Web Application Vulnerabilities: How’s Your Business on the Web? - Trend Micro


A Cloud Security Primer
Web Application Vulnerabilities
HOW’S YOUR BUSINESS ON THE WEB?

Conducting Business on the Web

Enterprises develop web applications to leverage the convenience offered by Internet technologies and meet customer demand. Web applications can be as simple as applications that facilitate customer contact or as complex as those that facilitate online auctions, medical record keeping, banking, and such.

[Sidebar]
- According to Gartner, 75% of all external attacks occur at the application layer.1
- According to CVEdetails.com, 10 products associated with web application delivery and development are included in the “Top 50 Products with ‘Distinct’ Vulnerabilities” list.2
- According to Netcraft, the most common HTTP server is Apache (64%), followed by Microsoft IIS (14%).3

These applications process data and store results in a back-end database server where business-relevant data such as customer information sits. Web applications, depending on their specific purpose, regularly interact with customers, partners, and employees. Unfortunately, dependencies and interactions between in-house and third-party resources, objects, and inputs inevitably introduce security holes.

Enterprises continue to create and use web applications in order to provide user-friendly interfaces to users utilizing available technologies. The following factors, which involve the development and upkeep of web applications, contribute to security risks:

- More complex transactions. More and more mission-critical processes, not just externally oriented ones such as sales and marketing, are leveraging Internet connectivity.
- Orphaned web applications. Applications’ development teams are sometimes no longer with the company and can no longer address security issues when these are found.
- Legacy applications. Older applications created before related security policies were instituted may suddenly be exposed once web interfaces are added to these.
- Short time to market. Rapid development and increased functionality requirements force developers to ship web applications without closely looking at possible security holes.
- Custom-made web applications. In-house-developed applications are difficult to standardize even within a company. Human error is always a possibility.
- Coding without security in mind. Security may have been overlooked in the software development life cycle.

[Sidebar: Window of Exposure Scenarios]

At the same time, patch management problems such as those outlined in the TrendLabs Cloud Security Primer, “Maintaining Vulnerable Servers: What’s Your Window of Exposure?,” contribute to the difficulty of keeping even off-the-shelf web-related servers and databases updated with the latest patches.1 Among these challenges are the need to test emergency patches prior to deployment, the choice to delay patch deployment if the patch proves unstable, or sometimes even the lack of security updates from the vendors themselves.

Furthermore, the administration of web, application, and database servers also adds security concerns. Running unnecessary services, using default configurations, enforcing weak passwords, and not reviewing permissions are easily remedied poor practices that many IT administrators still make the mistake of doing.

Notes:
http://www.sigist.org.il/ ml#more-6013
1 tent/us/pdfs/business/white-papers/wp vulnerabilityshielding-primer.pdf

The Weakest Link in Web 2.0 Security

The 2011 Trend Micro review of exploits and vulnerabilities predicted that the volume of vulnerability exploits will continue to increase throughout 2012.2 Attacks that take advantage of server and application vulnerabilities allow attackers to penetrate a network and potentially access an organization’s confidential data.

The Web is considered “stateless” in nature as web developers continuously create websites that are primarily designed to be fast and scalable and intended for various users. As such, security becomes a second priority. Conversely, web applications that are built on top of the stateless, unsecured Web are more secure. Application developers focus more on user experience, making applications more user specific, thus maintaining a “stateful” nature.

[Sidebar: While Web 2.0 aids enterprises in conducting business, it also introduces a plethora of damaging risks.]

How Vulnerable Are Your Servers?

Apart from web applications, vulnerabilities residing in web and database servers can also be exploited by attackers to get inside a network or to prevent an enterprise’s customers from accessing its website. Here are some recent attack samples:

Web server-related attacks
- Microsoft released an out-of-band update for a vulnerability in ASP.NET that, when exploited, can cause a denial of service (DoS) and potentially take down a server.3 As such, this threat can disrupt business operations and potentially lead to financial loss.
- Last year, in a mass compromise attack dubbed “Lizamoon,” thousands of websites were compromised, affecting numerous companies in various industries. Malicious URLs were inserted into vulnerable websites through SQL injection, which led visitors to download FAKEAV and WORID malware.4 Furthermore, last February 2012, the French confectionery website, laduree.fr, was also compromised to infect visitors’ systems with ransomware.5
- A vulnerability in Apache HTTP Server (CVE-2011-3192),6 when exploited, can allow cybercriminals to launch a DoS attack against a vulnerable server with the mere act of sending an HTTP request.7

Web application server-related attack
- An e-commerce website was injected with a malicious code that affected nearly 300 view item pages showcasing gold-plated jewelry.8 The said code led to a series of redirections that finally ended with the download of various malware. However, because the code had a missing tag, the infection chain, which could have caused a massive malware outbreak, failed to entirely execute.

[Sidebar: Potential Attacks That Enterprises May Encounter11]
- Injection
- Cross-site scripting (XSS)
- Broken authentication and session management
- Insecure direct object references
- Cross-site request forgery (CSRF)
- Security misconfiguration
- Insecure cryptographic storage
- Failure to restrict URL access
- Insufficient transport layer protection
- Unvalidated redirects and forwards

Notes:
11 https://www.owasp.org/index.php/Top_10_2010-Main
mitre.org/cgi-bin/cvename.cgi?name
icro.com/missing-tag-foils-compromise/

Database server-related attacks
- A vulnerability in Oracle Database Server’s TNS listener, which, when successfully exploited, does not require a user name and/or password to gain network access, was also discovered.9 This allows an attacker to potentially access and steal corporate data.10
- A security bug in previous versions of MySQL and MariaDB can allow an attacker to access a vulnerable database by submitting random passwords.11

These attacks do not only threaten to disrupt businesses or tamper with an enterprise’s image but can also lead to unauthorized access to and/or use of an organization’s critical data.

[Figure 1: Security risk diagram for web applications and servers]

Securing Web Applications

Baseline Web, Application, and Database Server Security Practices

Good web server security maintenance involves reviewing if you really need all the services that are set to run, enabling only relevant ports, using strong passwords, and limiting access to the server.

IT administrators should enforce security policies and audit all existing and future in-house-developed software for compliance, especially those that will have some form of user interaction or input required on the Web. Too many attacks succeed simply because the software developer did not set up user input validation before processing. Web applications should ideally be coded as securely as possible.

Updating security patches for web servers and applications should be an established practice considering the speed by which exploits are created. However, there will be scenarios wherein patching an “always-up” machine is extremely difficult and costly to a business. Sometimes, a vulnerability will be long exploited before a patch is ever released.
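The primer’s point that attacks succeed because input is not validated before processing, and its later note that the most common web application flaws lead to SQL injection and XSS, can be made concrete in code. The example below is added here and is not from the primer or from Trend Micro: it puts the vulnerable pattern (user input spliced into SQL text) beside the hardened pattern (validation followed by a parameterized query) and shows output encoding for the XSS side. The in-memory SQLite customer table and its two rows are constructed sample data; the username format rule is an assumption about what the application accepts.

```python
import html
import re
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny stand-in for the back-end database
    the primer describes, holding business-relevant customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the input becomes part of the SQL text, so a
    quote character in it changes the structure of the query, not just a value."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the driver passes the value separately from the query
    text, so the database never interprets the input as SQL."""
    return conn.execute(
        "SELECT username, email FROM customers WHERE username = ?", (username,)
    ).fetchall()


# Assumed allow-list for usernames: letters, digits, '_', '.', '-', up to 32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(username: str) -> bool:
    """Input validation before processing: reject anything outside the allow-list."""
    return USERNAME_RE.fullmatch(username) is not None


def handle_lookup(conn: sqlite3.Connection, username: str):
    """Validate first, then query with parameters. Returns the rows, or None
    when the input was rejected (the caller would send a 400 response)."""
    if not validate_username(username):
        return None
    return lookup_parameterized(conn, username)


def render_greeting(username: str) -> str:
    """Output encoding for the XSS side: escape before placing data in HTML,
    so a stored or reflected value cannot become markup in the visitor's browser."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


if __name__ == "__main__":
    conn = build_demo_db()
    suspicious = "x' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(conn, suspicious))   # every row leaks
    print("parameterized:", lookup_parameterized(conn, suspicious))  # no row matches
    print("validated    :", handle_lookup(conn, suspicious))         # rejected: None
    print(render_greeting("<script>alert(1)</script>"))
```

Validation and parameterization are both kept because they defend different things: the allow-list stops malformed input at the edge of the application, while parameterization protects the query even when a field legitimately contains quotes. The escaping in render_greeting must happen at output time, once per context, rather than when the value is stored.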

Vulnerability-Shielding Solutions

A range of solutions (e.g., web application scanners, database auditing and protection [DAP] tools, database activity monitoring [DAM] tools, file integrity monitoring software, etc.) are made available to protect web applications. Understandably, each solution has its own strengths and focus. However, in certain instances, where defense against exploits is needed even if patches are not yet available, the value of vulnerability shielding, aka “virtual patching,” is distinguished. This is also especially useful in easing patch management difficulties. By examining the incoming or outgoing traffic to and from vulnerable applications, vulnerability-shielding solutions such as those embedded in Trend Micro Deep Security can correct traffic according to a vulnerability signature.12

Web Application Protection Technologies

The most common web application vulnerabilities lead to SQL injection and XSS attacks. Some web application protection technologies such as those present in Deep Security can defend public-facing web servers and applications against these attacks.

Notes:
12 s/deep-security-datasheet-en.pdf
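To show what “examining incoming traffic according to a vulnerability signature” means in practice, here is an added example of a minimal request-inspection shield. It is not Deep Security’s code or rule set and is not from the primer: it parses a raw HTTP request, checks each decoded query parameter against a small set of SQL injection signatures, and applies one header-count rule, then returns a block/allow verdict that a front-end proxy could enforce before the request reaches an unpatched application. The Apache CVE-2011-3192 DoS mentioned on the page was triggered through the Range header; the rule that limits the number of byte ranges illustrates how a shield covers such a flaw without touching the server, but the threshold of five segments and the regular expressions are assumptions for illustration, and the sample requests are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Illustrative signatures (assumed, not a vendor rule set). A real shield ships
# signatures tuned per vulnerability and keeps them updated with the threat landscape.
SQLI_SIGNATURES = {
    "tautology": re.compile(r"'\s*(or|and)\s*'?\w*'?\s*=\s*'?\w*", re.I),
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    "comment_terminator": re.compile(r"(--|#|/\*)\s*$"),
}
MAX_RANGE_SEGMENTS = 5  # assumed limit on byte ranges accepted in one Range header


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers,
    decoded query parameters and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    query = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return {"method": method, "target": target, "version": version,
            "headers": headers, "query": query, "body": body}


def inspect(req: dict) -> list:
    """Run every signature over the request; return a list of findings (empty = clean)."""
    findings = []
    for name, value in req["query"]:
        # parse_qsl already decoded once; a second unquote catches double-encoded input
        decoded = unquote(value)
        for sig_name, pattern in SQLI_SIGNATURES.items():
            if pattern.search(decoded):
                findings.append(f"sqli:{sig_name} in parameter {name!r}")
    rng = req["headers"].get("range", "")
    if rng.lower().startswith("bytes="):
        segments = [s for s in rng[len("bytes="):].split(",") if s.strip()]
        if len(segments) > MAX_RANGE_SEGMENTS:
            findings.append(
                f"range:{len(segments)} byte ranges exceeds {MAX_RANGE_SEGMENTS}"
            )
    return findings


def shield(raw: str) -> tuple:
    """Verdict for one request: ('block', findings) or ('allow', [])."""
    findings = inspect(parse_request(raw))
    return ("block" if findings else "allow", findings)


if __name__ == "__main__":
    # Constructed sample traffic, as a proxy in front of the application would see it.
    samples = [
        "GET /items?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
        "GET /items?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
        "GET /big.iso HTTP/1.1\r\nHost: shop.example\r\nRange: bytes=0-,1-,2-,3-,4-,5-,6-\r\n\r\n",
    ]
    for raw in samples:
        verdict, findings = shield(raw)
        print(verdict, findings)
```

The shield decodes parameters before matching, since the same payload can arrive URL-encoded, and it reports which signature fired on which parameter so that the event is useful to an analyst rather than a bare block count. The findings list is the natural thing to log or to send to monitoring; blocking on it is the virtual patch that buys time until the real fix is tested and deployed.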

TREND MICRO

Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years’ experience, we deliver top-ranked client, server and cloud-based security that fits our customers’ and partners’ needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the industry-leading Trend Micro Smart Protection Network cloud computing security infrastructure, our products and services stop threats where they emerge—from the Internet. They are supported by 1,000 threat intelligence experts around the globe.

TRENDLABS(SM)

TrendLabs is a multinational research, development, and support center with an extensive regional presence committed to 24 x 7 threat surveillance, attack prevention, and timely and seamless solutions delivery. With more than 1,000 threat experts and support engineers deployed round-the-clock in labs located around the globe, TrendLabs enables Trend Micro to continuously monitor the threat landscape across the globe; deliver real-time data to detect, to preempt, and to eliminate threats; research on and analyze technologies to combat new threats; respond in real time to targeted threats; and help customers worldwide minimize damage, reduce costs, and ensure business continuity.

© 2012 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

