guide :

Web Application Security —

How to Minimize Prevalent Risk
of Attacks

Table of Contents

I. Summary 2

II. Primer on Web App Security 2

III. Types of Web App Vulnerabilities 3

IV. Detecting Web App Vulnerabilities 5

V. QualysGuard WAS Automates 6

Detection of Vulnerabilities

IV. Protect Your Web Applications 7

V. About Qualys 8
Web Application Security: How to Minimize Prevalent Risks of Attack page 2

Summary
Vulnerabilities in web applications are now the largest vector of enterprise security
attacks. Last year, almost 55% of vulnerability disclosures affected web applications.1
At year end, 74% of web application vulnerabilities had no available patch for
remediation, according to that report. Stories about exploits that compromise
sensitive data frequently mention culprits such as “cross-site scripting,” “SQL
injection,” and “buffer overflow.” Vulnerabilities like these fall often outside the
traditional expertise of network security managers. The relative obscurity of web
application vulnerabilities thus makes them useful for attacks. As many organizations
have discovered, these attacks will evade traditional enterprise network defenses
unless you take new precautions. To help you understand how to minimize these
risks, Qualys provides this guide as a primer to web application security. The guide
surveys typical web application vulnerabilities, compares options for detection, and
introduces the QualysGuard Web Application Scanning solution – a new on demand
service from Qualys that automates detection of the most prevalent vulnerabilities
in custom web applications.

Primer on Web Application Security

Attacks on vulnerabilities in web applications began appearing almost from the
beginning of the World Wide Web, in the mid-1990s. Attacks are usually based on
fault injection, which exploits vulnerabilities in a web application’s syntax and
semantics. Using a standard browser and basic knowledge of HTTP and HTML, an
attacker attempts a particular exploit by automatically varying a Uniform Resource
Indicator (URI) link, which in turn could trigger an exploit such as SQL injection or
cross-site scripting.

http://example/foo.cgi?a=1
http://example/foo.cgi?a=1’ < SQL Injection
http://example/foo.cgi?a=<script> … < Cross-site Scripting (XSS)

Some attacks attempt to alter logical workflow. Attackers also execute these by
automatically varying a URI.

http://example/foo.cgi?admin=false
http://example/foo.cgi?admin=true < Increase privileges

A significant number of attacks exploit vulnerabilities in syntax and semantics. You

can discover many of these vulnerabilities with an automated scanning tool.
Logical vulnerabilities are very difficult to test with a scanning tool; these require
manual inspection of web application source code analysis and security testing.
Web application security vulnerabilities usually stem from programming errors with
a web application programming language (e.g., Java, .NET, PHP, Python, Perl, and
Ruby), a code library, design pattern, or architecture.

1 IBM ISS X-Force 2008 Trend & Risk Report http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf

Web Application Security: How to Minimize Prevalent Risks of Attack page 3

These vulnerabilities can be complex and may occur under many circumstances.
Using a web application firewall might control effects of some exploits but will not
“ Enterprise-class web application
scanning solutions are broader, and
should include a wide range of tests
resolve the underlying vulnerabilities.
for major web application vulnerability
classes, such as SQL injection,
Types of Web Application Vulnerabilities cross-site scripting, and directory
traversals. The OWASP Top 10 is a
Web applications may have any of two dozen types of vulnerabilities. Security
good starting list of major vulnerabil-
consultants who do penetration testing may focus on finding top vulnerabilities, ities, but an enterprise class solution
such as those in a list published by the Open Web Application Security Project shouldn’t limit itself to just one list or
(www.owasp.org). Other efforts to systematically organize web application category of vulnerabilities. An enter-
vulnerabilities include six categories published by the Web Application Security prise solution should also be capable
of scanning multiple applications,
Consortium (www.webappsec.org). The following descriptions of web vulnerabilities
tracking results over time, providing
are modeled on the WASC schema.
robust reporting (especially compli-
ance reports), and providing reports

Authentication – stealing user account identities

customized for local requirements.

Building a Web Application Security

”
Program Whitepaper
n Brute Force attack automates a process of trial and error to guess a Securosis.com
person’s username, password, credit-card number or cryptographic key.

n Insufficient Authentication permits an attacker to access sensitive
content or functionality without proper authentication.

n Weak Password Recovery Validation permits an attacker to illegally

obtain, change or recover another user’s password.

Authorization – illegal access to applications

n Credential / Session Prediction is a method of hijacking or impersonating
a user.

n Insufficient Authorization permits access to sensitive content or

functionality that should require more access control restrictions.

n Insufficient Session Expiration permits an attacker to reuse old session

credentials or session IDs for authorization.

n Session Fixation attacks force a user’s session ID to an explicit value.

