Guide: Web Application Security — How to Minimize Prevalent Risk of Attacks

Table of Contents
I. Summary
II. Primer on Web App Security
III. Types of Web App Vulnerabilities
IV. Detecting Web App Vulnerabilities
V. QualysGuard WAS Automates Detection of Vulnerabilities
VI. Protect Your Web Applications
VII. About Qualys

Web Application Security: How to Minimize Prevalent Risks of Attack

Summary

Vulnerabilities in web applications are now the largest vector of enterprise security attacks. Last year, almost 55% of vulnerability disclosures affected web applications.[1] At year end, 74% of web application vulnerabilities had no available patch for remediation, according to that report. Stories about exploits that compromise sensitive data frequently mention culprits such as “cross-site scripting,” “SQL injection,” and “buffer overflow.” Vulnerabilities like these often fall outside the traditional expertise of network security managers. The relative obscurity of web application vulnerabilities thus makes them useful for attacks. As many organizations have discovered, these attacks will evade traditional enterprise network defenses unless you take new precautions. To help you understand how to minimize these risks, Qualys provides this guide as a primer to web application security. The guide surveys typical web application vulnerabilities, compares options for detection, and introduces the QualysGuard Web Application Scanning solution – a new on demand service from Qualys that automates detection of the most prevalent vulnerabilities in custom web applications.

Primer on Web Application Security

Attacks on vulnerabilities in web applications began appearing almost from the beginning of the World Wide Web, in the mid-1990s. Attacks are usually based on fault injection, which exploits vulnerabilities in a web application’s syntax and semantics. Using a standard browser and basic knowledge of HTTP and HTML, an attacker attempts a particular exploit by automatically varying a Uniform Resource Identifier (URI) link, which in turn could trigger an exploit such as SQL injection or cross-site scripting.

  http://example/foo.cgi?a=1
  http://example/foo.cgi?a=1'           SQL Injection
  http://example/foo.cgi?a=<script>     Cross-site Scripting (XSS)

Some attacks attempt to alter logical workflow.
Attackers also execute these by automatically varying a URI.

  http://example/foo.cgi?admin=false
  http://example/foo.cgi?admin=true     Increase privileges

A significant number of attacks exploit vulnerabilities in syntax and semantics. You can discover many of these vulnerabilities with an automated scanning tool. Logical vulnerabilities are very difficult to test with a scanning tool; these require manual inspection of web application source code and security testing. Web application security vulnerabilities usually stem from programming errors with a web application programming language (e.g., Java, .NET, PHP, Python, Perl, and Ruby), a code library, design pattern, or architecture.

[1] IBM ISS X-Force 2008 Trend & Risk Report, dreports/xforce-2008-annual-report.pdf
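The three parameter variations above (a=1 / a=1' / a=<script>, and admin=false / admin=true) are easiest to understand from the server's side. The following is an added example, not code from the Qualys guide: a Python stand-in for foo.cgi that processes each request URI with a naive handler and a hardened handler side by side. The in-memory items table, the handler names (lookup_unsafe, lookup_safe, echo_unsafe, echo_safe, is_admin_unsafe, is_admin_safe, handle) and the session dictionary are all constructed for the example.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    """Constructed in-memory table standing in for the data behind foo.cgi."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    return conn


def params(url):
    """Split a URI and return its query parameters as {name: first value}."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def lookup_unsafe(conn, a):
    # Vulnerable (syntax fault): 'a' is spliced into the SQL text, so a=1' alters the
    # statement itself. Here that surfaces as a database error leaking to the caller.
    return conn.execute("SELECT name FROM items WHERE id = " + a).fetchall()


def lookup_safe(conn, a):
    # Hardened: 'a' is bound as a value, so nothing in it can change the SQL statement.
    return conn.execute("SELECT name FROM items WHERE id = ?", (a,)).fetchall()


def echo_unsafe(a):
    # Vulnerable (XSS): 'a' is reflected into the page verbatim; a=<script> reaches the browser as markup.
    return "<p>You searched for " + a + "</p>"


def echo_safe(a):
    # Hardened: escape on output; <script> becomes inert text.
    return "<p>You searched for " + html.escape(a, quote=True) + "</p>"


def is_admin_unsafe(request_params):
    # Vulnerable (logical fault): a client-controlled flag decides privilege, so admin=true escalates.
    return request_params.get("admin") == "true"


def is_admin_safe(request_params, session):
    # Hardened: privilege comes from server-side session state only; the URI flag is ignored.
    return bool(session.get("is_admin", False))


def handle(url, session):
    """Process one request URI as foo.cgi might, returning both handlers' results for comparison."""
    p = params(url)
    a = p.get("a", "")
    conn = make_db()
    try:
        unsafe_rows = lookup_unsafe(conn, a)
    except sqlite3.Error as exc:
        unsafe_rows = "database error: " + str(exc)
    return {
        "unsafe_sql": unsafe_rows,
        "safe_sql": lookup_safe(conn, a),
        "unsafe_html": echo_unsafe(a),
        "safe_html": echo_safe(a),
        "unsafe_admin": is_admin_unsafe(p),
        "safe_admin": is_admin_safe(p, session),
    }


if __name__ == "__main__":
    for url in ("http://example/foo.cgi?a=1", "http://example/foo.cgi?a=1'",
                "http://example/foo.cgi?a=<script>", "http://example/foo.cgi?admin=true"):
        print(url)
        for key, value in handle(url, session={}).items():
            print("   ", key, "->", value)
```

The naive SQL handler accepts a=1 and falls over on a=1', which is exactly the signal a scanner varying that parameter is looking for; the bound-parameter version returns no rows for a=1' and never changes shape. The admin flag shows why the guide says logical flaws need manual review: both handlers accept admin=true without error, and only the server-side check is correct.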

These vulnerabilities can be complex and may occur under many circumstances. Using a web application firewall might control effects of some exploits but will not resolve the underlying vulnerabilities.

Types of Web Application Vulnerabilities

Web applications may have any of two dozen types of vulnerabilities. Security consultants who do penetration testing may focus on finding top vulnerabilities, such as those in a list published by the Open Web Application Security Project (www.owasp.org). Other efforts to systematically organize web application vulnerabilities include six categories published by the Web Application Security Consortium (www.webappsec.org). The following descriptions of web vulnerabilities are modeled on the WASC schema.

Authentication – stealing user account identities
- Brute Force attack automates a process of trial and error to guess a person’s username, password, credit-card number or cryptographic key.
- Insufficient Authentication permits an attacker to access sensitive content or functionality without proper authentication.
- Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user’s password.

Authorization – illegal access to applications
- Credential / Session Prediction is a method of hijacking or impersonating a user.
- Insufficient Authorization permits access to sensitive content or functionality that should require more access control restrictions.
- Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for authorization.
- Session Fixation attacks force a user’s session ID to an explicit value.

“Enterprise-class web application scanning solutions are broader, and should include a wide range of tests for major web application vulnerability classes, such as SQL injection, cross-site scripting, and directory traversals. The OWASP Top 10 is a good starting list of major vulnerabilities, but an enterprise class solution shouldn’t limit itself to just one list or category of vulnerabilities. An enterprise solution should also be capable of scanning multiple applications, tracking results over time, providing robust reporting (especially compliance reports), and providing reports customized for local requirements.”
– Building a Web Application Security Program Whitepaper, Securosis.com
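Three items in the Authorization list (Credential / Session Prediction, Insufficient Session Expiration, Session Fixation) are all properties of how the server manages session identifiers. The following is an added example, not code from the guide or from any Qualys product: a minimal server-side session store in Python that issues unpredictable IDs, expires idle sessions, and replaces the ID at login so a value planted in the browser beforehand is never promoted to an authenticated session. SessionStore, its methods and the 15-minute SESSION_TTL_SECONDS policy value are constructed for the example.

```python
import secrets
import time

# Assumed idle timeout; a policy value chosen for the example, not taken from the guide.
SESSION_TTL_SECONDS = 15 * 60


class SessionStore:
    """Server-side session table: unpredictable IDs, idle expiration, fresh ID on login."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be exercised without waiting

    def create(self):
        # 256 bits from the OS CSPRNG: the ID cannot be predicted or enumerated.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return the session for a presented ID, or None if it is unknown or expired."""
        session = self._sessions.get(sid)
        if session is None:
            return None  # only IDs this server issued are honoured
        if self._clock() - session["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[sid]  # idle too long: an old ID cannot be reused
            return None
        session["last_seen"] = self._clock()
        return session

    def login(self, sid, user):
        """After successful authentication, retire the pre-login ID and issue a new one.

        Whatever ID the browser arrived with (including one fixed by a third party)
        is discarded, so it never becomes a valid authenticated session."""
        if self.get(sid) is None:
            return None
        del self._sessions[sid]
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create()
    authenticated = store.login(anonymous, "alice")
    print("pre-login ID still valid?", store.get(anonymous) is not None)
    print("post-login user:", store.get(authenticated)["user"])
```

The store only ever looks up IDs it generated itself, so an unrecognised value arriving in a cookie or URI is simply an anonymous request; combined with the rotation in login(), that is what defeats fixation. The clock is injected so the idle-timeout path can be tested deterministically.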

Client-side Attacks – illegal execution of foreign code
- Content Spoofing tricks a user into believing that certain content appearing on a web site is legitimate and not from an external source.
- Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which loads into a user’s browser.

Command Execution – hijacks control of web application
- Buffer Overflow attacks alter the flow of an application by overwriting parts of memory.
- Format String Attack alters the flow of an application by using string formatting library features to access other memory space.
- LDAP Injection attacks exploit web sites by constructing LDAP statements from user-supplied input.
- OS Commanding executes operating system commands on a web site by manipulating application input.
- SQL Injection constructs illegal SQL statements on a web site application from user-supplied input.
- SSI Injection (also called Server-side Include) sends code into a web application, which is later executed locally by the web server.
- XPath Injection constructs XPath queries from user-supplied input.

Information Disclosure – shows sensitive data to attackers
- Directory Indexing is an automatic directory listing / indexing web server function that shows all files in a requested directory if the normal base file is not present.
- Information Leakage occurs when a web site reveals sensitive data such as developer comments or error messages, which may aid an attacker in exploiting the system.
- Path Traversal forces access to files, directories and commands that potentially reside outside the web document root directory.
- Predictable Resource Location uncovers hidden web site content and functionality.
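Two of the Information Disclosure items, Directory Indexing and Path Traversal, come down to how a server maps a request path onto its document root. The following is an added example, not code from the guide: a Python static-file resolver that percent-decodes the request path, resolves it, refuses anything that lands outside the document root, and refuses to list a directory that has no index file. The function names (resolve_under_root, serve, make_demo_root), the INDEX_FILE name and the temporary document root with its files are constructed for the example.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

# The "normal base file" whose absence makes a permissive server generate a listing.
INDEX_FILE = "index.html"


def resolve_under_root(doc_root, request_path):
    """Map a request path onto the document root; return None if it would escape the root."""
    root = Path(doc_root).resolve()
    # Decode percent-encoding first so ..%2F is judged the same way as ../ ;
    # strip leading slashes so the join stays under root instead of replacing it.
    relative = unquote(request_path).lstrip("/")
    target = (root / relative).resolve()  # resolve() collapses '..' and follows symlinks
    if target != root and root not in target.parents:
        return None
    return target


def serve(doc_root, request_path):
    """Return (status, body): 403 for root escapes and bare directories, 404 for missing files."""
    target = resolve_under_root(doc_root, request_path)
    if target is None:
        return (403, None)
    if target.is_dir():
        index = target / INDEX_FILE
        if not index.is_file():
            return (403, None)  # never generate a directory listing
        target = index
    if not target.is_file():
        return (404, None)
    return (200, target.read_text())


def make_demo_root():
    """Constructed document root: index.html at the top, plus an uploads/ directory with no index."""
    root = Path(tempfile.mkdtemp())
    (root / INDEX_FILE).write_text("home")
    (root / "uploads").mkdir()
    (root / "uploads" / "a.txt").write_text("file a")
    return str(root)


if __name__ == "__main__":
    root = make_demo_root()
    for path in ("/", "/uploads/a.txt", "/uploads/", "/../../etc/passwd", "/uploads/..%2F..%2Fetc%2Fpasswd"):
        print(path, "->", serve(root, path))
```

The check is done on the fully resolved path rather than by searching the string for "..", which is why the percent-encoded variant and a traversal that starts inside a subdirectory are both rejected the same way.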

Logical Attacks – interfere with application usage
- Abuse of Functionality uses a web site’s own features and functionality to consume, defraud or circumvent access control mechanisms.
- Denial of Service (DoS) attacks prevent a web site from serving normal user activity.
- Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually.
- Insufficient Process Validation permits an attacker to bypass or circumvent the intended flow of an application.

Detecting Web Application Vulnerabilities

There is no “silver bullet” to detecting web application vulnerabilities. The strategy for their detection is identical to the multi-layer approach used for security on a network. Detection and remediation of some vulnerabilities requires source code analysis, particularly for complex enterprise-scale web applications. Detection of other vulnerabilities may also require on-site penetration testing. As mentioned earlier, the most prevalent web application vulnerabilities can also be detected with an automated scanner.

An automated web application vulnerability scanner both supplements and complements manual forms of testing. It provides five key benefits:
- Lowers total cost of operations by automating repeatable testing processes
- Identifies vulnerabilities of syntax and semantics in custom web applications
- Performs authenticated crawling
- Profiles the target application
- Ensures accuracy by effective reduction of false positives and false negatives

A scanner does not have access to a web application’s source code, so the only way it can detect vulnerabilities is by performing likely attacks on the target application. Time required for scanning varies, but doing a broad simulated attack on an application takes significantly longer than doing a network vulnerability scan against a single IP. A major requirement for a web application vulnerability scanner is comprehensive coverage of the target application’s functionality. Incomplete coverage will cause the scanner to overlook existing vulnerabilities.

“The number of vulnerabilities affecting Web applications has grown at a staggering rate. In 2008, vulnerabilities affecting Web server applications accounted for 54 percent of all vulnerability disclosures and were one of the primary factors in the overall growth of vulnerability disclosures during the year.”
– IBM X-Force 2008 Trend & Risk Report

QualysGuard WAS Automatically Detects Major Web Application Vulnerabilities

The QualysGuard Web Application Scanning (WAS) solution is an on demand service integrated into the QualysGuard security and compliance Security-as-a-Service (SaaS) suite. Use of the QualysGuard WAS presumes no specialized knowledge of web security. The service allows a network security or IT administrator to execute comprehensive, accurate vulnerability scans on custom web applications such as shopping carts, forms, login pages, and other types of dynamic content. The broad scope of coverage focuses tests on Web application security.

Key Benefits. WAS automates repeatable techniques used to identify the most prevalent web vulnerabilities, such as SQL injection and cross-site scripting. It combines pattern recognition and observed behaviors to accurately identify and verify vulnerabilities. The WAS service identifies and profiles login forms, session state, error pages, and other customized features of the target application – even if it extends across multiple web sites. This site profile data helps WAS to adapt to changes as the web application matures. Adaptability enables the scanner to be used against unknown or legacy web applications that may carry little information about error pages or other behavior. As a result, WAS delivers highly accurate detection and reduces false positives. The automated nature of Web Application Scanning enables regular testing that produces consistent results and easily scales for large numbers of web sites.

Current Features. The table describes comprehensive capabilities in QualysGuard WAS to assess and track web application vulnerabilities. Qualys plans to add other features during Q2/Q3 2009.

Crawling & Link Discovery   Embedded web crawler parses HTML and some JavaScript to extract links. Automatically balances breadth and depth of discovered links to crawl up to 5,000 links per web application.
Authentication              HTTP Basic and NTLM server-based authentication. Simple form authentication.
Black List                  Prevents crawler from visiting certain links in a web application.
White List                  Instructs the crawler to only visit links explicitly defined in this list.
Performance Tuning          User-determined bandwidth level for parallel scanning to control impact on application performance.
Sensitive Content           Enables user-specified expression search for content in HTML, such as Social Security Numbers.

Reports such as the Web Application Scorecard provide big-picture and drill-down visibility on vulnerabilities for each web application.

Operations. QG WAS is delivered as an on demand service fully integrated with the QualysGuard solutions already in use by thousands of customers for vulnerability management and policy compliance. Users can manage web applications, launch scans, and generate reports with the familiar interface of the QualysGuard web interface. WAS scans may be pre-scheduled or executed on demand. The WAS service can be scaled to the largest web applications hosted anywhere in the world. Account rights management allows an organization to centrally control which web applications may be scanned by individual users.

Finally, with QualysGuard WAS, at least one person in your organization must be responsible for managing remediation of vulnerabilities found in your web applications.

Protect Your Web Applications

The QualysGuard Web Application Scanning service will help your organization immediately begin identifying the most prevalent security vulnerabilities open to criminal exploit. The scanner will be a powerful supplement to existing security efforts such as source code analysis and penetration testing. The latter controls are necessary, but QualysGuard WAS will automate detection testing for the majority of threats – the kinds you read about when data thieves breach confidential information via web applications. In addition to comprehensive testing and accurate detection, QualysGuard WAS is cost effective. Just like QualysGuard, WAS is an easy-to-use on demand service allowing administrators to execute scans without any special knowledge of web application security.

QualysGuard WAS trials are available now. General public release is scheduled for April 2009. If you would like a free trial of the QualysGuard WAS, please contact Qualys to get started.

About Qualys

Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions – delivered as a service. Qualys’ Software-as-a-Service solutions are deployed in a matter of hours anywhere in the world, providing customers an immediate and continuous view of their security and compliance postures. The QualysGuard service is used today by more than 3,500 organizations in 85 countries, including 40 of the Fortune Global 100 and performs more than 200 million IP audits per year. Qualys has the largest vulnerability management deployment in the world at a Fortune Global 50 company. Qualys has established strategic agreements with leading managed service providers and consulting organizations including BT, Etisalat, Fujitsu, IBM, I(TS)2, LAC, SecureWorks, Symantec, Tata Communications, TELUS and VeriSign.

For more information, please visit www.qualys.com.

www.qualys.com
USA – Qualys, Inc. 1600 Bridge Parkway, Redwood Shores, CA 94065  T: 1 (650) 801 6100  sales@qualys.com
UK – Qualys, Ltd. 224 Berwick Avenue, Slough, Berkshire, SL1 4QT  T: 44 (0) 1753 872101
Germany – Qualys GmbH München Airport, Terminalstrasse Mitte 18, 85356 München  T: 49 (0) 89 97007 146
France – Qualys Technologies Maison de la Défense, 7 Place de la Défense, 92400 Courbevoie  T: 33 (0) 1 41 97 35 70
Japan – Qualys Japan K.K. Pacific Century Place 8F, 1-11-1 Marunouchi, Chiyoda-ku, 100-6208 Tokyo  T: 81 3 6860 8296
United Arab Emirates – Qualys FZE P.O Box 10559, Ras Al Khaimah, United Arab Emirates  T: 971 7 204 1225
China – Qualys Hong Kong Ltd. Suite 1901, Tower B, TYG Center, C2 North Rd, East Third Ring Rd, Chaoyang District, Beijing  T: 86 10 84417495

Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 03/09

