Protecting Against Web Attacks

Post on 22-Jan-2018


Transcript of Protecting Against Web Attacks

PROTECTING AGAINST WEB APP ATTACKS

Stephen Coty

Chief Security Evangelist, Alert Logic

Threats by Customer Environment

CMS Specific Attacks

• OpenSource Platforms

• High concentration of vulnerabilities within these web frameworks

• High usage and easy asset visibility via web search

• Availability of automated exploit kits combined with advanced search queries via simple methods like Google Dorks

SQL Injection Last 60 Days - 091217

Profile - Inj3ct0r Team

Figure: Vulnerabilities + Change + Shortage

Complexity of defending web applications and workloads

Risks are moving up the stack

1. Wide range of attacks at every layer of the stack

2. Rapidly changing codebase can introduce unknown vulnerabilities

3. Exposure inherited from 3rd party development tools

4. Extreme shortage of cloud and application security expertise

Web App Attacks - OWASP Top 10

Platform / Library Attacks

System / Network Attacks

Perimeter & end-point security tools fail to protect cloud attack surface

Web Apps

Server-side Apps

App Frameworks

Dev Platforms

Server OS

Hypervisor

Databases

Networking

Cloud Management

Web Application Security


Web Application Vulnerability Example

CVE-1999-0278 – in IIS, remote attackers can obtain source code for ASP files by appending “::$DATA” to the URL

Patch MS98-003


HACKER RECON METHODS

Hacker Recon Methods

Crawling Target Website

Mass Vulnerability Crawl

Open Forums

Dark Web


Crawling Target Website

• Manual - Browse the website as a normal user

- Gather email addresses, related domains and domain info

- Web application code language

o Revision

o Plug-ins

- Web server OS

- User input pages

- Directory structure

- Backend systems

• Software tools - Find hidden forms, software version, js files, links and comments
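The "software tools" step above, as an added example that is not part of the original deck: a small recon extractor built on the Python standard library that pulls out of one page the artefacts the slide lists (forms and their hidden inputs, script files with version strings, links, HTML comments, and the generator meta tag). The HTML it parses is constructed for this example, so it runs offline; against a real target you would feed it the fetched page body.

```python
"""Added example (not from the original deck): recon extraction from one
HTML page using only html.parser. SAMPLE_HTML is a constructed page that
stands in for a crawled target."""
from html.parser import HTMLParser

# Constructed sample page (hypothetical target); the comment, hidden form
# field and version strings are the kind of leakage a crawler looks for.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.9.1">
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<!-- TODO: remove debug endpoint /admin/debug.php before launch -->
</head><body>
<a href="/wp-login.php">Login</a>
<a href="https://partner.example.net/api">Partner</a>
<form action="/wp-admin/admin-ajax.php" method="post">
  <input type="hidden" name="action" value="export_users">
  <input type="text" name="q">
</form>
</body></html>"""


class ReconExtractor(HTMLParser):
    """Collect forms (with hidden fields), script sources, links, comments
    and generator/version hints from one HTML document."""

    def __init__(self):
        super().__init__()
        self.forms = []          # dicts: action, method, inputs
        self.scripts = []        # <script src=...> values (often carry ?ver=)
        self.links = []          # <a href=...> values, incl. third-party hosts
        self.comments = []       # HTML comments frequently leak paths and notes
        self.generators = []     # <meta name="generator"> content values
        self._current_form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current_form = {"action": a.get("action") or "",
                                  "method": (a.get("method") or "get").lower(),
                                  "inputs": []}
            self.forms.append(self._current_form)
        elif tag == "input" and self._current_form is not None:
            self._current_form["inputs"].append(
                {"name": a.get("name") or "", "type": (a.get("type") or "text").lower(),
                 "value": a.get("value") or ""})
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generators.append(a.get("content") or "")

    def handle_startendtag(self, tag, attrs):
        # <input ... /> style self-closing tags go through the same logic
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form = None

    def handle_comment(self, data):
        self.comments.append(data.strip())


def recon(html):
    """Parse one page and return its recon artefacts as a dict."""
    p = ReconExtractor()
    p.feed(html)
    p.close()
    hidden = [(f["action"], i["name"], i["value"])
              for f in p.forms for i in f["inputs"] if i["type"] == "hidden"]
    return {"forms": p.forms, "hidden_inputs": hidden, "scripts": p.scripts,
            "links": p.links, "comments": p.comments, "generators": p.generators}


if __name__ == "__main__":
    for key, val in recon(SAMPLE_HTML).items():
        print(key, val)
```

The hidden `action=export_users` field and the `/admin/debug.php` path in the comment are exactly the "user input pages" and "backend systems" hints the manual step hunts for; running the extractor over every crawled page gives a target list for the vulnerability scan that follows.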

Targeted Attacks

• Scanning IP Internet Assets

• Application/Network Vulnerability Scan

• Careers Page

• Research Technologies

• Social Media Profiling

• Phishing Email

• Escalate Privileges

• Maintain Access

• Exfiltration of Data

Attacks of Opportunity

• Vulnerability Database Monitoring

• Block Network Vulnerability Scanning

• Google Dorking

• Shodan

• Application Vulnerability Scan

Mass Vulnerability Crawl - Example

• Google Dorking – (aka Google hacking) Uses the search engine to find difficult information using complex, detailed search queries

- Plug in search string to find vulnerable websites

- Some have preset search strings

- Search results are dynamic

- Timing is everything

o Target system could be patched

o Other hackers got there first

Open Forums - Example

• Vulnerability details

- Date reported

- Type of vulnerability

- Platform impacted

- Author (not shown)

- Verification (time permitting)

- Link to affected application (some)

Targeted - Dark Web

• Encrypted network

• Restricted access between Tor servers and clients

• Collection of DBs and communication channels

• Hidden from conventional search engines

• Shares some features with Open Forums

• More advanced resources and tools

FROM WEB APPS TO PRIVILEGED ACCESS

Privileged Access For Your Resources

• Mostly Corporate Espionage and State Sponsored

- Utilize Current Access to the Environment

- Create Remote Access Services

- Create Temporary Storage

- Create Scheduler

- Open Security Groups for Transmissions

- Receive and Deliver Data Regularly

Privileged Access For Your Data

• Code analysis

- Account information

o Usernames and passwords

o Plain text or hashed

- Software tools

o Web search

o Scan to identify

• Usernames & passwords

o Brute force or dictionary attack to crack password hashes

o Throttle tools to avoid detection

o Offline may be an option
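The "code analysis" and "scan to identify" items above, as an added example that is not part of the original deck: a scanner that walks source text for account material and tells plain-text secrets apart from stored hashes, which is what decides whether the attacker has to crack anything at all (and, run by the defender before commit, what should never have reached the repository). The source fragments and the bcrypt-shaped string are constructed for this example; the regexes are deliberately simple and will miss secrets stored in other shapes.

```python
"""Added example (not from the original deck): find credentials in source
text and classify each as plaintext or a recognised hash format.
SAMPLE_SOURCES is a constructed set of files."""
import re

# Constructed source fragments, as a scanner would see them in a repo.
# The md5 is md5("password"); the bcrypt-shaped value is made up.
SAMPLE_SOURCES = {
    "config.php": 'define("DB_USER", "appadmin");\n'
                  'define("DB_PASSWORD", "Summer2017!");\n',
    "users.sql": "INSERT INTO users VALUES ('bob', "
                 "'5f4dcc3b5aa765d89d1b1db7aaa3c4d4');\n",
    "auth.py":   'ADMIN_HASH = "$2b$12$KIXw7f0V8t9fX4wH1R5c/.k8u5xN4m0Z1q2e3r4t5y6u7i8o9p0aQ"\n'
                 'api_token = "tok_EXAMPLE_a1b2c3d4e5"\n',
    "readme.md": "Set the password in the environment, never in code.\n",
}

# Hash formats we recognise; any other quoted value next to a secret
# keyword is treated as plain text.
HASH_PATTERNS = [
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
]

# keyword, optional closing quote, separator (= : , =>), quoted value.
# Matches define("DB_PASSWORD", "x"), password = 'x', api_token: "x".
SECRET_ASSIGN = re.compile(
    r"""(?i)\b(\w*(?:passw(?:or)?d|secret|token|hash)\w*)\b['"]?\s*(?:=>|=|:|,)\s*['"]([^'"\n]+)['"]""")
USER_ASSIGN = re.compile(
    r"""(?i)\b(\w*user(?:name)?\w*)\b['"]?\s*(?:=>|=|:|,)\s*['"]([^'"\n]+)['"]""")
# Seed data / dumps: INSERT INTO t VALUES ('user', 'secret', ...)
SQL_ROW = re.compile(
    r"""INSERT\s+INTO\s+\w+\s+VALUES\s*\(\s*'([^']+)'\s*,\s*'([^']+)'""", re.I)


def classify(value):
    """Return 'hash:<algo>' for a recognised hash format, else 'plaintext'."""
    for name, pat in HASH_PATTERNS:
        if pat.match(value):
            return "hash:" + name
    return "plaintext"


def scan_sources(sources):
    """Return findings as (file, line_no, kind, name, classification)."""
    findings = []
    for fname, text in sources.items():
        for no, line in enumerate(text.splitlines(), 1):
            for m in SQL_ROW.finditer(line):
                findings.append((fname, no, "credential-row", m.group(1), classify(m.group(2))))
            for m in SECRET_ASSIGN.finditer(line):
                findings.append((fname, no, "secret", m.group(1), classify(m.group(2))))
            for m in USER_ASSIGN.finditer(line):
                findings.append((fname, no, "username", m.group(2), "n/a"))
    return findings


def summarize(findings):
    """Count what is directly usable (plaintext) versus what must be cracked."""
    return {
        "plaintext": sum(1 for f in findings if f[4] == "plaintext"),
        "hashed": sum(1 for f in findings if f[4].startswith("hash:")),
        "usernames": sum(1 for f in findings if f[2] == "username"),
    }


if __name__ == "__main__":
    found = scan_sources(SAMPLE_SOURCES)
    for f in found:
        print(f)
    print(summarize(found))
```

The split matters for the next slide item: a plaintext `DB_PASSWORD` is usable immediately, an unsalted md5 row is a fast offline crack, and a bcrypt hash is the one case where the attacker has to throttle and wait.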

Privileged Access To Target Your Customers

• Session Hijacking

- Obfuscated code

o Embedded in images

o Mouse-over techniques

- Proxy replay

- Malicious binary

- Session cookies

- JavaScript injection

- Cross-site scripting

- Routine system maintenance

- Bind shell
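The session-cookie item above, as an added example that is not part of the original deck: an audit of Set-Cookie headers for the attributes that make a stolen or injected session cookie harder to use (HttpOnly against theft by injected JavaScript, Secure against capture in clear text, SameSite against cross-site replay, no Expires on a session cookie, and the `__Host-` prefix rules). The responses are constructed; the name hints used to decide which cookies count as session cookies are an assumption you would tune per application.

```python
"""Added example (not from the original deck): audit Set-Cookie headers for
session-hijacking mitigations. SAMPLE_RESPONSES is constructed."""

# Constructed responses: label -> list of Set-Cookie header values
SAMPLE_RESPONSES = {
    "legacy-app": [
        "PHPSESSID=ab12cd34ef56; path=/",
        "remember_me=1; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    ],
    "hardened-app": [
        "__Host-session=9f8e7d6c5b4a; Path=/; Secure; HttpOnly; SameSite=Lax",
        "theme=dark; Path=/; Secure; SameSite=Lax",
    ],
}

# Assumed name fragments that mark a cookie as carrying authentication state.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "remember")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr_lower: value_or_None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() or None
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return the list of weaknesses for one Set-Cookie header (empty = ok)."""
    name, value, attrs = parse_set_cookie(header)
    is_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure")            # capturable on plain HTTP
    if is_session and "httponly" not in attrs:
        issues.append("missing HttpOnly")          # readable by injected script
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):
        issues.append("SameSite not Lax/Strict")   # sent on cross-site requests
    if is_session and ("expires" in attrs or "max-age" in attrs):
        issues.append("persistent session cookie") # survives browser close
    if name.startswith("__Host-") and (
            attrs.get("path") != "/" or "domain" in attrs or "secure" not in attrs):
        issues.append("__Host- prefix requirements not met")
    return issues


def audit_response(headers):
    """Map cookie name -> issues for every Set-Cookie header in one response."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(label, audit_response(headers))
```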

REMEDIATION STRATEGIES

Secure Your Code

• Test inputs that are open to the Internet

• Add delays and rate limits to your code to slow automated bots

• Use encryption when you can

• Test libraries

• Scan plugins

• Scan your code after every update

• Limit privileges

• DevSecOps
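"Test inputs that are open to the Internet" and "Limit privileges", as an added example that is not part of the original deck: the same login lookup written the vulnerable way (user input pasted into the SQL text, the pattern behind the SQL injection numbers earlier in the deck) and the hardened way (an allow-list on the field plus a bound parameter). It runs against an in-memory SQLite table built inside the block; the table contents and the allow-list are constructed for the example.

```python
"""Added example (not from the original deck): string-built SQL versus
validated, parameterised SQL, exercised against an in-memory SQLite table
constructed here."""
import re
import sqlite3


def make_db():
    """Build a throwaway in-memory users table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-of-alice-pw", "admin"),
        ("bob", "hash-of-bob-pw", "user"),
    ])
    return db


def find_user_vulnerable(db, username):
    """Deliberately vulnerable: the input is pasted into the SQL text, so
    x' OR '1'='1 turns a one-row lookup into a dump of every user."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return db.execute(sql).fetchall()


def find_user_bound_only(db, username):
    """Parameter binding alone: the payload is compared as a literal string
    and matches nothing, whatever characters it contains."""
    return db.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Assumed allow-list for the field: letters, digits, dot, dash, underscore.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(username):
    """True when the whole input matches the allow-list; rejecting junk up
    front keeps it out of the database, the logs and the error pages."""
    return USERNAME_RE.fullmatch(username) is not None


def find_user_safe(db, username):
    """Hardened lookup: validate the input, then bind it as a parameter.
    The two controls are independent; keep both."""
    if not validate_username(username):
        raise ValueError("invalid username")
    return find_user_bound_only(db, username)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))   # every row
    print("bound only:", find_user_bound_only(db, payload))   # no rows
    print("safe:", find_user_safe(db, "alice"))               # alice only
```

The database account the application connects with is the "limit privileges" half of the slide: even the vulnerable query can only dump what that account is allowed to read, so the web tier's credential should never carry DDL or cross-schema rights.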

Create Access Management Policies

• Identify data infrastructure that requires access

• Define roles and responsibilities

• Simplify access controls

• Key Management System (KMS)

• Continually audit access

• Start with a least privilege access model
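The "simplify access controls", "continually audit access" and "least privilege" items above, as an added example that is not part of the original deck: a linter for JSON access policies written in the Effect/Action/Resource statement form (the shape AWS IAM policies take; the two policies below are constructed, not taken from any real account). It flags what an access review should catch on every run: wildcard actions, wildcard resources, `NotAction` grants, and write actions on a role that was only meant to read.

```python
"""Added example (not from the original deck): least-privilege linting of
Effect/Action/Resource policy documents. Both policies are constructed."""
import json

# Constructed: the "just make it work" policy.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: scoped to one bucket, read plus a single write action.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
        {"Effect": "Allow",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::app-logs/*"},
    ],
})

# Assumed verb prefixes that do not change state.
READ_ONLY_VERBS = ("get", "list", "describe", "head")


def _as_list(x):
    """Policy fields may be a single string or a list; normalise to a list."""
    if x is None:
        return []
    return x if isinstance(x, list) else [x]


def lint_policy(policy_json, intended_read_only=False):
    """Return (statement_index, finding) tuples for least-privilege violations."""
    findings = []
    doc = json.loads(policy_json)
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue                      # Deny statements cannot over-grant
        if "NotAction" in st:
            findings.append((i, "NotAction allows everything not listed"))
        for action in _as_list(st.get("Action")):
            verb = action.partition(":")[2]
            if action == "*" or verb == "*":
                findings.append((i, "wildcard action %s" % action))
            elif intended_read_only and not verb.lower().startswith(READ_ONLY_VERBS):
                findings.append((i, "write action %s on a read-only role" % action))
        if any(r == "*" for r in _as_list(st.get("Resource"))):
            findings.append((i, "wildcard resource"))
    return findings


if __name__ == "__main__":
    print("overbroad:", lint_policy(OVERBROAD_POLICY))
    print("scoped:", lint_policy(SCOPED_POLICY))
    print("scoped, read-only role:", lint_policy(SCOPED_POLICY, intended_read_only=True))
```

Run it in the pipeline that deploys roles and in the periodic audit; the `intended_read_only` flag is where the "define roles and responsibilities" step feeds in, since the linter can only judge a grant against what the role is supposed to do.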

IDENTITY and ACCESS MANAGEMENT

Adopt a Patch Management Approach

• Constantly scan all production systems

• Compare reported vulnerabilities to production infrastructure

• Classify the risk based on vulnerability and likelihood

• Test patches before you release into production

• Setup a regular patching schedule

• Keep informed, follow Bugtraq

• Golden Images

• Reference Architecture, Formation Templates
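The "compare reported vulnerabilities to production infrastructure" and "classify the risk based on vulnerability and likelihood" steps above, as an added example that is not part of the original deck: a matcher that joins a vulnerability feed to an inventory of what is actually installed and orders the result by a priority score. The inventory, the feed (advisory ids, package names, versions) and the likelihood multipliers are all constructed for the example and describe no real vulnerability; the version comparison assumes dotted numeric versions.

```python
"""Added example (not from the original deck): join a vulnerability feed to
a production inventory and rank what to patch first. All data constructed."""

# Constructed inventory: host -> {package: installed version}
INVENTORY = {
    "web-01": {"httpd": "2.4.27", "app-runtime": "7.0.22", "cms-core": "4.8.1"},
    "web-02": {"httpd": "2.4.29", "app-runtime": "7.1.9", "cms-core": "4.8.3"},
    "db-01":  {"dbms": "5.7.19"},
}

# Constructed feed: placeholder advisory ids, affected package, first fixed
# version, base severity 0-10, and whether public exploit code is known.
FEED = [
    {"id": "ADV-1", "package": "cms-core", "fixed_in": "4.8.3",
     "severity": 7.5, "exploit_public": True},
    {"id": "ADV-2", "package": "app-runtime", "fixed_in": "7.1.0",
     "severity": 9.8, "exploit_public": False},
    {"id": "ADV-3", "package": "dbms", "fixed_in": "5.7.20",
     "severity": 5.3, "exploit_public": False},
]

# Hosts reachable from the Internet (assumed asset tag).
INTERNET_FACING = {"web-01", "web-02"}

# Assumed likelihood multipliers for the "vulnerability x likelihood" step.
EXPLOIT_PUBLIC_FACTOR = 1.5
INTERNET_FACING_FACTOR = 1.25


def version_tuple(v):
    """'7.0.22' -> (7, 0, 22) so that versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def is_vulnerable(installed, fixed_in):
    """Installed version is older than the first fixed version."""
    return version_tuple(installed) < version_tuple(fixed_in)


def risk_score(entry, host):
    """Base severity weighted by likelihood; not capped at 10 because it is
    an ordering score, not a CVSS value."""
    score = entry["severity"]
    if entry["exploit_public"]:
        score *= EXPLOIT_PUBLIC_FACTOR
    if host in INTERNET_FACING:
        score *= INTERNET_FACING_FACTOR
    return round(score, 2)


def match_feed(feed, inventory):
    """Return (score, host, advisory, package, installed) sorted by priority."""
    out = []
    for host, pkgs in inventory.items():
        for e in feed:
            installed = pkgs.get(e["package"])
            if installed and is_vulnerable(installed, e["fixed_in"]):
                out.append((risk_score(e, host), host, e["id"], e["package"], installed))
    out.sort(key=lambda r: (-r[0], r[1], r[2]))
    return out


if __name__ == "__main__":
    for row in match_feed(FEED, INVENTORY):
        print(row)
```

Note the ordering: the 7.5 bug with a public exploit on an Internet-facing host outranks the 9.8 bug without one, which is the point of scoring likelihood and not just severity. Real feeds need a proper version-comparison library for distro epochs and suffixes; the tuple compare here is the simplest thing that works for plain dotted versions.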

Understand Your Service Providers Security Model

Figure: Azure Platform Services and Azure Infrastructure Services, with Security & Management. Services shown: Web Apps, Mobile Apps, API Management, API Apps, Logic Apps, Notification Hubs, Content Delivery Network (CDN), Media Services, HDInsight, Machine Learning, Stream Analytics, Data Factory, Event Hubs, Mobile Engagement, Active Directory, Multi-Factor Authentication, Portal, Key Vault, Biztalk Services, Hybrid Connections, Service Bus, Storage Queues, Store / Marketplace, Hybrid Operations, Backup, StorSimple, Site Recovery, Import/Export, SQL Database, DocumentDB, Redis Cache, Search, Tables, SQL Data Warehouse, Azure AD Connect Health, AD Privileged Identity Management, Operational Insights, Cloud Services, Batch, RemoteApp, Service Fabric, Visual Studio, Application Insights, Azure SDK, Team Project, VM Image Gallery & VM Depot, Azure Security Center, Automation

Security Management and Monitoring Strategy

• Monitoring for malicious activity

• Scanning Services

• Forensic investigations

• Compliance needs

• System performance

• All sources of log data are collected

• Data types (OS, CMS, DB, Web)

• WAF

• Correlation logic

• IAM behavior

• IDS Network traffic

• FIM Logs

• Focused security research

• Security content creation

• Review process

• Live monitoring
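The "correlation logic" item above, as an added example that is not part of the original deck: detection logic run over web-server access log lines that combines two weak signals per source address (a burst of 404s, which is what a mass vulnerability crawl looks like from the defender's side, and injection or traversal signatures in the request URI) into one verdict. The log lines are constructed, using documentation address ranges; the signature regexes and the 404 threshold are assumptions to tune against real traffic.

```python
"""Added example (not from the original deck): per-source correlation of
scanner behaviour and attack signatures over constructed access log lines
in combined log format."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2017:10:01:01 +0000] "GET /wp-login.php HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2017:10:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2017:10:01:03 +0000] "GET /admin/ HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2017:10:01:04 +0000] "GET /backup.zip HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2017:10:01:05 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Sep/2017:10:02:10 +0000] "GET /index.php?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Sep/2017:10:02:11 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Sep/2017:10:03:00 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 1200 "-" "curl/7.55"
"""

# Combined log format: ip ident user [ts] "method uri proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

# Assumed signatures; deliberately narrow to keep false positives low.
SIGNATURES = [
    ("sqli", re.compile(r"""['"]\s*(or|and)\s*['"]?\d|union\s+select|;\s*drop\s""", re.I)),
    ("traversal", re.compile(r"(\.\./){2,}|/etc/passwd", re.I)),
]
SCAN_404_THRESHOLD = 3   # assumed: this many 404s from one source = probing


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["uri"] = unquote(rec["uri"])   # decode %27 etc. before matching
    return rec


def analyse(log_text):
    """Return {ip: {"404s": n, "signatures": [(name, uri)...], "verdict": str}}."""
    per_ip = defaultdict(lambda: {"404s": 0, "signatures": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        entry = per_ip[rec["ip"]]
        if rec["status"] == 404:
            entry["404s"] += 1
        for name, pat in SIGNATURES:
            if pat.search(rec["uri"]):
                entry["signatures"].append((name, rec["uri"]))
    # Correlation: the combination of probing and an exploit attempt from
    # the same source is the high-confidence case.
    for entry in per_ip.values():
        scanning = entry["404s"] >= SCAN_404_THRESHOLD
        attacking = bool(entry["signatures"])
        if scanning and attacking:
            entry["verdict"] = "high: scan followed by exploit attempt"
        elif attacking:
            entry["verdict"] = "medium: attack signature"
        elif scanning:
            entry["verdict"] = "low: scanning"
        else:
            entry["verdict"] = "none"
    return dict(per_ip)


if __name__ == "__main__":
    for ip, summary in analyse(SAMPLE_LOG).items():
        print(ip, summary["verdict"], summary["404s"], summary["signatures"])
```

URL-decoding before matching is the detail that matters: the injection in the sample arrives percent-encoded and a signature applied to the raw line would miss it. The same structure extends to the other sources on the slide (WAF, IDS, FIM, IAM events) by adding per-source counters and signatures and keeping the verdict logic in one place.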

Follow our Research & Stay Informed on the Latest Vulnerabilities

Blog

https://www.alertlogic.com/resources/blog

Newsletter

https://www.alertlogic.com/weekly-threat-report/

Cloud Security Report

https://www.alertlogic.com/resources/cloud-security-report/

Zero Day Magazine

https://www.alertlogic.com/zerodaymagazine/

Twitter

@AlertLogic @StephenCoty @_PaulFletcher

Websites to follow:

• http://www.securityfocus.com

• http://www.exploit-db.com

• http://seclists.org/fulldisclosure/

• http://www.securitybloggersnetwork.com/

• http://cve.mitre.org/

• http://nvd.nist.gov/