Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Qg was guide
1. GUIDE
WEB
APPLICATION
SECURITY
How to Minimize the Risk of Attacks
Table of Contents
I. Summary 2
II. Overview of Web Application Scanning 2
III. Types of Web Application Vulnerabilities 3
IV. Detecting Web Application Vulnerabilities 4
V. Introducing QualysGuard® WAS 2.0 5
VI. Protect Your Web Applications 7
VII. About Qualys 7
2. Guide: Web Application Security; How to Minimize the Risk of Attacks page 2
Summary
Vulnerabilities in web applications are now the largest source of enterprise security attacks. Web application vulnerabilities
accounted for over 55% of all vulnerabilities disclosed in 2010, according to an IBM X-Force study. That may be the tip
of the iceberg as the study includes only commercial web applications.1 Stories about compromised sensitive data
frequently mention culprits such as “cross-site scripting,” “SQL injection,” and “buffer overflow.” Vulnerabilities like these
often fall outside the traditional expertise of network security managers. The relative obscurity of web application vulner-
abilities thus makes them useful for attacks. As many organizations have discovered, these attacks will evade traditional
enterprise network defenses unless you take new precautions.
To help you understand how to minimize these risks, Qualys provides this guide as a primer to web application security.
The guide surveys typical web application vulnerabilities, compares options for detection, and introduces the
QualysGuard Web Application Scanning solution – an on demand service from Qualys that automates detection of the
most prevalent vulnerabilities in custom web applications.
Overview of Web Application Security
Attacks on vulnerabilities in web applications began appearing almost from the beginning of the World Wide Web, in the
mid-1990s. Attacks are usually based on fault injection, which exploits vulnerabilities in a web application’s syntax and
semantics. Using a standard browser and basic knowledge of HTTP and HTML, an attacker attempts a particular exploit
by automatically varying a Uniform Resource Indicator (URI) link, which in turn could trigger an exploit such as SQL
injection or cross-site scripting.
http://example/foo.cgi?a=1
http://example/foo.cgi?a=1’ Example of SQL Injection
http://example/foo.cgi?a=<script>… Example of Cross-site Scripting (XSS)
Some attacks attempt to alter logical workflow. Attackers also execute these by automatically varying a URI.
http://example/foo.cgi?admin=false
http://example/foo.cgi?admin=true Example of increasing privileges
A significant number of attacks exploit vulnerabilities in syntax and semantics. You can discover many of these
vulnerabilities with an automated scanning tool. Logical vulnerabilities are very difficult to test with a scanning tool; these
require manual inspection of web application source code analysis and security testing. Web application security vulner-
abilities can stem from misconfigurations, bad architecture, or poor programming practices within commercial or custom
application code. Vulnerabilities may be in code libraries and design patterns of popular programming languages such as
Java, .NET, PHP, Python, Perl, and Ruby. These vulnerabilities can be complex and may occur under many different
circumstances. Using a web application firewall might control effects of some exploits but will not resolve the underlying
vulnerabilities.
1 IBM ISS X-Force 2010 Mid-yearTrend & Risk Report
3. Guide: Web Application Security; How to Minimize the Risk of Attacks page 3
Types of Web Application Vulnerabilities The number of new vulnerability
disclosures in the first half of
Web applications may have any of two dozen types of vulnerabilities. Security
the year is at the highest level
consultants who do penetration testing may focus on finding top vulnerabilities,
ever recorded. This is in stark
such as those in a list published by the Open Web Application Security Project
contrast to the 2009 mid-year
(www.owasp.org), the OWASP Top 10. Other efforts to systematically organize
report when new vulnerability
web application vulnerabilities include more than 30 granular threat classifications
disclosures were at the lowest
published by the Web Application Security Consortium (www.webappsec.org).
level in the previous four years.
The following descriptions of web vulnerabilities are modeled on a WASC schema.
Web application vulnerabilities—
particularly cross-site scripting
Authentication – stealing user account identities
and SQL injection—continue to
n Brute Force attack automates a process of trial and error to guess a dominate the threat landscape.
person’s username, password, credit-card number or cryptographic key.
IBM X-Force®
n Insufficient Authentication permits an attacker to access sensitive 2010 Mid-year Trend & Risk Report
content or functionality without proper authentication.
n Weak Password Recovery Validation permits an attacker to illegally
obtain, change or recover another user’s password.
Authorization – illegal access to applications
n Credential / Session Prediction is a method of hijacking or impersonating
a user.
n Insufficient Authorization permits access to sensitive content or
functionality that should require more access control restrictions.
n Insufficient Session Expiration permits an attacker to reuse old session
credentials or session IDs for authorization.
n Session Fixation attacks force a user’s session ID to an explicit value.
Client-side Attacks – illegal execution of foreign code
n Content Spoofing tricks a user into believing that certain content appearing
on a web site is legitimate and not from an external source.
n Cross-site Scripting (XSS) forces a web site to echo attacker-supplied
executable code, which loads into a user’s browser.
Command Execution – hijacks control of web application
n Buffer Overflow attacks alter the flow of an application by overwriting
parts of memory.
n Format String Attack alters the flow of an application by using string
formatting library features to access other memory space.
n LDAP Injection attacks exploit web sites by constructing LDAP
statements from user-supplied input.
n OS Commanding executes operating system commands on a web site
by manipulating application input.
