Contemporary Web Application Attacks Ivan Pang Senior Consultant Edvance Limited
Agenda
- How do web application attacks impact your business?
- What are the common attacks?
- What is a Web Application Firewall (WAF)?
- How can we select the right WAF?
Edvance Confidential 2
How web application attacks impact your business
What are the attackers going to do?
- Discover any valuable information: credit card information, personal information, corporate financial information
- Online service interruption: denial of service
- Damage to corporate image
- Looking for web servers from which to launch further attacks

How do attackers launch attacks?
The threat is evolving:
- Well funded
- Well organized
- Sophisticated
Automated attacks are the new frontier:
- Large scale
- Shifting locations
- Shifting techniques
Source: IBM Internet Security Systems, X-Force 2009 Mid-Year Trend and Risk Report
What are the common attacks?
Top 10 common attacks on web applications (according to OWASP Top 10 2010 rc1): http://www.owasp.org/index.php/top_10

How bad can the damage be? TYPICAL WEB ATTACK DEMO

Attack step one: Understand the web server and database
Try to capture other cookie information: Cross-site Scripting (XSS)
Bypass login authentication: SQL Injection
Extract the data you want: SQL Injection
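As an added example that is not part of the presentation's demo, this reproduces the login bypass behind the "Bypass login authentication: SQL Injection" slides from a defender's side: a login check that concatenates user input into the SQL text, next to its parameterised fix, run against a constructed in-memory SQLite users table. The table contents, the password hashing shortcut and the function names are assumptions made for the example.

```python
import hashlib
import sqlite3

# Constructed sample data: a minimal users table behind a login form.
USERS = [("admin", "S3cret!pass"), ("alice", "wonderland")]


def _hash(password: str) -> str:
    # Simplified for the demo; a real system uses a salted, slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, _hash(p)) for u, p in USERS])
    return conn


def vulnerable_login(conn, username, password):
    # Vulnerable: user input is pasted into the SQL text, so a quote in the
    # username changes the statement the database actually runs.
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND pw_hash = '%s'" % (username, _hash(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    # Hardened: placeholders send the values separately from the query text,
    # so the input can only ever be compared, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    row = conn.execute(sql, (username, _hash(password))).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    # A closing quote followed by an SQL comment marker truncates the
    # password check in the vulnerable query; to the parameterised query
    # the same string is just a username that does not exist.
    payload = "admin' --"
    return {
        "vulnerable": vulnerable_login(conn, payload, "wrong"),
        "safe": safe_login(conn, payload, "wrong"),
        "legit": safe_login(conn, "alice", "wonderland"),
    }
```

Running `demo()` shows the vulnerable check returning "admin" without the password while the parameterised check returns nothing for the same input; a WAF can catch such requests in transit, but the fix belongs in the query code.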
Shut down the database server
Why a Web Application Firewall?
Web Application Firewalls alone detect attacks against applications!
- Traditional firewalls only detect network attacks: they inspect only IP addresses and port/service numbers
- IDS products only detect known signatures: no application understanding, high rate of false positives/negatives; no user/session tracking; no protection of SSL traffic
Layers covered:
- Data: Application (OSI Layer 7+)
- Protocol: Network protocols (OSI Layers 4-6)
- Network: Network access (OSI Layers 1-3)

How to choose the right Web Application Firewall: WAF SELECTION CRITERIA

How to choose the right WAF?
- Throughput and latency
- Ease of use
- Reporting
- Depth of protection
- False positives and negatives
- Price
Common WAF requirements of customers
Security:
- SQLi, Cross-Site Scripting, Cross-Site Request Forgery, etc. mitigation; signatures alone are not enough
- False positive correction with minimal security impact
- Detailed alert/violation forensics
- Anonymous proxy and botnet awareness
- Automated vulnerability scanner integration
- Tracking of the web username
- Automatic security updates
Management/Reporting:
- Central management of policies, alerts, reports, etc.
- Flexible security policy assignment and creation
- Effective reporting system
- Custom reporting capabilities
- Flexible deployment modes

Deployment mode: a critical factor for performance
- Transparent inline bridge: supports full enforcement; high performance, low latency; fail-open interfaces
- Transparent and reverse proxy: high performance for content modification (URL rewriting, cookie signing, SSL termination)
- Non-inline deployment: primarily for monitoring; zero network latency
- Software mode installation
(Diagram: Internet, switch and data center, showing where the inline bridge, reverse proxy and non-inline deployments sit.)

Preemptive protection
(Diagram: attack source feeds from the Security Research Team update the WAF. Hacker A, from a malicious/TOR IP, performs application vulnerability recon; Hacker B, behind an anonymous proxy, launches a zero-day attack; Hacker C, via a phishing site, causes a phishing incident.)

Q & A SECTION