A Practical Guide to Web Application Security

Transcription

1 Mitigating the OWASP Ten Most Critical Web Application Security Problems with s In This Document Introduction 2 The Top 10 Web Application Vulnerabilities and Their Remedies 1: Unvalidated Input 3 2: Broken Access Control 4 3: Broken Account and Session Management 5 4: Cross-site scripting (XSS) Flaws 5 5: Buffer Overflows 6 6: Injection Flaws 6 7: Improper Error Handling 7 8: Insecure Storage 8 9: Denial of Service 9 10: Insecure Configuration Management Check Point Software Technologies Ltd. 1

2 Introduction IT security managers face constantly changing and increasingly more sophisticated challenges. For instance, at one time their concern over Internet security was focused primarily on perimeter network security. But Internet security has long since grown beyond the network perimeter. Fundamental Internet services ( , FTP, HTTP, and Telnet) have been eclipsed by a plethora of dynamic Web applications, servers, and databases that are available 24x7. These represent the infrastructure of the digital economy, making them a very attractive target for hackers. Having grown beyond the network layer, Internet security now encompasses distinct requirements for perimeter, internal, and Web application security. As Web applications become increasingly prevalent, so do the security risks and requirements for comprehensive Web security solutions. The Open Web Application Security Project (OWASP), a group dedicated to helping organizations recognize the security challenges intrinsic to Web applications and Web services, has documented these challenges. The OWASP Ten Most Critical Web Application Security Vulnerabilities: 2004 Update lists vulnerabilities of which every network security manager should be aware. (The document is available at documentation/topten.) The OWASP Top Ten identifies vulnerabilities, or security flaws, to which the majority of successful Internet-based attacks can be traced. The list focuses on vulnerabilities at the code level of applications. Usually, mitigation of such a wide range of vulnerabilities would require the deployment of multiple tools and techniques, often based on different technologies. This paper outlines how to approach each of the OWASP Top Ten Web application vulnerabilities using Check Point intelligent solutions for perimeter, internal, and Web security. An important aspect of the Check Point approach is the ability to offer security without losing connectivity, because blocking an essential service to protect against a specific attack is rarely an acceptable solution. The methods described focus primarily on how Check Point SmartDefense centralized point of control against attacks and Web Intelligence a Web application firewall technology can efficiently and powerfully secure Web applications, before an attack can occur. Web Intelligence enables customers to configure, enforce, and update attack protections for Web servers and applications. Web Intelligence protections are designed specifically for Web-based attacks and compliment the network and application level protections offered by SmartDefense. In addition, information and new attack defenses for Web Intelligence are provided online as part of Check Point s SmartDefense Service. Web Intelligence protects against a range of known attacks, from attacks on the Web server itself to attacks on databases used by Web applications. In addition, Web Intelligence incorporates intelligent security technologies that protect against entire categories of emerging or unknown attacks. Web Intelligence features Check Point s Malicious Code Protector, Streaming Technologies, and Application Intelligence technologies Check Point Software Technologies Ltd. 2

3 The Top 10 Web Application Vulnerabilities and Their Remedies Vulnerability 1: Unvalidated Input Web applications use input from HTTP requests to determine how to respond to them. HTTP information can be encoded in many different ways. Far too often, information from Web requests is not validated before being used by a Web application. Attackers can therefore tamper with any part of an HTTP request including, for example, the URL, query string, or headers to try to bypass the Web application s security mechanisms. This vulnerability impacts most Web applications and Web servers. Most Web applications require some form of user input. In addition, most Web applications are built in a multi-tier architecture, which makes it extremely difficult to predict how user input will be used across all tiers. Attackers can exploit these flaws to attack backend components through a Web application. Two basic approaches are used for validating input. Application Intelligence validates compliance to protocol and application settings. Web Intelligence looks for suspicious patterns within the HTTP request and parameters. Both approaches are used to assure proper parameter validation. The specific attack protections include the following: Web Intelligence validates that the HTTP request and response are valid according to the HTTP RFC SQL and Command Injection Attacks are blocked by looking for keywords. Keywords are traced in form fields either in GET or POST request, inside the URL or the HTTP request body. Keyword lists are preconfigured, and users only need to set the security level on HIGH\MEDIUM\LOW. When a higher security level is used, keywords that are less indicative of an attack are also examined. Web URL blocking is performed using kernel-based streaming technology that allows the user to define specific paths should be blocked. It is also possible to name and block specific HTTP methods. HTTP requests that contain ASCII-only characters are limited and therefore the ability to inject malicious code to request headers as well as form fields is blocked. The following diagram shows different configuration examples. Example configuration: SQL Injection protection 2004 Check Point Software Technologies Ltd. 3

