Application Security

Summary: the document discusses challenges in web application security. It notes that 64% of the security incidents tracked targeted port 80, where web traffic occurs. Web applications are vulnerable because new code is not tested properly, third-party code has flaws, and traditional network security does not protect web applications. The solution the deck proposes is a web application firewall in front of the web servers, alongside secure development practices and automated testing.

Uploaded by Ihab Abdullah. Copyright: All Rights Reserved.

F5 Application Security

Radovan Gibala
Field Systems Engineer
[email protected]
+420 731 137 223

2007

Agenda
Challenge Web security – What are the problems?
Building blocks of Web Applications
Vulnerabilities and protection strategies
Web security with a Web Application Firewall (WAF)
Security Policy Setups
Deployment Methods
Attacking the Application
How to mitigate the risk in Web Applications with ASM

Market Trends: Webalization of Critical Applications

Mission-Critical Applications
– ERP, CRM, SCM, with access from the Internet
Business-Critical Applications
– Advantages of voice, data and video integration
– Profitability increase
Data Centre Consolidation
– Centralization of applications and access from the Internet
XML-based Web Services
– B2B business processes over Web Services / XML (private?)
Mobile Applications
– Access and usage of applications from mobile devices

Security's Gaping Hole

"64% of the 10 million security incidents tracked targeted port 80."
– Information Week

Web Application Security

Perimeter security is strong, but it is open to web traffic on port 80 and port 443. Attacks now look to exploit application vulnerabilities:
– Buffer Overflow
– Cross-Site Scripting
– SQL/OS Injection
– Cookie Poisoning
– Hidden-Field Manipulation
– Parameter Tampering
What the attacker gets through that hole: non-compliant information, and forced access to infrastructural information. High information density = high-value attack.

Why Are Web Applications Vulnerable?
New code written to best-practice methodology, but not tested properly
New type of attack not protected by current methodology
New code written in a hurry due to business pressures
Code written by third parties; badly documented, poorly tested, third party no longer available
Flaws in third-party infrastructure elements
Session-less web applications written with a client-server mentality

Solution Sentences for Application Security

Make bug-free applications
Network firewalls + marketing
Tools in the web servers
Infrastructure solutions

Traditional Alternative: Rely Exclusively on the Developer

The developer is expected to deliver all of: Application Logic, Application Patching, Application Security, Application Optimization, Application Integration, Application Scalability, Application Performance, Application Availability.
1 + 1 = 2

Web Application Protection Strategy

Best Practice Design Methods
– Only protects against known vulnerabilities
– Difficult to enforce, especially with sub-contracted code
– Only periodically updated; large exposure window

Automated & Targeted Testing
– Done periodically; only as good as the last test
– Only checks for known vulnerabilities
– Does it find everything?

Web Application Firewall
– Real-time 24 x 7 protection
– Enforces best-practice methodology
– Allows immediate protection against new vulnerabilities

Web Applications Increasingly Under Attack
High information density in the core
Flaws in applications & 3rd-party software
Traditional security does not protect web apps
Gaping hole in perimeter security for web traffic
SANS (November 2006) - Top Vulnerabilities in Cross-Platform Applications
C1. Backup Software
C2. Anti-virus Software
C3. PHP-based Applications (50% of all Apache installations worldwide use PHP!)
C4. Database Software
...
C6. DNS Software
...
C9. Mozilla and Firefox Browsers
...

Application Security Litmus Test ...or: "The Point of Truth"

Simple version:
– Does your WAF discover that the price of an item in an online shop was changed?

Technical version:
– OWASP Top Ten, 2004 edition (http://www.owasp.org/index.php/OWASP_Top_Ten_Project)
1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Session Management
4. Cross Site Scripting
5. Buffer Overflow
6. Injection Flaws
7. Improper Error Handling
8. Insecure Storage
9. Application Denial of Service
10. Insecure Configuration Management

OWASP Top 10 / January 2007

A1 – Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, etc.
A2 – Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
A3 – Insecure Remote File Include: Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
A4 – Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
A5 – Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.
A6 – Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration or internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to violate privacy, or conduct further attacks.
A7 – Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
A8 – Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
A9 – Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
A10 – Failure to Restrict URL Access: Frequently, the only protection for sensitive areas of an application is that links or URLs are not presented to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations.
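The following is an added example and not part of the F5 deck: A1 and A2 from the list above, each shown as the vulnerable pattern beside its fix, using only Python's built-in sqlite3 and html modules. The users table, its two rows and the attack strings are constructed for the example.

```python
"""A1 (XSS) and A2 (SQL injection): vulnerable handler next to the fixed one.
Everything here is constructed sample data; nothing is taken from a real site."""
import html
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """In-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """A2: user input is concatenated into the query, so the SQL interpreter
    sees the attacker's quote and operators as part of the command."""
    query = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """A2 fix: the value is bound as a parameter and never reaches the SQL
    parser, so a quote inside it is just a character in the name."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()


def render_vulnerable(name: str) -> str:
    """A1: user data written into the page unencoded; a <script> tag in the
    name runs in every visitor's browser."""
    return f"<p>Hello {name}</p>"


def render_fixed(name: str) -> str:
    """A1 fix: HTML-encode the data for the context it lands in (element
    text here); quote=True also neutralises it inside attribute values."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = build_db()
    payload = "alice' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))  # every row leaks
    print("fixed:     ", lookup_fixed(db, payload))       # no such user
    print(render_vulnerable("<script>alert(1)</script>"))
    print(render_fixed("<script>alert(1)</script>"))
```

The first lookup returns both rows because the quote in the input closes the string literal and `OR '1'='1'` makes the predicate true for every row; the bound version returns nothing because no user is literally named `alice' OR '1'='1`. The same split applies to XSS: the encoded output still shows the attacker's text, but as text rather than markup.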

n-tier Web Application Layer (slide shows the tier diagram only)

Where does Application Security make Sense?

Option 1 – Application Core Functionality (security built into each application)
Pros:
• Very specific to each application type and vendor
Cons:
• Complex to manage
• Costly to implement inside each application
• Error-prone
• Inefficient and reactive

Option 2 – Router (Routing, ACL, Packet Filtering)
Pros:
• First point of entry
• High performance
Cons:
• Zero application fluency
• Wrong location
• No support for SSL
• Too little and expensive processing power

Option 3 – Network Firewall (Network Layer Security, Stateful Inspection)
Pros:
• Experienced in network security
• Has some session & application protocol awareness
Cons:
• No application fluency
• Out in the DMZ / wrong location
• Not optimized for L7 processing
• Cannot filter encrypted content
• Less focus on SSL

Option 4 – Application Security, Optimization & Delivery (BIG-IP LTM with Application Security Manager: Application Layer Security, Acceleration, Session Layer Security & Availability)
Pros:
• Application fluent
• Already used as SSL proxy for applications
• Layer 7 processing
• Stronger support for L7 protocol validation
• Perfect location directly in front of applications and servers
Cons:
• Less focus on Layer 2/3 security

"A combined application delivery controller and Web application firewall, rather than stand-alone products, provides a single-vendor relationship and performance improvements." – Gartner Research

Traditional Security Doesn't Protect Web Applications
Looking at the wrong thing in the wrong place

Threat                              | Application Firewall | Network Firewall | IPS
Known Web Worms                     | ✓                    | Present          | Present
Unknown Web Worms                   | ✓                    | Present          | Present
Known Web Vulnerabilities           | ✓                    | Present          | Present
Unknown Web Vulnerabilities         | ✓                    | Present          | Present
Illegal Access to Web-server files  | ✓                    | Present          | Present
Forceful Browsing                   | ✓                    | Present          | Present
File/Directory Enumerations         | ✓                    | Present          | Present
Buffer Overflow                     | ✓                    | Present          | Present
Cross-Site Scripting                | ✓                    | Present          | Present
SQL/OS Injection                    | ✓                    | Present          | Present
Cookie Poisoning                    | ✓                    | X                | X
Hidden-Field Manipulation           | ✓                    | X                | X
Parameter Tampering                 | ✓                    | X                | X

Application Security with a WAF

Browser → WAF → application. The WAF allows legitimate requests and stops bad requests: unauthorised access, unauthorised access to infrastructural intelligence, and non-compliant information.

Bi-directional:
– Inbound: protection from generalised & targeted attacks
– Outbound: content scrubbing & application cloaking
Application content & context aware
High performance, low latency, high availability, high security
Policy-based full proxy with deep inspection & Java support
Positive security augmenting negative security
Central point of application security enforcement

Application Security with a WAF: Intelligent Decisions

Allow only good application behaviour: positive security.
The policy, sitting between the browser and the application, is the definition of good and bad behaviour.

Negative vs. Positive Security Model

Negative Security Model
– Block known attacks
– Everything else is allowed
– Signature patches are quick and easy to implement; this is how protection against a day-zero attack is added once the attack is known

Positive Security Model
– (Automatic) analysis of the web application
– Allow wanted transactions
– Everything else is denied
– Implicit security against new, yet unknown attacks (day-zero attacks)

Flexible Policy Granularity

Search for: 'command injection'

The single quote is a command delimiter:
• Best practice is to disallow it in parameters wherever possible
• Easiest to achieve with a generic policy applied to the whole site
BUT . . .

User Name: O'Connor

The single quote is needed in some parameters:
• Need to be able to selectively relax the policy, e.g. a single quote is allowed in this parameter
• Need to limit its use within the relaxed policy, e.g. only one single quote is allowed in this parameter
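Added example, not F5's code and not from the deck: a small request-parameter policy engine that puts the negative model of the previous slide (block known signatures, allow the rest) next to the positive model (allow only what the policy describes), and shows the selective relaxation this slide asks for, a generic "no single quote" rule relaxed to "at most one single quote" for the username parameter. The parameter names, the policy and the sample requests are constructed; the signature list is deliberately short, which is exactly the weakness the positive model covers.

```python
"""Negative vs. positive parameter policy with per-parameter relaxation.
Policy, parameter names and requests are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Negative model: signatures of attacks that are already known.
ATTACK_SIGNATURES = [
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),  # ' OR '1'='1
    re.compile(r"union\s+select", re.IGNORECASE),                # UNION SELECT
    re.compile(r"<script\b", re.IGNORECASE),                     # <script>
]


def negative_check(value: str) -> Optional[str]:
    """Return the pattern of the first matching signature, or None."""
    for sig in ATTACK_SIGNATURES:
        if sig.search(value):
            return sig.pattern
    return None


@dataclass
class ParamRule:
    """Positive-model description of one parameter's legal values."""
    pattern: re.Pattern         # the shape a legal value must have
    max_len: int = 64
    max_single_quotes: int = 0  # 0 is the generic site-wide "no quote" rule


# Generic rule for the whole site: letters, digits, a little punctuation.
GENERIC = ParamRule(pattern=re.compile(r"^[A-Za-z0-9_. -]*$"))

# Constructed policy for a hypothetical shop (names are assumptions).
POLICY: Dict[str, ParamRule] = {
    "search": GENERIC,
    "item_id": ParamRule(pattern=re.compile(r"^\d{1,8}$"), max_len=8),
    # Selectively relaxed: names such as O'Connor need a quote, but only one.
    "username": ParamRule(pattern=re.compile(r"^[A-Za-z' -]*$"),
                          max_single_quotes=1),
}


def positive_check(params: Dict[str, str]) -> List[str]:
    """Return every violation of the positive policy; empty means allowed."""
    violations: List[str] = []
    for name, value in params.items():
        rule = POLICY.get(name)
        if rule is None:
            violations.append(f"{name}: parameter not described by the policy")
            continue
        if len(value) > rule.max_len:
            violations.append(f"{name}: longer than {rule.max_len} characters")
        quotes = value.count("'")
        if quotes > rule.max_single_quotes:
            violations.append(f"{name}: {quotes} single quote(s), "
                              f"{rule.max_single_quotes} allowed")
        if not rule.pattern.fullmatch(value):
            violations.append(f"{name}: value is not of the allowed form")
    return violations


def evaluate(params: Dict[str, str]) -> Tuple[str, str]:
    """Verdict of each model for one request: (negative, positive)."""
    known_attack = any(negative_check(v) for v in params.values())
    violations = positive_check(params)
    return ("BLOCK" if known_attack else "ALLOW",
            "BLOCK" if violations else "ALLOW")


if __name__ == "__main__":
    for req in ({"username": "O'Connor", "item_id": "42"},
                {"username": "x' OR '1'='1", "item_id": "42"},
                {"username": "O'Connor; DROP TABLE users--", "item_id": "42"},
                {"search": "O'Connor"}):
        print(req, "-> negative/positive:", evaluate(req))
```

The third request is the interesting one: nothing in the signature list matches it, so the negative model lets it through, while the positive model rejects it because `;` and `-` are outside the allowed form for a username. The fourth shows the generic rule still applying to a parameter that was not relaxed: the same name that is fine in `username` is a violation in `search`.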

Support of dynamic values (slide shows a diagram only)

Example: SAP Application

Protect the session information in the URI
– https://saptest.xyz.de/sap(bD1kZSZjPTAxMA==)/...

Protect dynamic parameter names and values
– &Tdokfilter_subdok_dokstrukturK2_Y123456789103459185=F
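Added example, not part of the deck and not F5's implementation: one way a WAF supports dynamic values, as on the "Support of dynamic values" slide and this SAP slide, and thereby answers the "point of truth" question earlier (does the WAF notice that a shop price was changed?). The guard learns hidden-field names and values and the session token in the URI from the server's own response, then enforces them on the client's next request, so a dynamic parameter name the policy could never list in advance is still protected. The shop page, the checkout path, the client identifier and the field names other than the SAP-style one quoted above are constructed.

```python
"""Learn dynamic names/values from a response, enforce them on the next request.
Shop page, paths and client ids are constructed for this example."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Set

# Session token carried in the path, SAP style: /sap(<token>)/...
SESSION_IN_PATH = re.compile(r"/sap\(([A-Za-z0-9+/=]+)\)/")


class FormExtractor(HTMLParser):
    """Collect hidden fields (name -> value) and the names of editable fields."""

    def __init__(self) -> None:
        super().__init__()
        self.hidden: Dict[str, str] = {}
        self.editable: Set[str] = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag != "input" or not a.get("name"):
            return
        kind = a.get("type", "").lower()
        if kind == "hidden":
            self.hidden[a["name"]] = a.get("value", "")
        elif kind != "submit":
            self.editable.add(a["name"])


class DynamicValueGuard:
    """Per-client memory of what the server issued, checked on the next request."""

    def __init__(self) -> None:
        self.issued: Dict[str, FormExtractor] = {}
        self.tokens: Dict[str, str] = {}

    def observe_response(self, client: str, path: str, body: str) -> None:
        """Outbound direction: remember the form and URI token sent to this client."""
        extractor = FormExtractor()
        extractor.feed(body)
        self.issued[client] = extractor
        match = SESSION_IN_PATH.search(path)
        if match:
            self.tokens[client] = match.group(1)

    def check_request(self, client: str, path: str, form: Dict[str, str]) -> List[str]:
        """Inbound direction: return violations; an empty list means pass it on."""
        violations: List[str] = []
        match = SESSION_IN_PATH.search(path)
        if match and match.group(1) != self.tokens.get(client):
            violations.append("URI session token differs from the one issued")
        issued = self.issued.get(client)
        if issued is None:
            return violations + ["no form was issued to this client"]
        for name, value in form.items():
            if name in issued.hidden:
                if value != issued.hidden[name]:
                    violations.append(f"{name}: server sent {issued.hidden[name]!r}, "
                                      f"client returned {value!r}")
            elif name not in issued.editable:
                violations.append(f"{name}: parameter was never issued by the server")
        for name in issued.hidden:
            if name not in form:
                violations.append(f"{name}: hidden field missing from request")
        return violations


# Constructed shop page; the long parameter name is the SAP-style one from the slide.
SHOP_PAGE = """<html><body>
<form action="/sap(bD1kZSZjPTAxMA==)/shop/checkout" method="post">
  <input type="hidden" name="item_id" value="4711">
  <input type="hidden" name="price" value="199.00">
  <input type="hidden" name="Tdokfilter_subdok_dokstrukturK2_Y123456789103459185" value="F">
  <input type="text" name="quantity" value="1">
  <input type="submit" value="Buy">
</form></body></html>"""

if __name__ == "__main__":
    guard = DynamicValueGuard()
    guard.observe_response("client-1", "/sap(bD1kZSZjPTAxMA==)/shop/item/4711", SHOP_PAGE)
    honest = {"item_id": "4711", "price": "199.00", "quantity": "2",
              "Tdokfilter_subdok_dokstrukturK2_Y123456789103459185": "F"}
    print("honest:  ", guard.check_request("client-1", "/sap(bD1kZSZjPTAxMA==)/shop/checkout", honest))
    print("tampered:", guard.check_request("client-1", "/sap(bD1kZSZjPTAxMA==)/shop/checkout",
                                           dict(honest, price="1.00")))
```

The user-editable `quantity` may change freely; `price` and the SAP-style parameter are hidden, so any value other than the one the server sent is a violation, and a token in the URI that the server never issued to this client is rejected before the form is even looked at. This is the outbound/inbound pairing the "Bi-directional" slide describes: the WAF has to see the response to know what the next request may contain.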

Selective Application Flow Enforcement

Login page (Username, Password) → account page (From Acc., To Acc., $ Amount) → Transfer: ALLOWED when the pages are reached in that order.
Entering a later page directly: VIOLATION?
• Should this be a violation? The user may have bookmarked the page!
• Unnecessarily enforcing flow and parameter validation can lead to false positives.
• This part of the site is a financial transaction that requires authentication; here we should enforce strict flow.
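Added example, not from the deck: a tiny flow-enforcement policy that makes the trade-off on this slide concrete. Pages that may be bookmarked are entry points, the money-transfer pages carry a strict predecessor rule, and everything else only needs an authenticated session. The URL names, the assumption that a request to the login page succeeds, and the request sequences are constructed.

```python
"""Selective application-flow enforcement over a client's request sequence.
Paths and session behaviour are constructed for this example."""
from typing import Dict, List

# Pages a user may open directly: bookmark, typed URL, link from elsewhere.
ENTRY_POINTS = {"/login", "/accounts", "/help"}

# Pages that need an authenticated session.
AUTH_REQUIRED = {"/accounts", "/profile", "/transfer/form", "/transfer/confirm"}

# Strict flow, only for the financial transaction: the page on the left is
# legal only if the session's previous page was one of those on the right.
STRICT_FLOW = {
    "/transfer/form": {"/accounts", "/transfer/confirm"},
    "/transfer/confirm": {"/transfer/form"},
}


def check_request(session: Dict[str, object], path: str) -> str:
    """Return 'ALLOWED' or a 'VIOLATION: ...' string and advance the session."""
    if path in AUTH_REQUIRED and not session.get("authenticated"):
        return "VIOLATION: authentication required"
    previous = session.get("last")
    if path in STRICT_FLOW:
        if previous not in STRICT_FLOW[path]:
            return f"VIOLATION: {path} entered out of flow (previous page {previous})"
    elif path not in ENTRY_POINTS and previous is None:
        # A page that is neither an entry point nor strictly ordered still
        # needs some history; this is the lighter, site-wide rule.
        return f"VIOLATION: {path} is not an entry point"
    if path == "/login":
        session["authenticated"] = True  # constructed: assume the login succeeds
    session["last"] = path
    return "ALLOWED"


def run(requests: List[str]) -> List[str]:
    """Replay one client's requests against a fresh session."""
    session: Dict[str, object] = {}
    return [check_request(session, p) for p in requests]


if __name__ == "__main__":
    for seq in (["/login", "/accounts", "/transfer/form", "/transfer/confirm"],
                ["/login", "/transfer/confirm"],              # bookmarked confirm page
                ["/login", "/accounts", "/help", "/transfer/form"]):
        print(seq, "->", run(seq))
```

The second sequence is the case the slide wants caught: the confirmation page of a transfer reached without passing through the form. The third is the false positive the slide warns about: a user who looked at the help page between the account list and the transfer form is blocked, which is why strict flow is applied selectively rather than to the whole site.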

XML Firewall
Well-formedness validation
Schema/WSDL validation
Method selection
Attack signatures for XML platforms
Backend parser protection
XML islands application protection
Full request logging
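Added example, written here rather than taken from F5: the request-side checks in the list above as a small Python filter over SOAP messages. It refuses DTD and entity declarations before any parser sees the document (that is the backend-parser protection: XXE and entity-expansion attacks both need a DTD), checks well-formedness, caps nesting depth and size, and allows only the listed methods in the expected namespace. The SOAP 1.1 envelope namespace is real; the service namespace, the method allowlist, the limits and the sample messages are constructed. Full schema/WSDL validation is not shown because Python's standard library has no XML Schema validator.

```python
"""Request-side XML firewall checks using only the standard library.
Service namespace, allowlist, limits and sample messages are constructed."""
import xml.etree.ElementTree as ET
from typing import List

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope
SERVICE_NS = "urn:example:shop"                         # constructed
ALLOWED_METHODS = {"GetItem", "ListItems"}              # constructed allowlist
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32


def _depth(root: ET.Element) -> int:
    """Deepest nesting level of the tree, computed without recursion."""
    deepest, stack = 1, [(root, 1)]
    while stack:
        element, level = stack.pop()
        deepest = max(deepest, level)
        stack.extend((child, level + 1) for child in element)
    return deepest


def xml_firewall(payload: bytes) -> List[str]:
    """Return the reasons to reject the request; an empty list means forward it."""
    if len(payload) > MAX_BYTES:
        return ["payload exceeds size limit"]
    # A DTD is what XXE and "billion laughs" need; refuse it before parsing so
    # neither this parser nor the backend's ever expands an entity.
    upper = payload.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        return ["DTD or entity declaration not allowed"]
    try:
        root = ET.fromstring(payload)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    reasons: List[str] = []
    if _depth(root) > MAX_DEPTH:
        reasons.append("nesting deeper than limit")
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return reasons + ["root element is not a SOAP Envelope"]
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) != 1:
        return reasons + ["Body must contain exactly one method element"]
    namespace, _, method = body[0].tag.rpartition("}")
    namespace = namespace.lstrip("{")
    if namespace != SERVICE_NS or method not in ALLOWED_METHODS:
        reasons.append(f"method {method!r} in namespace {namespace!r} is not allowed")
    return reasons


# Constructed sample messages.
GOOD = (b'<?xml version="1.0"?>'
        b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><m:GetItem xmlns:m="urn:example:shop"><m:id>4711</m:id>'
        b'</m:GetItem></soap:Body></soap:Envelope>')
BAD_METHOD = GOOD.replace(b"GetItem", b"DeleteItem")
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
       b'<soap:Body><m:GetItem xmlns:m="urn:example:shop"><m:id>&xxe;</m:id>'
       b'</m:GetItem></soap:Body></soap:Envelope>')
MALFORMED = b"<a><b></a>"
DEEP = b"<a>" * 40 + b"</a>" * 40

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("bad method", BAD_METHOD), ("xxe", XXE),
                       ("malformed", MALFORMED), ("deep", DEEP)):
        print(f"{label:11s} -> {xml_firewall(msg)}")
```

The order of the checks matters: size and DTD are decided on the raw bytes, because a parser that has already expanded `&xxe;` or a nested entity bomb has done the attacker's work for you. Everything after that operates on a tree the parser has already accepted as well-formed.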

Flexible Deployment Options

Policy tightening, from the typical 'standard' starting point up to the tightest security posture:
OBJECT TYPES → OBJECT NAMES → PARAMETER NAMES → PARAMETER VALUES → OBJECT FLOWS → POLICY TIGHTENING SUGGESTIONS

Policy-Building Tools
• "Trusted IP" Learning
• Live Traffic Learning
• Crawler
• Negative RegEx
• Template

Flexible Policy Granularity

Generic Policies - Policy per object type
– Low number of policies
– Quick to implement
– Requires little change management
– Can't take application flow into account

Specific Policies – Policy per object
– High number of policies
– More time to implement
– Requires a change management policy
– Can enforce application flow
– Tightest possible security
– Protects dynamic values

The optimum policy is often a hybrid.

WAF deployment with the BIG-IP LTM & ASM

Internet → Firewall → BIG-IP with ASM → Web Servers
Management access via browser
ASM = Application Security Manager

Link Collection www.f5.com

Overall: www.f5.com
Technical: ask.f5.com, devcentral.f5.com

F5 University: www.f5university.com/
» Login: your email
» Password: adv5tech
Partner Information:
www.f5.com/partners
www.f5.com/training_services/certification/certFAQ.html
Gartner Report: http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html

Important deployment information is available at http://www.f5.com/solutions/deployment/

Data Center Virtualization: http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
Application Traffic Management: http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
Application Briefs: http://www.f5.com/solutions/applications/
Solution Briefs: http://www.f5.com/solutions/sb/
F5 Compression and Cache Test: http://www.f5demo.com/compression/index.php
F5 iControl Alliance Partners: http://www.f5.com/solutions/partners/iControl/
F5 Technology Alliance Partners: http://www.f5.com/solutions/partners/tech/

Let us know if you need any clarification or have any further questions.

F5 is the Global Leader in Application Delivery Networking

Users (at home, in the office, on the road) → Application Delivery Network → Data Centre (SAP, Microsoft, Oracle)

Business goal: achieve these objectives in the most operationally efficient manner