 Extensible and Easy to Deploy High Performance 15 Gbps Single pass packet processing Feature concurrency and scalability Extensible Highly customizable Easily add new modules via software Rapid innovation Manageable Unified management interface Visual policy engine Rich reporting tools Unified Management and Reporting AppExpert Visual Policy Builder Administrat ion NetScaler Functional Modules High Performance Packet Processing and Policy Evaluation Engine Application Networking Platform 32 16

17 Simplify Web Application Delivery Eliminate application downtime Increase performance by 5x Block 100% of web attacks Improve web server utilization by 60% Address Web 2.0 and other emerging challenges 33 Q & A 17