4 Vulnerability 2: Broken Access Control Vulnerability occurs when restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit this flaw to access other users accounts, view sensitive files, or use unauthorized functions. Each Web application has an authorization scheme, whether implicit or explicit. While such schemes appear simple to construct, many have a model that can be easily bypassed. Common problems include directory traversal techniques, default file permmisions, and insecure user IDs. Combined with other Web application-based security methods Web Intelligence provides protection against flows that allow authorized users to gain additional unwarranted access rights. Examples can include the following: Directory traversal protection--ensures the URL path and host are normalized in order to prevent the various methods of directory traversal attacks. Decoding--Ensures URLs are canonized and normalized before enforcement for all encoding types. This process prevents HTTP evasion attacks. Enforcing HTTP protocol validity prevents hacking at the protocol level--for example, using the null character within a URL can easily fool an authorization mechanism that is based on URLs The following diagram shows different configuration examples. Directory Traversal Protection 2004 Check Point Software Technologies Ltd. 4

5 Vulnerability 3: Broken Account and Session Management Account credentials and session tokens that are not properly protected are another type of vulnerability specified by OWASP. Attackers who can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users identities. Authentication is one part of the Web security process, but even solid authentication mechanisms can be undermined by flawed credential management functions. Ensuring consistent and strong authenticaiton security across multiple platforms can be difficult and may not be consistent from Web application to application. There is a need to provide a strong authentication process that is not part of the Web application itself. Managing active sessions requires a strong session identifier that cannot be guessed, hijacked, or captured. Check Point offers several solutions to help a Web application keep user names, passwords, and sessions safe. This solution includes VPN-1 (with integrated FireWall-1 functionality) supports multiple authentication schemes, and password and user-name storage techniques (including LDAP, Windows, Radius, Citrix, SecureId, etc.) that allow for safe encrypted storage of user information. Vulnerability 4: Cross-site Scripting (XSS) Flaws Web applications can be used as a mechanism to transport an attack to an end user s browser. A successful attack can disclose the end user s session token, attack the local machine, or spoof content to fool the user. Developers tend not to be aware of this type of attack and perform no input validation to prevent cross-site scripting. Such vulnerabilities occur when user input is combined in an HTML page sent to another user. By injecting hostile script into the HTML, the attacker can run arbitrary JavaScript code. While browser-scripting language is limited in nature, it does allow full privileges to attack user information. The INSPECT engine, on which SmartDefense and Web Intelligence are based, protects Web applications. If scripting code cannot be injected into the Web application, it cannot harm the end user. This approach is critical because once the code is uploaded to the Web server it is impossible to distinguish from legal scripting code that belongs to the Web application. Web Intelligence gives the administrator three levels of rejecting scripts (High, Medium, Low). The prudent approach is to reject all HTTP requests that contain the < or > characters (Medium Level). However, this approach can block access to pages that contain innocent tags, such as <Title>. An alternative and less strict approach is to reject any occurrence of a request that contains one of the default banned tags (Low Level). At the HIGH security level, the &lt and &gt keywords are also blocked, although they are legal, because some applications commonly misinterpret them. Web Intelligence looks for multiple keywords that can be used for scripting code, both JavaScript commands, events that can trigger scripting engine and HTML attributes and tags Check Point Software Technologies Ltd. 5