4. Guide: Web Application Security; How to Minimize the Risk of Attacks page 4
n SQL Injection constructs illegal SQL statements on a web site application Enterprise-class web applica-
from user-supplied input. tion scanning solutions are
broader, and should include a
n SSI Injection (also called Server-side Include) sends code into a web wide range of tests for major
application, which is later executed locally by the web server.
web application vulnerability
n XPath Injection constructs XPath queries from user-supplied input. classes, such as SQL injection,
cross-site scripting, and directory
Information Disclosure – shows sensitive data to attackers traversals. The OWASP Top 10
n Directory Indexing is an automatic directory listing / indexing web server is a good starting list of major
function that shows all files in a requested directory if the normal base vulnerabil¬ities, but an enter-
file is not present. prise class solution shouldn’t
n Information Leakage occurs when a web site reveals sensitive data such limit itself to just one list or
as developer comments or error messages, which may aid an attacker in category of vulnerabilities. An
exploiting the system. enteprise solution should also
n Path Traversal forces access to files, directories and commands that be capable of scanning multiple
potentially reside outside the web document root directory. applications, tracking results
over time, providing robust
n Predictable Resource Location uncovers hidden web site content and reporting (especially compli-
functionality.
ance reports), and providing
Logical Attacks – interfere with application usage reports customized for local
requirements.
n Abuse of Functionality uses a web site’s own features and functionality
to consume, defraud, or circumvent access control mechanisms. Securosis.com
Building a Web Application Security
n Denial of Service (DoS) attacks prevent a web site from serving normal Program Whitepaper
user activity.
n Insufficient Anti-automation is when a web site permits an attacker to
automate a process that should only be performed manually.
n Insufficient Process Validation permits an attacker to bypass or circumvent
the intended flow of an application.
Detecting Web Application Vulnerabilities
There is no “silver bullet” to detecting web application vulnerabilities. The
strategy for their detection is identical to the multi-layer approach used for
security on a network. Detection and remediation of some vulnerabilities
requires source code analysis, particularly for complex enterprise-scale web
applications. Detection of other vulnerabilities may also require on-site
penetration testing. As mentioned earlier, the most prevalent web application
vulnerabilities can also be detected with an automated scanner. An automated
web application vulnerability scanner both supplements and complements
manual forms of testing. It provides four key benefits:
n Lower total cost of operations by automating repeatable testing
processes
5. Guide: Web Application Security; How to Minimize the Risk of Attacks page 5
n Close security loopholes by discovering and identifying rogue web applications
n Understand the security risks for your most public and accessible IT assets
n Drive secured coding practices for custom application development
A scanner does not have access to a web application’s source code, so the only way it can detect vulnerabilities is by
performing likely attacks on the target application. Time required for scanning varies, but doing a broad simulated attack
on an application takes significantly longer than doing a network vulnerability scan against a single IP. A major requirement
for a web application vulnerability scanner is comprehensive coverage of the target application’s functionality. Incomplete
coverage will cause the scanner to overlook existing vulnerabilities.
Introducing QualysGuard® WAS 2.0
The QualysGuard Web Application Scanning (WAS) solution is an on demand service integrated into the QualysGuard
security and compliance Security-as-a-Service (SaaS) suite. Use of the QualysGuard WAS presumes no specialized
knowledge of web security. The service allows a network security or IT administrator to execute comprehensive, accurate
vulnerability scans on custom web applications such as shopping carts, forms, login pages, and other types of dynamic
content. The broad scope of coverage focuses tests on Web application security.
Figure 1: The QualysGuard WAS 2.0 Dashboard Figure 2: Scan Management view within
QualysGuard WAS 2.0
6. Guide: Web Application Security; How to Minimize the Risk of Attacks page 6
Key Benefits
QualysGuard WAS helps organizations catalog web applications within their enterprise and get an inventory of their
applications – no matter where they reside. Then, QualysGuard WAS automates repeatable techniques used to identify
the most prevalent web vulnerabilities, such as SQL injection and cross-site scripting in web applications. It combines
pattern recognition and observed behaviors to accurately identify and verify vulnerabilities. The QualysGuard WAS
service identifies and profiles login forms, session state, error pages, and other customized features of the target
application – even if it extends across multiple web sites. This site profile data helps QualysGuard WAS to adapt to
changes as the web application matures. Adaptability enables the scanner to be used against unknown or legacy web
applications that may carry little information about error pages or other behavior. As a result, QualysGuard WAS
delivers accurate detection and reduces false positives. The automated nature of QualysGuard WAS enables regular
testing that produces consistent results and easily scales for large numbers of web sites.
Feature Highlights
QualysGuard WAS offers comprehensive capabilities to
assess, track, and report web application vulnerabilities.
Key features include:
n Crawling & Link Discovery – Embedded browser crawls
complex sites. Reaches wide coverage of the site’s
functionality by sampling redundant and related links.
n Authentication – Automatically finds and authenticates to
login forms. Maintains an authenticated session. Support
for server-based authentication (Basic, Digest, NTLM)
including SSL client certificates.
Figure 3: Scan Summary results within
QualysGuard WAS 2.0
n Exclusion Lists – Use blacklists and whitelists to guarantee
coverage and prevent the crawler from hitting certain links
or areas of the site.
n Performance – User-determined bandwidth level for parallel
scanning to control impact on application performance.
Smart vulnerability checks skip unnecessary tests.
n Sensitive Content – Search for privacy- or security-related
content within the site’s HTML.
n Accurate Vulnerability Tests – Minimizes false positives by
profiling the target’s behavior. Uses multiple steps to verify
discoveries.
n Site Discovery & Management – Discover web servers
across a network. Manage scores of web applications from Figure 4: QualysGuard WAS 2.0 – Detailed Scan Results
a unified interface.