Web Application Security: How to Minimize Prevalent Risks of Attack page 4

Client-side Attacks – illegal execution of foreign code

n Content Spoofing tricks a user into believing that certain content appearing on a web site is legitimate and not
from an external source.

n Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which loads into a
user’s browser.

Command Execution – hijacks control of web application

n Buffer Overflow attacks alter the flow of an application by overwriting parts of memory.

n Format String Attack alters the flow of an application by using string formatting library features to access other
memory space.

n LDAP Injection attacks exploit web sites by constructing LDAP statements from user-supplied input.

n OS Commanding executes operating system commands on a web site by manipulating application input.

n SQL Injection constructs illegal SQL statements on a web site application from user-supplied input.

n SSI Injection (also called Server-side Include) sends code into a web application, which is later executed locally
by the web server.

n XPath Injection constructs XPath queries from user-supplied input.

Information Disclosure – shows sensitive data to attackers

n Directory Indexing is an automatic directory listing / indexing web server function that shows all files in a
requested directory if the normal base file is not present.

n Information Leakage occurs when a web site reveals sensitive data such as developer comments or error
messages, which may aid an attacker in exploiting the system.

n Path Traversal forces access to files, directories and commands that potentially reside outside the web
document root directory.

n Predictable Resource Location uncovers hidden web site content and functionality.
Web Application Security: How to Minimize Prevalent Risks of Attack page 5

Logical Attacks – interfere with application usage

“ The number of vulnerabilities affect-
ing Web applications has grown at a
n Abuse of Functionality uses a web site’s own features and functionality to staggering rate. In 2008, vulnerabili-
consume, defraud or circumvent access control mechanisms. ties affecting Web server applications
accounted for 54 percent of all vul-
n Denial of Service (DoS) attacks prevent a web site from serving normal nerability disclosures and were one
of the primary factors in the overall
user activity.
growth of vulnerability disclosures

n Insufficient Anti-automation is when a web site permits an attacker to

during the year.
”
automate a process that should only be performed manually. IBM X-Force® 2008 Trend & Risk Report

n Insufficient Process Validation permits an attacker to bypass or
circumvent the intended flow of an application.

Detecting Web Application Vulnerabilities

There is no “silver bullet” to detecting web application vulnerabilities. The strategy
for their detection is identical to the multi-layer approach used for security on a
network. Detection and remediation of some vulnerabilities requires source code
analysis, particularly for complex enterprise-scale web applications. Detection of
other vulnerabilities may also require on-site penetration testing. As mentioned
earlier, the most prevalent web application vulnerabilities can also be detected with
an automated scanner.

An automated web application vulnerability scanner both supplements and

complements manual forms of testing. It provides five key benefits:

n Lowers total cost of operations by automating repeatable testing processes

n Identifies vulnerabilities of syntax and semantics in custom web applications
n Performs authenticated crawling
n Profiles the target application
n Ensures accuracy by effective reduction of false positives and false negatives

A scanner does not have access to a web application’s source code, so the only
way it can detect vulnerabilities is by performing likely attacks on the target
application. Time required for scanning varies, but doing a broad simulated attack
on an application takes significantly longer than doing a network vulnerability scan
against a single IP. A major requirement for a web application vulnerability scanner
is comprehensive coverage of the target application’s functionality. Incomplete
coverage will cause the scanner to overlook existing vulnerabilities.
Web Application Security: How to Minimize Prevalent Risks of Attack page 6

QualysGuard WAS Automatically Detects

Major Web Application Vulnerabilities
The QualysGuard Web Application Scanning (WAS) solution is an on demand
service integrated into the QualysGuard security and compliance Security-as-a-
Service (SaaS) suite. Use of the QualysGuard WAS presumes no specialized
knowledge of web security. The service allows a network security or IT administrator
to execute comprehensive, accurate vulnerability scans on custom web applications
such as shopping carts, forms, login pages, and other types of dynamic content.
The broad scope of coverage focuses tests on Web application security.

Key Benefits. WAS automates repeatable techniques used to identify the most
prevalent web vulnerabilities, such as SQL injection and cross-site scripting. It
combines pattern recognition and observed behaviors to accurately identify and
verify vulnerabilities. The WAS service identifies and profiles login forms, session
state, error pages, and other customized features of the target application – even if
it extends across multiple web sites. This site profile data helps WAS to adapt to
changes as the web application matures. Adaptability enables the scanner to be
used against unknown or legacy web applications that may carry little information
about error pages or other behavior. As a result, WAS delivers highly accurate
detection and reduces false positives. The automated nature of Web Application
Scanning enables regular testing that produces consistent results and easily scales
for large numbers of web sites.