6 Vulnerability 5: Buffer Overflows Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and Web application server components. Buffer overruns represent one the hardest programming problems to avoid. It also presents a high risk because with some effort arbitrary code can run on the Web application host machine. Unfortunately, such attacks are very common. Some even include automatic propagation mechanisms that allow an attacker to infect whole networks within minutes. Check Point Web Intelligence allows blocking of known and unknown buffer overflows. The revolutionary, patent-pending Malicious Code Protector in Web Intelligence looks for unknown buffer overflows by actually looking for malicious executables embedded in Web traffic. While detecting unknown buffer overflows is difficult, basic steps can be used to make their use much harder for the attacker. In addition to Malicious Code Protector, both Application Intelligence and Web Intelligence can Detect worm encoding variants Detect cross-protocol worms which propagate through different methods, including file sharing over HTTP Be updated for new worm patterns and classes In addition to the Malicious Code Protector capabilities, Web Intelligence implements pre-emptive attack protection against unknown attacks by Limiting the maximum URL and HTTP headers limits, thus minimizing the chance that executable code can be run if an overflow does occur. Disallowing usage of binary characters in requests to make assembly of executable code much harder for the attacker. Blocking binary characters in Web forms extends this protection to Web applications. Blocking binary characters in Web forms. Vulnerability 6: Injection Flaws Web applications commonly call on and pass parameters to the Web server s operating system and other external applications. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the Web application. Command injection techniques use Web applications that lack proper input validation to attack N-tier applications. For example, passing user supplied arguments unchecked to the command line interpreter allows the user to run commands of his own choice on the Web server. This is a very powerful attack, which is quite common and quite easy for an attacker to detect and exploit. When susceptible operating system commands are issued in application requests, they are blocked by Web Intelligence. Web Intelligence provides the administrator three options for rejecting command injections Check Point Software Technologies Ltd. 6

7 At the HIGH security level setting, requests are blocked when any type of quotes is used in the request. Quotes are usually used to break out of the scope of string concatenation. The MEDIUM level setting is to reject all HTTP requests that contain operating system commands that are distinctive to command injection or non-distinctive words that are found within quotes. The LOW level setting rejects all HTTP requests that contain distinctive operating system commands. Command injection protection has other useful features. Support for multiple requests in the same connection Support during GET & POST form submission Logging of attack attempts Ability to set different configurations for each Web server Vulnerability 7: Improper Error Handling Error messages generated by Web applications can provide useful information to a hacker. By causing and analyzing error messages from a target, including errors generated by a protective security solution, a hacker gains insightful information on the products and technologies used by the installation. This information helps hackers tailor the exploits and attacks that are effective for that installation. Hackers can deny service, cause security mechanisms to fail, or crash the server. Web security systems are designed to block and prevent a hacker from attacking a Web application. However, how a security solution handles the blocked attack can also indicate to a hacker that a particular defense is deployed and even information on the vendor and version being used. This information can be used to attack the Web security solution itself. Web Intelligence addresses error concealment by ensuring that hackers do not receive useful information on attacks blocked by Web Intelligence. By default, Web Intelligence simply blocks connections when an attack is detected, providing no useful information to the attacker. However, in some cases it is useful to inform the user that there is a security violation. This is useful when users call a help desk when a connection is lost. In this case, Web Intelligence can generate either a custom or generic HTML error page to inform the end user of the security violation along with a random ID. This ID number can be checked against logs to determine the reason for the blocked connection. This ensures the concealment of Web Intelligence while providing a support mechanism for an IT staff Check Point Software Technologies Ltd. 7

8 Custom HTML Error Page Vulnerability 8: Insecure Storage Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection. Developers who are not trained in cryptographic programming are likely to make serious mistakes in the implementation of encryption functionality in Web applications. Such mistakes include Insecure storage of keys, certificates, and passwords Poor sources of randomness Attempting to invent a new encryption algorithm Failure to include support for encryption key changes and other required maintenance procedures Check Point has a long tradition of expertise and innovation in the field of cryptography. Its products include built-in support for protocols such as DES, DES3, AES, IPSEC, SSL, TLS, etc. Check Point products also provide the highest level of security and management capabilities for encryption functions, so that the burden of implementation cryptographic functionality is shifted from the Web application developer to Check Point. For Web applications the following solutions are available: The use of clientless VPN allows SSL termination of Web applications. Use of IPSEC VPNs allows excellent protection of communication which is transparent to Web applications Check Point Software Technologies Ltd. 8

