Keross: Mitigating Web Application Vulnerabilities
February 2010 by Keross
Today’s push for cost-effective and easily deployable solutions has opened up a world of web applications – applications delivered via the web browser (internet or intranet). Web applications bring some clear advantages – accessibility, ubiquity among web browsers, and the lack of intensive client-side requirements to access them. However, the same flexibility exposes them to a threat that grows in proportion to their reach.
The world has opened itself up to a new range of problems – maintaining confidentiality, integrity and availability in a complex, extensive and easily accessible environment. The number of variables increases with time, and technology is moving faster than software development and patching can keep up. In the IBM Trend & Risk report for 2008, Web applications accounted for 55% of total vulnerability disclosures, with PC software coming second at 20%. This means that Web application vulnerabilities are as widespread as Web applications themselves.
The second problem is that Web application vulnerabilities such as cross-site scripting (XSS), SQL injection, buffer overflow and file-include vulnerabilities tend to fall outside the scope of traditional network security experts. This gap in skill set, coupled with the ease of finding such vulnerabilities – many free tools, including a Firefox plugin, check for SQL injection vulnerabilities – makes this a trickier subject to tackle.
Patch availability for Web applications, 2008: current research also indicates that a large share of Web application vulnerabilities have no vendor-supplied patch to resolve the issue – a staggering 74% in 2008.
Types of vulnerabilities: The Web Conferencing Blog divides web application vulnerabilities into the following general categories:
• Authentication and authorization attacks
• Client-side attacks, such as spoofing and cross-site scripting (XSS)
• Command execution attacks, such as buffer overflow and SQL injection
• Information disclosure attacks, such as directory indexing
• Logical attacks, such as denial of service
Cross-site Scripting (XSS): Cross-site scripting (XSS) vulnerabilities allow attackers to inject script into pages served by the web application, which then runs in the browsers of the users who view those pages. When exploited, such vulnerabilities allow the attacker to bypass access controls. A common example is a phishing attack. As of 2007, these formed 80% of reported vulnerabilities.
Web Application Vulnerabilities by attack method
SQL Injection: A SQL injection vulnerability lets an attacker pass SQL statements or syntax through a Web application's input so that they are executed as part of a query, altering the database or the results of the query.
Buffer overflow: Buffer overflow vulnerabilities allow input to overwrite parts of the memory used by the web application. Exploits of this vulnerability can cause exceptions, segmentation faults and other errors.
File Include: File include vulnerabilities allow attackers to include entire files into existing scripts. This is especially common in scripting languages such as PHP, and is caused by allowing unchecked user data to reach include directives.
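As an added example (not code from the Keross article), the file-include defect just described and its mitigation side by side, written in Python rather than PHP so the check can be run directly; the template directory and the page names are assumed values.

```python
from pathlib import Path

# Assumed location of the application's templates; not taken from the article.
TEMPLATE_DIR = Path("/var/www/app/templates")

# Pages the application actually knows about (constructed allow-list).
ALLOWED_PAGES = {"home", "about", "contact"}


def include_path_unchecked(page: str) -> Path:
    """The defect: the request parameter is spliced straight into the
    include path, so any file the process can read can be pulled in."""
    return TEMPLATE_DIR / f"{page}.php"


def include_path_checked(page: str) -> Path:
    """The mitigation: accept only allow-listed names, then confirm the
    resolved path still sits inside TEMPLATE_DIR before including it."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"unknown page {page!r}")
    base = TEMPLATE_DIR.resolve()
    candidate = (base / f"{page}.php").resolve()
    if base not in candidate.parents:
        raise ValueError("resolved path escaped the template directory")
    return candidate


def stays_inside_template_dir(path: Path) -> bool:
    """Helper used to show what the unchecked version lets through."""
    return TEMPLATE_DIR.resolve() in path.resolve().parents
```

The second check (the resolved-path test) matters even with an allow-list, because it also catches a misconfigured TEMPLATE_DIR or a symlinked template.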
Preventive Mitigation: Before engaging active methods of detecting these vulnerabilities, preventive mitigation must first be performed. Vulnerability management systems should be expanded to include Web application vulnerability mechanisms as well. Various automated tools that focus on web application vulnerabilities can be deployed to help detect and secure against certain vulnerabilities.
According to the Web Application Security Consortium, the selected tools should be able to do the following:
• Link discovery: a good tool should be able to crawl the Web application to extract the links within it.
• Authentication: the tool should be able to authenticate itself on Web application forms.
• Sensitive content: the scanner should be able to identify sensitive content such as credit card numbers, SSNs, etc., and possibly user-defined strings.
Once mechanisms are in place for detecting Web application vulnerabilities, checking for Web site availability is a crucial method of detecting an attack. In addition to preventive means, such tools provide an active check of the current status of Web apps by checking port and site availability as well as round-trip time (RTT), notifying administrators when there are issues with either the availability or the processing time of these applications. These are valuable early indicators of attacks on availability and denial-of-service attacks.
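The port and RTT check described above, as an added example that is not part of the original article: it times a TCP connection, classifies the result as ok, slow or down, and includes a loopback listener so the check can be exercised offline; the alert threshold is an assumed value.

```python
import socket
import time

# Alert threshold is an assumed value for illustration, not from the article.
RTT_WARN_SECONDS = 0.5


def check_endpoint(host: str, port: int, timeout: float = 3.0) -> dict:
    """Open a TCP connection to host:port and time the handshake.

    Returns 'status' as 'ok', 'slow' or 'down', plus the measured RTT in
    seconds (None when down), so a caller can page an administrator on
    either an availability or a response-time problem.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            rtt = time.monotonic() - start
    except OSError:
        return {"status": "down", "rtt": None}
    return {"status": "slow" if rtt > RTT_WARN_SECONDS else "ok", "rtt": rtt}


def needs_alert(result: dict) -> bool:
    """Anything other than a healthy, fast endpoint is worth a notification."""
    return result["status"] != "ok"


def open_local_listener() -> socket.socket:
    """Start a throw-away listener on the loopback interface so the check can
    be exercised offline; the chosen port is available via getsockname()[1]."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    srv = open_local_listener()
    port = srv.getsockname()[1]
    print("listener up:", check_endpoint("127.0.0.1", port))
    srv.close()
    print("listener down:", check_endpoint("127.0.0.1", port))
```

A real deployment would run check_endpoint on a schedule against each application's host and port and keep the RTT history, since a rising trend is the early indicator the article refers to.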
Business Continuity Plan
In addition to attack detection, a business continuity plan with fault-tolerant systems should be implemented. This means that even after an attack, the business can continue to operate while safeguards are being determined. A BCP is crucial to the functioning of the organization as well as to mitigating risk in the form of time, resources and money.
Implementing a strong mitigation process requires appropriate procedures and guidelines to be established. Such procedures will ensure that the vulnerability management system is used frequently and efficiently, and that the necessary actions are taken after each scan to mitigate the vulnerabilities themselves. Standard Operating Procedures, Vulnerability Mitigation Processes and Disaster Recovery Plans should be written, validated, in action and audited. Security managers need to take on a more strategic role, establishing strong mechanisms as well as a strong legal and contractual framework that allows for independent audits, compliance and best practices while maintaining data privacy, control and ownership.
A strong penetration testing program geared towards security issues with Web applications is the next step. Such a testing program will ensure that the preventive and proactive methods are in place, in use and effective. A pen-testing program will provide an independent and thorough investigation of the processes in place. A good penetration testing program should check for:
• Known vulnerabilities
• Technical vulnerabilities (as described above)
• Business logic errors (unauthorized fund transfer, personal information modification)
Overall Network Security Processes
The best security model is always defense in depth. While activities geared towards mitigation of web application vulnerabilities are essential, the general security program must also be re-assessed. Vulnerability management systems, mitigation and business continuity plans should be updated and current. Infrastructure management systems should be checked and controls updated to ensure that attacks are detected quickly and fail-over is smooth.
There is no doubt that Web applications today are widespread, and that vulnerabilities specific to Web applications form a separate category of their own. 74% of Web application vulnerabilities last year did not have a vendor-supplied patch – this highlights the danger where technology is fast out-growing the software development cycle.
Security managers today have to align themselves to dealing with a new wave. A mitigation approach needs to be comprehensive and proactive; the plan must look to cover preventive methods by using automated and manual tests, proactive action upon detection of an attack as well as a strong business continuity plan in the event of an attack or failure.
Sample Web Application scan results
At Keross, our Vigilant 360 Security Suite looks after on-going Vulnerability Management, now also including Web Application Scanning. Scanners provide inference-based scanning checks for specific Web application vulnerabilities, providing detailed reports for XSS, SQL injection and file includes. In addition to confidentiality and integrity, we provide detailed availability and performance checks to ensure that if there’s a problem, you are aware of it immediately and can take measures right away. We stay comprehensive, so you can relax.