Current Features. The table describes comprehensive capabilities in

QualysGuard WAS to assess and track web application vulnerabilities. Qualys
plans to add other features during Q2/Q3 2009.

Crawling & Link Embedded web crawler parses HTML and some
Discovery JavaScript to extract links. Automatically balances
breadth and depth of discovered links to crawl up to
5,000 links per web application.

Authentication HTTP Basic and NTLM server-based authentication.

Simple form authentication.

Black List Prevents crawler from visiting certain links in a web

application.

White List Instructs the crawler to only visit links explicitly defined
in this list.

Performance User-determined bandwidth level for parallel scanning

Tuning to control impact on application performance.

Sensitive Content Enables user-specified expression search for content

in HTML, such as a Social Security Numbers.
Web Application Security: How to Minimize Prevalent Risks of Attack page 7

Reports such as the Web Application Scorecard provide big-picture and drill-down
visibility on vulnerabilities for each web application

Operations. QG WAS is delivered as an on demand service fully integrated with

the QualysGuard solutions already in use by thousands of customers for vulnerability
management and policy compliance. Users can manage web applications, launch
scans, and generate reports with the familiar interface of the QualysGuard web
interface. WAS scans may be pre-scheduled or executed on demand. The WAS
service can be scaled to the largest web applications hosted anywhere in the
world. Account rights management allows an organization to centrally control
which web applications may be scanned by individual users.

Finally, with QualysGuard WAS, at least one person in your organization must be
responsible for managing remediation of vulnerabilities found in your web applications.

Protect Your Web Applications

The QualysGuard Web Application Scanning service will help your organization
immediately begin identifying the most prevalent security vulnerabilities open to
criminal exploit. The scanner will be a powerful supplement to existing security
efforts such as source code analysis and penetration testing. The latter controls are
necessary, but QualysGuard WAS will automate detection testing for the majority of
threats – the kinds you read about when data thieves breach confidential informa-
tion via web applications. In addition to comprehensive testing and accurate
detection, QualysGuard WAS is cost effective. Just like QualysGuard, WAS is an
easy-to-use on demand service allowing administrators to execute scans without
any special knowledge of web application security.
Web Application Security: How to Minimize Prevalent Risks of Attack page 8

QualysGuard WAS trials are available now. General public release is scheduled for
April 2009. If you would like a free trial of the QualysGuard WAS, please contact
Qualys to get started.

About Qualys
Qualys, Inc. is the leading provider of on demand IT security risk and compliance
management solutions – delivered as a service. Qualys’ Software-as-a-Service
solutions are deployed in a matter of hours anywhere in the world, providing
customers an immediate and continuous view of their security and compliance
postures. The QualysGuard® service is used today by more than 3,500 organizations
in 85 countries, including 40 of the Fortune Global 100 and performs more than
200 million IP audits per year. Qualys has the largest vulnerability management
deployment in the world at a Fortune Global 50 company. Qualys has established
strategic agreements with leading managed service providers and consulting
organizations including BT, Etisalat, Fujitsu, IBM, I(TS)2, LAC, SecureWorks,
Symantec, Tata Communications, TELUS and VeriSign.

For more information, please visit www.qualys.com.

USA – Qualys, Inc. • 1600 Bridge Parkway, Redwood Shores, CA 94065 • T: 1 (650) 801 6100 • [email protected]
UK – Qualys, Ltd. • 224 Berwick Avenue, Slough, Berkshire, SL1 4QT • T: +44 (0) 1753 872101
Germany – Qualys GmbH • München Airport, Terminalstrasse Mitte 18, 85356 München • T: +49 (0) 89 97007 146
France – Qualys Technologies • Maison de la Défense, 7 Place de la Défense, 92400 Courbevoie • T: +33 (0) 1 41 97 35 70
Japan – Qualys Japan K.K. • Pacific Century Place 8F, 1-11-1 Marunouchi, Chiyoda-ku, 100-6208 Tokyo • T: +81 3 6860 8296
United Arab Emirates – Qualys FZE • P.O Box 10559, Ras Al Khaimah, United Arab Emirates • T: +971 7 204 1225
www.qualys.com China – Qualys Hong Kong Ltd. • Suite 1901, Tower B, TYG Center, C2 North Rd, East Third Ring Rd, Chaoyang District, Beijing • T: +86 10 84417495

© Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 03/09