9 Vulnerability 9: Denial of Service Attackers can consume Web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail. Web applications are particularly susceptible to application-based denial of service (DoS) attacks. Such attacks can be launched by simply opening too many requests. A single host can generate enough requests to consume all available resources from the Web and application server. It is very difficult for the Web server to distinguish between a legitimate request and an attack. Using the same foundations and methodologies of NG with Application Intelligence, Web Intelligence verifies that a request is not malformed. This prevents most of the known HTTP attacks. In addition, due to the integration with SmartDefense, network-based attacks are easily mitigated. Using FloodGate Check Point s policy-based management solution--one can limit the throughput and bandwidth consumption of a specific URL and even put a quota on the amount of network sessions from a specific host, excluding known hosts. Vulnerability 10: Insecure Configuration Management Having a strong server configuration standard is critical to a secure Web application. Servers can have many configuration options that affect security and are not secure out-of-the-box. Configuring a modern Web application server and keeping it up-to-date with security patches can be a difficult task. This task is usually performed by Web developers whose main concern is application up-time. Multiple vulnerabilities can stem from improper configurations, under-used features that are enabled, sample files and executables left untouched, and unpatched server software. Check Points Solutions SmartDefense Header Cloaking allows administrators to hide the identity of the Web server from automatic scripts running across the Internet looking for vulnerable Web servers. While a dedicated hacker who targets your application can still identify the Web server type, most attacks come from script kiddies or worms that run automated scripting. Header Cloaking can easily fool many of these tools. The worm-catching capabilities in Check Point products ensure that even if your Web servers are not current with all patches, you are still protected from known worms. The SmartDefense Service ensures that your arsenal remains up-do-date with new patterns and defenses. Conclusion The vulnerabilities described by the OWASP Top Ten form the basis for most Internet-based attack exploits. Safeguarding against all 10 vulnerabilities goes a long way in protecting your network and data from malicious hackers. Check Point, by providing the products and tools necessary to defend against all 10 vulnerabilities, creates an comprehensive, easy-to-use, and easy-toadminister security solution for our customers. Note: Check Point solutions provide protection against additional attacks that are beyond the scope of the OWASP Top 10 (e.g., SYN floods, fragmentation attacks, DDoS, etc.), and therefore are not detailed in this paper Check Point Software Technologies Ltd. 9

10 About Check Point Software Technologies Check Point Software Technologies ( is the worldwide leader in securing the Internet. It is the confirmed market leader of both the worldwide VPN and firewall markets. Through its Next Generation product line, the company delivers a broad range ofintelligentperimeter, Internal and Web security solutions that protect business communications and resources for corporate networks and applications, remote employees, branch offices and partner extranets. The company s Zone Labs ( division is one of the most trusted brands in Internet security, creating awardwinning endpoint security solutions that protect millions of PCs from hackers, spyware and data theft. Extending the power of the Check Point solution is its Open Platform for Security (OPSEC), the industry s framework and alliance for integration and interoperability with best-of-breed solutions from over 350 leading companies. Check Point solutions are sold, integrated and serviced by a network of more than 2,300 Check Point partners in 92 countries. CHECK POINT OFFICES: International Headquarters: 3A Jabotinsky Street, 24th Floor Ramat Gan 52520, Israel Tel: Fax: info@checkpoint.com U.S. Headquarters: 800 Bridge Parkway Redwood City, CA Tel: ; Fax: URL: Check Point Software Technologies Ltd. All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, ClusterXL, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, INSPECT, INSPECT XL, InterSpect, IQ Engine, Open Security Extension, OPSEC, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecurRemote, SecurServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, Web Intelligence, TrueVector, ZoneAlarm, Zone Alarm Pro, Zone Labs, the Zone Labs logo, AlertAdvisor, Cooperative Enforcement, IMsecure, Policy Lifecycle Management, Zone Labs Integrity and Smarter Security are trade-marks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726 and 6,496,935 and may be protected by other U.S. Patents, foreign patents, or pending applications. June XX, 2004 PN: Check Point Software Technologies Ltd. 10